A world of injuries after GoDaddy, Apple and Google have badly issued> 1 million certificates

A major operational error by GoDaddy, Apple and Google has resulted in the issuance of at least one million trusted digital certificates for browsers that do not comply with the sector's binding obligations. The number of non-compliant certificates can be double that number, and other browser-approved authorities are also likely to be affected.

The snafu is the result of the misconfiguration of the EJBCA Open Source software package used by many trusted browser authorities to generate certificates that secure websites, encrypt e-mails, and sign code. By default, EJBCA generated certificates with 64-bit serial numbers, which appeared to correspond to an industry mandate: the serial numbers contain 64 bits of output from a pseudo random number generator secured. After further examination, the engineers discovered that one of the 64 bits had to be a fixed value for the serial number to be a positive integer. As a result, the EJBCA defect generated a serial number with 63 bits of entropy.

The 63 bits are far from the required 64 bits and therefore pose a theoretically unacceptable risk for the entire ecosystem. (Practically, there is virtually no chance that the certificates will be exploited in a malicious way – more information about this later.) Adam Caudill, a security researcher who wrote on a blog about the generalized bad mass last weekend, pointed out that it was easy to think that a difference of one bit would be largely inconsequential when we consider the figures of this cut. In fact, he said, the difference between 2⁶³ and 2⁶⁴ is more than 9 quintillions.

Section 7.1 of the Basic Requirements for Public Trust Certificates clearly states that the minimum threshold for serial numbers shall not be less than 64 bits of entropy. The 2016 ballot that promulgated this requirement referred to a 2008 proof-of-concept hack into which researchers, using a set of PlayStation consoles to generate cryptographic collisions in the MD5 hash algorithm, are essentially become an unauthorized authority capable of generating trusted certificates for browsers. will. In 2012, state-sponsored malware, called Flame, used a similar technique to hijack Microsoft's widely used Windows update mechanism.

Almost no chance of exploitation

That said, despite the shortcomings of the erroneously issued certificates, there is very little chance that their non-compliant entropy can be exploited. Certificates are now generated using SHA256, a modern algorithm that does not contain the known vulnerabilities of MD5. The 64-bit requirement, on the contrary, is rather to insure against new attacks that will likely be discovered in the coming decades.

This means that even if the revocation and reissue of 1 to 2 million certificates (at the time of publication of this article, the researchers were still debating), is a major undertaking, the error is virtually nonexistent. .

"It's a big problem for CAs and their clients," Caudill told Ars. "The impact of replacing a large number of certificates is considerable. From the point of view of the threat, this is not exploitable. This would require a major breakthrough in cryptography and, even in this case, 63 bits of entropy provide a huge margin of safety. This is a problem because of its impact on people and businesses; hackers will not start forging certificates for this reason. "

A GoDaddy official told online forums that his company had issued more than 1.8 million non-standard 64-bit certificates. According to industry rules, GoDaddy had five days to revoke the certificates, but it was not able to set the deadline for all identified certificates.

"In the next 30 days"

"Our goal is to reissue all certificates within the next 30 days," wrote Daymion Reynolds, senior director of SSL / PKI security products at GoDaddy. "We started the revocation process. We have a large number of customers who use manual methods to manage their certificates. It is therefore difficult to be agile for them. We want our customers to use https throughout the revocation period. Due to the large number of certificates and the benign nature of the problem, our plan is to revoke the obligations responsibly. "

In an update released Tuesday, Reynolds revised the estimate of poorly issued live certificates to about 12,000 and 273,784 "orphan" certificates, which means that they were stopped at mid-issue for reasons such as the cancellation of the applicant and system errors. Reynolds said the initial estimate of more than 1.8 million certificates was based on "a more aggressive than necessary criterion". Caudill and other researchers asked Reynolds to provide additional details before accepting the revised number.

An Apple official said that the total number of non-compliant certificates that his company had issued was about 878,000, although the number of certificates still valid, unexpired and not revoked last Thursday, is about 558,000 A Google manager estimated that the company had issued more than 100,000 certificates of non-compliance since 2016, but that by the end of last month, only 7,100 of them were still valid.

Apple and Google use their trusted authorities publicly to issue certificates for use internally and by affiliated organizations. Caudill said that other certification authorities could also be affected.

A representative from Apple told Ars that the company had taken the following steps:

• Stop issuing certificates with non-compliant serial numbers and continue working with users to revoke the certificates concerned
• Configured the software to generate 16-byte serial numbers, providing 64-bit entropy
• Alerts restored for detection of serial numbers whose length is considered insufficient
• Improved validation software that verifies the compliance of SSL certificates to certificates to evaluate certificate collections instead of individual certificates. These improvements should be implemented by April 30, 2019.

Google representatives have not responded to the e-mail requesting a comment for this message.