More than two thousand websites with extended validation certificates stopped working this weekend and are no longer accessible today (Monday), including those run by banks, governments and online stores. The EV certificates used by these websites were revoked on Saturday and have yet to be replaced. Most visitors using modern web browsers are completely blocked: this certificate error cannot be bypassed in Chrome, Firefox, Safari or Microsoft Edge.
The unbypassable revoked-certificate interstitial in Chrome at online.anz.com. ANZ is one of the "big four" Australian banks.
Last week DigiCert found a reporting mismatch while examining its EV certificates. As part of its response, DigiCert committed to revoking the affected certificates, a process set to be completed over the coming weeks. Only a subset of DigiCert's EV certificates are affected: in the July SSL server survey, Netcraft found 17,200 EV certificates in active use on port 443 that should be revoked.
The first batch of revocations took place this weekend. While most of the certificates revoked on Saturday July 11th were correctly replaced and reinstalled, many were not.
On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of those 3,800, more than 2,300 were still using a revoked EV certificate, which completely disables the website for users of modern browsers, since browsers check EV revocation far more strictly than revocation of other certificate types. The rest have yet to be revoked.
Many organizations appear to have been caught off guard and continue to serve revoked EV certificates, including the State Bank of India, Rackspace, Authorize.net, ANZ Bank, and Telegram.
Authorize.net with a revoked EV certificate
The New Zealand government is using a revoked EV certificate
Wirecard, the beleaguered German payment processor, briefly showed a certificate warning on its main site, www.wirecard.com, early on Monday. That certificate has since been replaced by a working non-EV certificate, but a number of other Wirecard domains still display revoked-certificate warnings.
The Baseline Requirements and EV Guidelines, the de facto rule books for running a CA, define two revocation deadlines for subscriber certificates: 24 hours for serious security issues and 5 days for less severe issues. If a CA fails to meet these deadlines, the failure is highlighted in subsequent audits. Too many failures and a CA can go the way of StartCom and Symantec: distrusted, and effectively stripped of the ability to issue certificates that work in modern web browsers.
These time limits apply to all publicly trusted certificates, whether they are used on public websites, in hardware appliances, in ATMs, or in healthcare. While publicly trusted certificates are often convenient for non-browser use cases, the deadlines mean that deploying them must be carefully considered: you may have only hours to replace a compromised certificate, or days to replace an entire population of certificates.
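An operator who wants to find revoked certificates in their own estate before browsers block visitors can ask each issuer's OCSP responder directly. The following POSIX shell script is an added example, not code from the original article: it pulls a host's leaf and issuer certificates with openssl and checks the leaf's OCSP status. It assumes openssl 1.1 or later on PATH, network access to the host and its OCSP responder, and that the hostnames passed in are ones you operate.

```shell
#!/bin/sh
# Added example (not from the article): ask the issuer's OCSP responder whether a live
# host's leaf certificate has been revoked, so an operator can catch a revoked certificate
# before browsers start blocking visitors. Assumes openssl 1.1+ on PATH and that the
# hostnames passed on the command line are ones you are responsible for.

# Fetch the leaf (cert1.pem) and its issuer (cert2.pem) from the TLS handshake into dir $2.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
                     inside { print > (dir "/cert" n ".pem") }
                     /-----END CERTIFICATE-----/ { inside = 0 }'
  [ -s "$2/cert1.pem" ] && [ -s "$2/cert2.pem" ]
}

# Reduce the combined stdout+stderr of `openssl ocsp` to one word: good|revoked|unknown|error.
# A response that fails signature verification is reported as an error, never trusted.
ocsp_status() {
  case "$1" in *"Response verify OK"*) ;; *) echo error; return ;; esac
  case "$1" in
    *": revoked"*) echo revoked ;;
    *": good"*)    echo good ;;
    *": unknown"*) echo unknown ;;
    *)             echo error ;;
  esac
}

# Check one host; prints "<host> <status>" (plus the revocation time when revoked) and
# returns 0 only for a "good" OCSP answer, so the script can drive alerting.
check_host() {
  dir=$(mktemp -d) || return 2
  if ! fetch_chain "$1" "$dir"; then
    echo "$1 error (could not fetch certificate chain)"; rm -rf "$dir"; return 2
  fi
  uri=$(openssl x509 -in "$dir/cert1.pem" -noout -ocsp_uri)
  if [ -z "$uri" ]; then
    echo "$1 error (leaf certificate carries no OCSP URL)"; rm -rf "$dir"; return 2
  fi
  out=$(openssl ocsp -issuer "$dir/cert2.pem" -cert "$dir/cert1.pem" -url "$uri" -no_nonce 2>&1)
  status=$(ocsp_status "$out")
  when=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Revocation Time: //p')
  echo "$1 $status${when:+ (revoked at $when)}"
  rm -rf "$dir"
  [ "$status" = good ]
}

for host in "$@"; do check_host "$host"; done
```

Run it from cron against the list of hostnames you are responsible for and page on any line that does not end in "good"; a "revoked" result means modern browsers are already refusing the site.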
This expectation of agility is reflected in the ongoing effort to shorten the maximum lifetime of certificates: in Apple devices, Google Chrome and Firefox, it is expected to drop to just over a year in September.
However, ACME, the protocol used by Let's Encrypt, DigiCert, Sectigo, and others, does not yet offer robust, built-in support for immediate certificate replacement when a revocation is pending. When Let's Encrypt faced a similar mass revocation incident, its instructions also required manual intervention in certbot, and Let's Encrypt likewise failed to meet the 5-day expectation in its response to that incident.