How a typo puts tens of thousands of certificates in peril

Last week, DigiCert, the former Belnet certificate provider, announced that it had to revoke its EV certificates. This announcement had a major impact on Belnet but also on many organizations in its community. Why did DigiCert have to take this drastic step?

One of the main benefits of the internet as we know it today is the degree of freedom, the number of possibilities and the freedom of expression it gives to all of us. The democratic nature of the internet, with its freedom and accessibility, allows many people to use it on a daily basis without much fuss or administration, but also without any structured form of identification or authentication. The anonymity that a user enjoys when browsing the web has some consequences. People are frank and unburdened by consequences, truly expressing their opinions, while others are quick to abuse this anonymity.

Certificates to guarantee trust

To be sure you are not fooled when visiting a web service, a certification method has been established. These certificates can be acquired through trusted institutions, and come with several levels of security or validation. In order to maintain the trust, these institutions themselves have to be validated frequently.

One of these validation steps was registered incorrectly, so that certain validation machines were not included in the auditing process. This error was noticed by a Google employee and made public. This effectively means that the certificates issued by these non-validated machines are no longer trusted. It concerns certificates of the type "Extended Validation" (EV certificates).

Important consequences

Several of the trusted institutions (also known as certification authorities or CAs) are impacted. The CA that issued the certificates for the Belnet customers, DigiCert, took immediate action and issued a statement on the 8th of July, stating that it would revoke the affected EV certificates within the documented timeframe, which is 7 days. The bitter irony here is that, because of the added security and validation steps, these timeframes were kept really short in order to protect against breaches of trust quickly.

Concretely, owners of such EV certificates had to request a new certificate to replace the old, revoked EV certificate. As Belnet has recently changed its certificate provider (from DigiCert to Sectigo), customers were urged to request the new certificate from Sectigo. Although we have not been able to request these certificates for our customers, we have endeavored to assist and support them as best we can.

Copyright © 2020 Belnet.