A major operational error has resulted in the issuance of at least one million browser-trusted digital certificates from GoDaddy, Apple and Google that don’t comply with binding industry mandates.
The misconfiguration stems from the open source EJBCA software package, which many browser-trusted authorities use to generate certificates that secure websites, encrypt email, and digitally sign code, independent security researcher Adam Caudill said in a blog post.
“It turns out that the serial number was effectively 63 bits, which is a violation of the CA/B Forum Baseline Requirements that state it must contain 64 bits of output from a secure random number generator (CSPRNG),” Caudill said. “As a result of this finding, 2,000,000 certificates or more may need to be replaced by Google, Apple, GoDaddy and various others.”
Fortunately, there is almost no chance that the certificates will be exploited, since they are now generated using SHA256, which doesn’t have the same known vulnerabilities as MD5; the 64-bit requirement is more of a deterrent against new attacks that will likely be discovered in future decades.
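An added example, not taken from the article or from EJBCA: a Python sketch of why a serial stored in eight DER octets carries at most 63 bits, with an inventory check over one issuer's serials. It assumes the shortfall comes from forcing a 64-bit random value into a positive eight-octet DER INTEGER; the function names and sample serials are constructed for illustration.

```python
import secrets

def der_serial_octets(serial: int) -> bytes:
    """Content octets of a positive DER INTEGER (minimal two's complement)."""
    if serial <= 0:
        raise ValueError("certificate serial numbers must be positive")
    # Reserving the sign bit means a value with bit 63 set needs a ninth,
    # leading 0x00 octet; eight octets can only hold values below 2**63.
    return serial.to_bytes(serial.bit_length() // 8 + 1, "big")

def capacity_bits(octet_len: int) -> int:
    """Upper bound on random bits a positive serial of this length can carry."""
    return octet_len * 8 - 1

def audit_issuer(serials, required_bits=64):
    """Summarise one issuer's serials and flag a space narrower than required."""
    widest = max(s.bit_length() for s in serials)
    longest = max(len(der_serial_octets(s)) for s in serials)
    return {
        "count": len(serials),
        "widest_bit_length": widest,
        "longest_der_octets": longest,
        "capacity_bits": capacity_bits(longest),
        # If the top bit is never set across many serials, the generator is
        # effectively producing required_bits - 1 bits or fewer.
        "meets_requirement": widest >= required_bits,
    }

# Constructed generators standing in for a CA's serial source.
def flawed_serial() -> int:
    # Assumption: 64 random bits with the sign bit cleared to stay positive.
    return (secrets.randbits(64) & (2**63 - 1)) or 1

def full_serial() -> int:
    # All 64 random bits kept; DER adds a leading 0x00 when bit 63 is set.
    return secrets.randbits(64) or 1

if __name__ == "__main__":
    for name, gen in (("flawed", flawed_serial), ("full", full_serial)):
        print(name, audit_issuer([gen() for _ in range(200)]))
```

A single serial proves nothing on its own; the check is meaningful over many serials from the same issuer, since a true 64-bit source sets the top bit about half the time.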
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said that TLS digital certificates function as machine identities and establish what is good and trusted on the Internet and business networks.
“Unfortunately, Google, Apple and GoDaddy just discovered they’ve issued millions of machine identities that don’t comply with industry standards, so they all should be replaced,” Bocek said. “The reality is that the vast majority of organizations lack even the most basic intelligence about where they are using machine identities.”
Bocek added that replacing a single digital certificate can take hours, and organizations certainly don’t have automated processes to replace large numbers of them, so many businesses are going to feel a lot of pain. Furthermore, if the replacement process isn’t done correctly, it could introduce new vulnerabilities and cause business systems to fail.