EPIC CA Fails
June 2024
Entrust Incident March-May 2024
(Google Chrome 127 and higher distrust certificates issued by Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024)
Entrust, one of the oldest Certification Authorities (CAs), is in
trouble with Mozilla and other root stores. In the last several years,
going back to 2020, there have been multiple persistent technical
problems with Entrust’s certificates. That’s not a big deal when it
happens once, or even a couple of times, and when it’s handled well. But
according to Mozilla and others, it hasn’t been. Over time, frustration
grew. Promises were made, then broken. Finally, in May, Mozilla compiled
a list of recent issues and asked Entrust to formally respond.
Entrust in Trouble
Summary of Entrust Incidents - March-May 2024
Recent Entrust Compliance Incidents - Google Group
Sustaining Digital Certificate Security - Entrust
Certificate Distrust - Google Security Blog
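The distrust rule quoted above turns on the earliest SCT embedded in a certificate. As an added example (not code from the page or from any of the linked posts), the Python below parses an RFC 6962 SignedCertificateTimestampList, as carried in the CT precertificate SCT extension, finds the earliest timestamp and applies the cutoff; the exact boundary instant, the placeholder log ids and the sample SCT lists are constructed assumptions, not real data.

```python
import struct
from datetime import datetime, timezone

# "Dated after October 31, 2024": treating the first instant of 1 November 2024 UTC
# as the boundary is an assumption made for this example.
ENTRUST_CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)

def parse_sct_list(blob: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList: a 2-byte total length,
    then a sequence of (2-byte length, SCT). A v1 SCT is version (1 byte),
    log id (32), timestamp in ms since the epoch (8), extensions, signature."""
    (total,) = struct.unpack(">H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        sct = body[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or n < 41 or sct[0] != 0:  # need version..timestamp, v1 only
            raise ValueError("malformed or non-v1 SCT")
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        scts.append({"log_id": sct[1:33].hex(),
                     "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)})
    return scts

def earliest_sct(blob: bytes) -> datetime:
    return min(s["timestamp"] for s in parse_sct_list(blob))

def chrome_distrusts_entrust_cert(blob: bytes, cutoff: datetime = ENTRUST_CUTOFF) -> bool:
    """True when the earliest SCT is on or after the cutoff (distrusted under the rule above)."""
    return earliest_sct(blob) >= cutoff

def build_sct(log_id: bytes, ts: datetime) -> bytes:
    """Constructed test data: v1 SCT, empty extensions, dummy 4-byte ECDSA/SHA-256
    signature field (not a valid signature)."""
    sig = b"\x04\x03" + struct.pack(">H", 4) + b"\x00" * 4
    sct = b"\x00" + log_id + struct.pack(">Q", int(ts.timestamp() * 1000)) + b"\x00\x00" + sig
    return struct.pack(">H", len(sct)) + sct

def build_sct_list(*scts: bytes) -> bytes:
    body = b"".join(scts)
    return struct.pack(">H", len(body)) + body

# Constructed samples; the log ids are placeholders, not real CT logs.
SAMPLE_OK = build_sct_list(build_sct(b"\x11" * 32, datetime(2024, 10, 15, tzinfo=timezone.utc)),
                           build_sct(b"\x22" * 32, datetime(2024, 11, 5, tzinfo=timezone.utc)))
SAMPLE_DISTRUSTED = build_sct_list(build_sct(b"\x11" * 32, datetime(2024, 11, 5, tzinfo=timezone.utc)),
                                   build_sct(b"\x22" * 32, datetime(2024, 12, 1, tzinfo=timezone.utc)))
```

Only the earliest timestamp matters: SAMPLE_OK carries a later SCT too, but its October entry keeps it on the trusted side of the cutoff.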
June 2023
Let's Encrypt's Signature Saga: A Tale of Certificates Gone Astray
Let's Encrypt, a popular certificate authority, recently experienced an
outage resulting in the issuance of certificates with invalid
signatures. The incident occurred during a planned change in their
certificate configuration, causing discrepancies between the
precertificates and the final leaf certificates.
As a result, these certificates did not work in Chrome or Safari.
As soon as the problem was reported, the certificate authority paused
issuance, resolved the issue, and revoked the affected certificates as
required by the Baseline Requirements. The incident's details,
including the root cause and impact, are covered in the blog post at:
https://www.agwa.name/blog/post/last_weeks_lets_encrypt_downtime.
June 2023
HiCA's Unconventional Certificate Obtaining Process Raises Concerns
HiCA has been found injecting arbitrary code into the certificate
obtaining process, raising questions about its safety and intentions.
The company's deviation from the standard ACME protocol and its use of
unconventional practices, including executing remote commands, pose
potential security risks. For more details on the incident and its
impact, refer to the comprehensive analysis in the detailed post:
https://github.com/acmesh-official/acme.sh/issues/4659.
March 2020
Boulder Bug: Let's Encrypt discovered a bug that led to the revocation of millions of issued certificates.
March 2018
Private Key Breach: Due to compromise of private keys, DigiCert announced the revocation of approximately 20k Symantec certificates, including the GeoTrust, Thawte and RapidSSL brands.
September 2017
Inadequate Control: Symantec had issued many certificates without proper validation due to malfeasance, leading to the distrust of Symantec by all major platforms.
September 2017
Inadequate Control: Numerous issues centering around the mis-issuance of SSL certificates.
January 2017
Business Partner Blunder: Overriding Symantec compliance flags to bypass domain validation.
October 2016
Abuse of Trust: Numerous questionable practices, such as backdating SHA-1 certificates.
October 2016
Technology Malfunction: OCR failure results in certificates being issued to the wrong entities.
August 2016
Technology Malfunction: Faulty upgrade allows certain servers to bypass the authentication process.
August 2016
Abuse of Trust: Caught issuing certificates to non-domain owners.
July 2016
Technology Malfunction: Dangling markup injection leads to issuance of arbitrary wildcard certificates.
February 2016
Technology Malfunction: Systems incorrectly parse email addresses, leaving them open to abuse.
September 2015
Human Error: Mis-issues test certificates without review by authentication personnel.
March 2015
Inadequate Control: Issued certificate to a misconfigured privileged email address on Microsoft's live.fi.
March 2015
Abuse of Trust: Unconstrained intermediate certificate issued for network interception.
July 2014
Inadequate Control: Weak process mis-issued several unauthorized Google certificates.
December 2013
Business Partner Blunder: Subordinate CA mis-issued an intermediate certificate, later abused by a user.
December 2012
Human Error: Issues two intermediate certificates, enabling a user to perform MITM attacks.
September 2011
Compromise: Voluntarily suspended issuance while investigating breach.
August 2011
Hacker Compromise: Hacked systems issued hundreds of fraudulent certificates.
June 2011
Hacker Compromise: Breach causes CA to temporarily suspend certificate issuance.
March 2011
Hacker Compromise: Comodo reseller bypasses security mechanism to mis-issue a Mozilla.com certificate.
December 2008
Business Partner Blunder: Mis-issues certificate for login.live.com via email.
July 2008
Inadequate Control: Mis-issues certificate for login.live.com via email.