A major operational error by GoDaddy, Apple, and Google has resulted in the issuance of at least 1 million browser-trusted digital certificates that don’t comply with binding industry mandates. The number of non-compliant certificates may be double that number, and other browser-trusted authorities are also likely to be affected.
The snafu is the result of the companies' misconfiguration of the open source EJBCA software package that many browser-trusted authorities use to generate certificates that secure websites, encrypt email, and digitally sign code. By default, EJBCA generated certificates with 64-bit serial numbers, in keeping, it seemed, with an industry mandate that serial numbers contain 64 bits of output from a secure pseudo-random number generator. Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer. As a result, the EJBCA default produced a serial number with 63 bits of entropy.
[...] Section 7.1 of the Baseline Requirements for publicly trusted certificates [SUB: link is to a PDF] is clear that the minimum threshold for serial numbers must be no fewer than 64 bits of entropy. The 2016 ballot that enacted this requirement referred to a 2008 proof-of-concept hack in which researchers, using a raft of PlayStation consoles to generate cryptographic collisions in the MD5 hash algorithm, essentially became a rogue authority that could generate browser-trusted certificates at will. In 2012, state-sponsored malware dubbed Flame used a similar technique to hijack Microsoft’s widely used Windows update mechanism.
“This is a big deal for CAs and their customers,” Caudill told Ars. “The impact of replacing large numbers of certificates is substantial. From a threat perspective though, this isn’t exploitable. It would require a major breakthrough in cryptography, and even then, 63 bits of entropy provides a huge safety margin. This is a problem because of impact to people and companies; hackers aren’t going to start forging certificates because of this.”
In online forums discussing the problem, a GoDaddy official initially said his company issued more than 1.8 million certificates that didn’t comply with the 64-bit requirement. Under industry rules, GoDaddy had five days to revoke the certificates, but GoDaddy said it wouldn’t be able to make that deadline for all the certificates identified.
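The serial-number arithmetic from the summary, as an added example (not EJBCA's code and not from the article): it shows why a positive serial held in 8 octets can carry at most 63 random bits, and how a batch of issued serials can be screened for that. `serial_fixed_width` is a simplified model that assumes the sign bit is simply cleared; all function names are hypothetical.

```python
import secrets


def der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER for n >= 0 (minimal two's complement)."""
    # One spare bit is always needed for the sign, hence the +1.
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def serial_fixed_width(rand8: bytes) -> int:
    """Assumed model of the 8-octet default: 8 random octets with the sign
    bit forced to 0 so the serial is positive and still fits in 8 octets."""
    return int.from_bytes(rand8, "big") & ((1 << 63) - 1)


def new_serial(bits: int = 64) -> int:
    """Serial that keeps every CSPRNG bit; DER adds a 0x00 pad octet when the
    top bit is set. Zero is redrawn because a serial must be positive."""
    while True:
        n = secrets.randbits(bits)
        if n:
            return n


def audit(serials) -> dict:
    """Screen a batch of serials. Seeing a 64-bit value is necessary, not
    sufficient, for 64 bits of entropy; never seeing one in a large batch
    means the generator tops out at 63 bits or fewer."""
    widest = max(s.bit_length() for s in serials)
    longest = max(len(der_integer_content(s)) for s in serials)
    return {"widest_bits": widest,
            "longest_der_octets": longest,
            "could_hold_64_bits": widest >= 64}


def demo(n: int = 256):
    # Constructed sample batches, drawn locally; no real certificates involved.
    weak = [serial_fixed_width(secrets.token_bytes(8)) for _ in range(n)]
    full = [new_serial(64) for _ in range(n)]
    return audit(weak), audit(full)


if __name__ == "__main__":
    for label, result in zip(("8-octet model", "64 unsigned bits"), demo()):
        print(label, result)
```
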
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @12:57AM (1 child)
Are you kidding me? An "engineer" had never heard of a sign bit [wikipedia.org]? Where did they get their degree, w3schools?
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @02:11AM
I think it means "once Engineers got to see what the code monkeys had produced, they discovered that bit 63 was MBZ."
(Score: 2) by hendrikboom on Thursday March 21 2019, @12:57AM (4 children)
So, just one bit is enough to make it secure? Can't an attacker just get more playstations?
(Score: 4, Funny) by Anonymous Coward on Thursday March 21 2019, @01:07AM
Q: "Can't an attacker just get more playstations?"
A: Yes.
Q: "How much longer will it take with more playstations?"
A: A bit.
(Score: 2) by FatPhil on Thursday March 21 2019, @01:12AM
However, a SHALL is a SHALL is a SHALL (is a MUST), so broken is broken.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @01:48AM
One bit is the difference between needing the life of the universe to brute force something vs half the life of the universe to brute force something. Or 4 minutes instead of 2, for an easier problem.
(Score: 2) by driverless on Saturday March 23 2019, @03:00AM
Read the mind-numbingly dull series of threads covering this [google.com] that have been going on for over a month now. The value of 64 bits is an arbitrary number pulled out of thin air; somewhere in the discussion some guy went and tracked down a bunch of academic papers that cover this and none of them give this value anywhere. There's been an endless debate over what is and isn't compliant, which eventually boiled down to "you must have 64 bits in this form because the spec says so even if it doesn't make any sense". So now some CAs are coming forward to say they probably aren't compliant, while the rest seem to be keeping quiet and hoping it'll blow over if no-one notices them.
The important point is that it's not a security issue, it's failure to engage in sufficient virtue signalling to satisfy the CA/Browser Forum who created the docs.
(Score: 3, Informative) by FatPhil on Thursday March 21 2019, @01:07AM (1 child)
"... built using Java (JEE) technology."
"Robust ..."
Clearly not!
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @05:46AM
Is the "language" you're referring to Java or English? Because either one fits your post.
(Score: 2) by sjames on Thursday March 21 2019, @01:53AM
In theory, if they use a strong random source, they should only need to recall half of the certificates.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @02:09AM
These three companies are powerful figures of the internet. They can just declare the new status quo.
Fuck, even Comodo was too big to penalize.
(Score: 3, Funny) by realDonaldTrump on Thursday March 21 2019, @02:21AM
M.S.M. Critics went ABSOLUTELY NUTS! These guys issued millions, it made the cyber news. But, where is M.S.M.? Double standard!!
(Score: 1) by fustakrakich on Thursday March 21 2019, @05:46AM
Even if it was misused in the summary.
The fuck ups are perfectly normal. The lawyers and accountants will handle it.
Politics and criminals are the same thing..
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @07:04AM (5 children)
The funny thing is that not only did Google screw this up, but they are the most vulnerable. Google Chrome only checks the CRLsets for revocation by default, and that is limited to the most "dangerous" certificates out there. The fun thing is that they also block certain test sites (for example, https://revoked.badssl.com [badssl.com] will be blocked, but https://revoked.grc.com/ [grc.com] will not). It will not check the certificate's CRL, nor do an OCSP check. Funny thing is, there was a bug in the implementation, so older versions won't even verify a stapled OCSP response either.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @07:49AM (3 children)
https://revoked.grc.com/ [grc.com] doesn't seem to have an SSL certificate?
Open the website in Firefox and the SSL cert can't be seen.
Or, is that the problem here. That the site doesn't have an SSL cert.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @09:15AM (2 children)
The web page responds SEC_ERROR_REVOKED_CERTIFICATE as a test to verify that your browser at least checks the CRL [grc.com].
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @09:33AM (1 child)
How can the invalid SSL certificate be viewed?
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @12:25PM
That certificate is invalid only in the sense that it has been revoked, deliberately, to be used as a test.
Don't know the specific way to view it within a browser or how to skip the warning, if there is any, but to retrieve any certificate you can use openssl:
Unfortunately openssl doesn't make it easy to automatically check the CRL for a certificate.
(Score: 0) by Anonymous Coward on Thursday March 21 2019, @10:05AM
Both sites respond with An error occurred during a connection to revoked.badssl.com. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE