This Thursday, the internet suffered a widespread disruption. A root certificate used by Let’s Encrypt, one of the largest providers of HTTPS certificates, expired, and many websites and web services ran into problems as a result.

Scott Helme, founder of Security Headers, followed the issue. He says that IdenTrust DST Root CA X3 expired around 4 p.m. PST and that millions of websites rely on Let’s Encrypt: without it, older devices will no longer be able to verify certain certificates.

Let’s Encrypt is a free, non-profit service that ensures that connections between a device and the internet are secure and encrypted.

Updates needed

The warning had been issued well in advance: the certificate would expire on September 30. Yet on that very day, dozens of users were caught off guard and reported problems with various web services and numerous websites.

Scott Helme confirms to ZDNet that he spotted issues with Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, pfSense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify, and Cloudflare Pages. He adds that there could be others.

“Depending on the exact nature of the problem, there are several ways to solve it. But, in short, the service / website needs to update the certificate chain it serves to clients, or the client talking to the website / service needs an update,” says the researcher. “For the businesses involved, it’s not like everything is down, but they certainly have service issues and ongoing incidents that staff are working to resolve. In many ways, I’ve been talking about it for over a year, but it’s a difficult problem to identify. It’s like looking for the cause of a fire: it’s really obvious when you see the smoke!”

Some sites and services have warned of potential issues, and many have already fixed them. Shopify, for example, posted a note around 9:30 p.m. indicating that the services of merchants and partner businesses that had been having trouble logging in were restored, as was the merchant authentication needed to interact with support.

Dependence on certificates

Fortinet is aware of the issue with the expired root certificate provided by Let’s Encrypt. The company tells ZDNet that it has reviewed it. “We are communicating directly with customers and have provided a temporary workaround. In addition, we are working on a longer term solution to address this borderline problem directly in our product,” the company said in a statement.

Digital certificate expert Tim Callan explains that all modern digital systems depend on certificates for their continued operation, especially those that secure our cyber and physical environments.

“If software depends on an expired root to validate a certificate’s chain of trust, then the certificate’s trust will fail and, in most cases, the software will stop functioning properly. The consequences of this failure are as large and varied as our individual systems are, and many times cascading failures or ‘downstream’ failures lead to problems in systems entirely different from the one presenting the initial certificate trust problem,” he describes.

“Computer systems that enforce or monitor security policies may stop functioning. Alerting and reporting systems can fail. Or, if the processes that humans depend on to do their jobs stop functioning, often these people will find ‘workarounds’ that are inherently insecure.”

Old devices affected

Tim Callan adds that outages can occur when developers in line-of-business operations or other “skunkworks”-type projects obtain certificates without the knowledge of central IT and then move on to new tasks, or fail to monitor the lifecycle of these certificates.

He points out that most systems will be able to withstand the expiration of one root thanks to modern root chaining capabilities that allow another root to establish trust. “However, older systems, or those with unpatched (or unknown) certificate-handling bugs, are at risk of such failures. In the case of a root commonly used by a popular certification authority, the risk of these failures increases dramatically,” he warns.

TechCrunch reports that devices that may experience issues include older computers running macOS 2016 and Windows XP (with Service Pack 3), as well as older versions of PlayStation and any tool based on OpenSSL 1.0.2 or earlier. According to other experts, PlayStation 4 or older devices whose firmware has not been updated will not be able to access the internet. Devices running Android 7.1.1 or earlier will also be affected.

Certificate inventory

According to Tim Callan, most modern software allows the use of sophisticated chains of trust that allow root transitions without requiring replacement of production certificates. But those that are old, poorly designed, or contain chain of trust management bugs may not properly handle this transition, leading to a variety of potential failures.

As many affected companies have since done, the researcher suggests that companies take an inventory of the systems that use certificates and of the certificates actually in use, then make sure the software has the latest root certificates in its root store.

“By identifying potential points of failure, IT departments can investigate these systems in advance, to identify problem areas and implement fixes. If you can set up a version of the system in a sandbox environment, then it’s easy to test the expected behavior after root expiration occurs,” he advises. “You just need to set the client system clock to a date after the expiration date to ensure certificate chaining will work properly. Alternatively, you can manually uninstall or distrust the root that is about to expire (in the sandbox environment, of course) to ensure that systems only use the most recent roots.”
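The clock-forwarding rehearsal described above, and the root transition via cross-signing discussed under “Certificate inventory”, can be reproduced without touching a production system. The script below is an added example, not code from the article, from Let’s Encrypt or from any of the vendors named; it uses only the `openssl` command-line tool. It builds a throwaway hierarchy shaped like the real one (an old root that cross-signs a new root, which issues an intermediate, which issues a server certificate), then validates the server certificate “as of” a date after the old root has expired using `openssl verify -attime`, once against a client that trusts only the old root and once against a client whose trust store has been updated. Every name, hostname and validity period in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or from Let's Encrypt): rehearse a root
# expiry in a throwaway sandbox with the openssl CLI. A toy hierarchy mirrors
# the shape of the real event: an old root cross-signs a new root, the new root
# issues an intermediate, and the intermediate issues a server certificate.
# All names and validity periods below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DAY=86400
NOW="$(date +%s)"
TOMORROW=$((NOW + DAY))          # every certificate below is valid
IN_60_DAYS=$((NOW + 60 * DAY))   # the 30-day old root has expired, the 90-day leaf has not

# Extension profiles are written out explicitly so the result does not depend
# on whatever openssl.cnf the system ships.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

mk_csr() { # NAME -> NAME.key, NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
self_sign() { # NAME DAYS -> NAME.pem (a root certificate)
  openssl x509 -req -sha256 -days "$2" -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}
sign() { # CSR_NAME CA_NAME DAYS EXT_PROFILE OUT_NAME -> OUT_NAME.pem
  openssl x509 -req -sha256 -days "$3" -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$4.ext" -out "$WORK/$5.pem" 2>/dev/null
}

mk_csr old-root;  self_sign old-root 30        # the root that is about to expire
mk_csr new-root;  self_sign new-root 3650      # its successor, self-signed
sign new-root old-root 30 ca new-root-cross    # the same successor key, cross-signed by the old root
mk_csr intermediate; sign intermediate new-root 90 ca intermediate
mk_csr leaf;         sign leaf intermediate 90 leaf leaf

# verify_at TRUSTED_ROOT EPOCH [cross]
# Validates the leaf as if the client clock read EPOCH, trusting only
# TRUSTED_ROOT and receiving the intermediate (plus the cross-certificate when
# asked) the way a server would send them. Exit status is openssl's: 0 = accepted.
verify_at() {
  extra=""
  [ "${3:-}" = cross ] && extra="-untrusted $WORK/new-root-cross.pem"
  # shellcheck disable=SC2086
  openssl verify -attime "$2" -CAfile "$WORK/$1.pem" $extra \
    -untrusted "$WORK/intermediate.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

report() { # LABEL, then verify_at arguments
  label="$1"; shift
  if verify_at "$@"; then echo "accepted : $label"; else echo "rejected : $label"; fi
}

report "tomorrow: client trusts only the old root, server sends the cross-cert" old-root "$TOMORROW" cross
report "after expiry: same old-root-only client, same server chain"           old-root "$IN_60_DAYS" cross
report "after expiry: client has the new root in its trust store"             new-root "$IN_60_DAYS"
```

The first and third checks are accepted and the second is rejected with a “certificate has expired” error at the old root, which is the failure an unpatched client saw on September 30. The two remedies the article mentions map directly onto the inputs: a server fix means no longer sending the cross-certificate, a client fix means adding the new root to the trust store. A fourth variant worth trying in the sandbox is a client that trusts both roots while the server still sends the cross-certificate: OpenSSL 1.1.0 and later prefer the self-signed new root found in the trust store and accept the chain, while OpenSSL 1.0.2 and earlier follow the cross-certificate the server sent, land on the expired old root, and fail, which is why the article singles out software built on OpenSSL 1.0.2 or earlier.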

The researcher adds that the popularity of DevOps-friendly architectures like containerization, virtualization and the cloud has dramatically increased the number of certificates a business needs, while dramatically decreasing their average lifespan. “This means a lot more expiration events, a lot more administration time needed, and a dramatically increased risk of renewal failure,” he warns.

Allow invalid certificates? A bad idea

Digital Shadows Senior Cyber Threat Analyst Sean Nikkel tells ZDNet that Let’s Encrypt warned in May that the root CA would expire on September 30. It had even offered alternatives and workarounds so that devices would not be affected by the switch.

Let’s Encrypt has also opened a discussion thread on its community forum on the subject, and is responding fairly quickly, he adds.

“A not very good practice that has already been proposed as a solution to the problem is to allow untrusted or invalid certificates. Users should be careful before making a decision that potentially opens the door to attackers using compromised certificates,” warns the analyst.

“Some users have recommended settings to allow expired certificates from trusted issuers, but these can also have malicious uses. Either way, admins should consider the best solution for them, but also understand the risks of any workaround. Additionally, administrators can consider alternative trust paths by using the intermediate certificate that Let’s Encrypt has in place, or by following the configurations suggested in their May newsletter.”

Source: ZDNet.com