GlobalSign Error Causes Widespread Internet Issues

An anonymous reader writes: GlobalSign, one of the root CAs globally, has 'inadvertently revoked its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified sites' SSL/TLS certificates. It could take days to fix, leaving folks unable to easily read their favorite webpages.' The issue may take up to four days to resolve itself.Two hours ago, GlobalSign said it was able to identify the problem, but due to caching issues, many of its customers were still experiencing issues.

Re:

[ganjadude]

arstechnica was giving me hell all day. it would work, then it wouldnt. not sure if related but its not usual i have issues with ars

Was getting this error last night

[Hognoxious]

Was getting this error last night. Crapdot, yesterday's news tomorrow!

You must be out of breath, you fat cunt.

[Hognoxious]

The fact that you got the error does not explain the cause of the error.

Well you've got me there, because I totally claimed that it did. Oh hang on, I didn't.

This is news regardless of what some self-centered, basement-dwelling mouthbreather like you thinks.

One, I live on the 3rd floor. Two - 12 hours behind - that's more olds than news. Slight hint there, if you'd bothered to read the whole post. Did your finger get tired, ChrisMaple?

Nothing to see here

[Anonymous Coward]

Just the NSA inserting themselves into another certificate system. Carry on.

Their email to us

[Anonymous Coward]

This is what I got in my inbox at 11:56 PST

Dear Valued GlobalSign Customer,

In follow up to our earlier email communication describing the issue you are experiencing with your GlobalSign certificates, our engineering and support staff have put together a troubleshooting guide that will help you resolve the certificate revocation error. We will continue to update this troubleshooting guide as new updates are added.

OCSP Revocation errors - troubleshooting guide: https://support.globalsign.com/customer/portal/articles/2599710-ocsp-revocation-errors---troubleshooting-guide

If you continue to have issues, we welcome you to open a support ticket here: https://support.globalsign.com/customer/portal/emails/new

Thank you as we continue to work to resolve this issue. We will communicate additional updates with you.

Lila Kee
Chief Product Officer
GMO GlobalSign

US +1 603-570-7060 | UK +44 1622 766 766 | EU +32 16 89 1900
www.globalsign.com/en

Happened to me

[110010001000]

This happened to me when trying to read the previous article on theguardian. With Chrome I didn't see an easy way to get around it. I am sure there is a way in the settings, but who bothers with trying to figure that out.

Everything is going to be messed up

[Waffle Iron]

It turns out that when you're facing east, north is actually on your right. Why did it take so long for people to discover such a fundamental global sign error?

Re:

[Hognoxious]

That's just like the town where I grew up. And I was born with a plastic spoon in my mouth.

Re:Everything is going to be messed up

[ganjadude]

plastic spoon? well hot dog you must come from royalty. All we got is these here sticks we dun found in the yard

SNAFU...

[Feral Nerd]

Facebook once forgot to renew some certificate on one of its user tracking systems. For about half a day I could not go anywhere on the internet with the exception of a few really ancient pages written in archaic HTML without getting at least three nag-windows complaining about an expired Facebook SSL certificate.

Is that all?

[Yggdrasil42]

"unable to easily read their favorite webpages"
Oh, that's allright then.

I pity the sysadmins working overtime tonight.

Re:

[vtcodger]

Gee. You don't think that it could be possible that doing computer security even adequately is beyond what people are capable of actually doing? Golly, that might mean that e-commerce is doomed and that all computers are really good for is research and entertainment.

That might put a kink in some folks plans to promote the cloud into a vehicle that will enrich them beyond all belief.

Well on the plus side

[Anonymous Coward]

On the positive side, at least this shows that some CRL and OCSP servers are actually responding and that browsers are using them. That's good news. Oftentimes those damn servers don't respond.

Re:

[ganjadude]

arstechnica kept screwing up for me earlier in the day

Caching

[Tablizer]

but due to caching issues, many of its customers were still experiencing issues.

Caching can be a PITA. Our org's default PDF viewer caches pages, and we constantly get complaints about users seeing outdated info. It doesn't respect the usual conventions of "no-cache" meta tags and even F5. Adding a random URL parameter sometimes works, sometimes not.

Isn't caching also a security risk? If you discover bad content, such as malicious embedded JavaScript, you'd want it replaced immediate with the good version

Re:

[bill_mcgonigle]

We need DNSSEC and DANE. Let people get and offer multiple DANE records for multiple CA's so when one of them fucks up (like this, or they get untrusted for acting like typical CA's do these days) the client can follow the other chain.

Browsers can have a quality meter that shows how good the trust metric is - a few sigs for a cert would increase the score, absent other metrics.

When the DNSSEC root gets a 2048-bit signature in the next year, we'll see adoption start to creep up. We do have all the tech now

Re:

[fredan]

We need DNSSEC....

No we don't.

Funny

[Archfeld]

For the last week I've been getting NAG popups on Slashdot relating to improperly named and/or dated cert's from ADS served up. The related name is optim something or other and was generally date related. I finally turned on AD blocking to stop the recursive, very intrusive pop-ups. If this continues I'll just leave the AD blocker up and to hell with supporting /. The quality of ads has taken a severe downturn here and the continued auto play ads are really beginning to annoy. As much better as the place wa

Sad...

[Stormy Dragon]

To discover the headline was "(Global Sign) Error..." and not "Global (Sign Error)..."

Is there compensation?

[real gumby]

Globalsign being an American company, do they owe anyone money?