More than two thousand websites that use Extended Validation Certificates stopped working this weekend and are no longer accessible today (Monday), including those run by banks, governments and online stores. The EV certificates used by these websites were revoked on Saturday and have yet to be replaced. Most visitors using modern web browsers are completely blocked: this certificate error cannot be bypassed in Chrome, Firefox, Safari or Microsoft Edge.
The unbypassable revoked-certificate interstitial shown by Chrome at online.anz.com. ANZ is one of the “big four” Australian banks.
Last week DigiCert found a reporting mismatch while examining its EV certificates. As part of its response, DigiCert committed to revoking the affected certificates, a process due to be completed over the coming weeks. Only a subset of DigiCert’s EV certificates are affected: in the July SSL server survey, Netcraft found 17,200 EV certificates actively in use on port 443 that are due to be revoked.
The first revocations took place this weekend. While most of the certificates revoked on Saturday July 11th were correctly replaced and reinstalled, many were not.
On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of those 3,800, more than 2,300 were still using a revoked EV certificate, rendering the websites completely inaccessible to users of modern browsers, which handle EV revocation more robustly than revocation of other types of certificates. The remainder have yet to be revoked.
Many organizations appear to have been caught off guard and continue to use revoked EV certificates, including State Bank of India, Rackspace, Authorize.net, ANZ Bank, and Telegram.
Authorize.net with a revoked EV certificate
The New Zealand government is using a revoked EV certificate
Wirecard, the beleaguered German payment processor, briefly displayed a certificate warning on its main page, www.wirecard.com, early on Monday. The certificate has since been replaced by a functioning non-EV certificate. A number of other Wirecard domains are still showing revoked-certificate warnings.
The Baseline Requirements and EV Guidelines, the de facto rule books for running a CA, define two revocation deadlines for subscriber certificates: 24 hours for the most serious security issues and 5 days for less severe issues. If a CA fails to meet these deadlines, the failure is flagged in subsequent audits. Too many incidents and a CA can go the way of StartCom and Symantec, losing browser trust and effectively ending its ability to issue certificates that work in modern web browsers.
These time limits apply to all publicly trusted certificates, whether they are used on public websites, in hardware appliances, in ATMs, or in healthcare. While publicly trusted certificates are often convenient for non-browser use cases, deploying them there deserves careful consideration: you may have to replace a compromised certificate within hours, or a whole set of certificates within a few days.
This expectation of agility is reflected in the ongoing effort to shorten the maximum lifetime of certificates – on Apple devices, in Google Chrome and in Firefox, it is expected to drop to just over a year in September.
However, ACME, the protocol used by Let’s Encrypt, DigiCert, Sectigo, and others, does not yet offer robust, built-in support for immediate certificate replacement when a revocation is pending. When Let’s Encrypt faced a similar mass revocation, its instructions also required manual intervention with certbot, and Let’s Encrypt likewise failed to meet the 5-day expectation in its response to that incident.