The Slow Certificate Authority

- Anecdotes, Security

Snail

Last year, I wrote about multiple issues I encountered upon switching web hosts. One of these issues was delay violations from Sectigo (formerly Comodo CA) for revoking old certificates compromising the HTTPS connection to my website. This spawned a saga with Mozilla, the organization behind Firefox, that is interestingly still not fully resolved as of this writing.

How Mozilla got involved

As I mentioned in my previous post, I needed to revoke old certificates validating the HTTPS connection to my domain debigare.com that were controlled by my previous hosting provider to mitigate a security issue. To be trusted by browser vendors, a Certificate Authority (CA) is supposed to revoke certificates within 24 hours once the proper conditions are met. In my case, the CA, Sectigo, took more than 5 days to perform the revocation, and were also unreasonably slow in replying to my emails about this.

As such, I sent a violation report to Mozilla's dev-security-policy mailing list to notify them of the issue I encountered. This caused Wayne Taylor, the CA Program Manager at Mozilla, to open an official issue requesting a formal Incident Report from Sectigo about my case.

How Sectigo responded

Sectigo took their sweet time to finally provide the Incident Report - more than 2 months past Mozilla's soft deadline to do so, in fact. Soon after, they have posted a long-term remediation to prevent such incidents from occurring again - an automated service for revocation. Good idea!

However, it took exactly 1 year since the formal Incident Report was requested from Mozilla before they were satisfied with its resolution. And even at that point, Sectigo's resolution portal still was not supporting wildcard certificates like those I had to revoke myself. I actually still have no idea as of this writing if that missing feature has been implemented since or not.

Why did it took so long? Honestly, I'm not sure. What is clear however is that during that period, Sectigo was generally slow to respond to queries, and rarely provided status reports without being requested for one, even for deadlines that Sectigo themselves had set. I counted 5 times in the entire issue thread where a response was requested after abnormal delays.

But even though that issue is officially closed, it is not the end of the story.

Wait, there's more?

So Sectigo was slow to handle my issue with me personally, and Sectigo was also slow to fix its root cause with browser vendors. Turns out, it pretty much looks like Sectigo is just pretty slow in general when it comes to technical support.

Ryan Sleevi, a Staff Software Engineer at Google and peer of the CA Certificates Module for Mozilla, seems to agree. In fact, he opened a new official issue requesting Sectigo to provide a formal Incident Report about being slow to provide Incident Reports. No, really. And my own issue is the first example he provided in the description.

This may sound surprising, but honestly, the whole reason I reported the original incident to Mozilla in the first place was because I was actually hoping for a broader issue like that to be revealed.

In any case, that new issue was created more than 4 months ago, and as of this writing, is still unresolved.

The saga continues...

Related articles I wrote

Illusion of Gaia logo

Beating Illusion of Gaia in 17 minutes

- Video Games, Security

I crafted a tool-assisted speedrun (TAS) of the Super NES action-adventure game Illusion of Gaia (also known as Illusion of Time in Europe) which beats the game as fast as possible on the American version. The final time is 16:48 when using TAS timing (from initial power on to the last input) and…

PlayStation Vita

Fixing Playstation Vita Error Code NP-9968-2, and Why Sony Should Care

- Video Games, Security, Anecdotes

For about 2 years, I was not able to install any new software on my PlayStation Vita, for seemingly no reason. I could make new purchases from the PlayStation Store, but the download would always fail, and only on my Vita. No issues whatsoever with my PlayStation 3 nor my PlayStation 4, but for some…

Brandon Dillon as the ghost of Amnesia Fortnight future

The Hack 'n' Slash Puzzle Collection

- Video Games, Security

This is a collection of all the secret hacking puzzles released between 2012 and 2015 related to the video game Hack 'n' Slash and its prototype. As far as I'm aware, all puzzles were designed by the game's project lead Brandon Dillon. All the material is archived here for preservation purposes…

Man reading emails on his laptop

Pluralsight Course - Configuring and Managing SPF, DKIM, and DMARC

- Security

Configuring and Managing SPF, DKIM, and DMARC is a beginner-friendly course about email security produced by yours truly. It is designed for security professionals and web domain administrators. Email deliverability is a constant challenge for organizations, but this challenge is widely amplified if…

Wii RVT-R Reader test kit

The Test Case that Bricked a Wii Test Kit

- Anecdotes, Quality Assurance, Video Games

Back when I was working at Eidos Montréal, part of my responsibilities included ensuring that the games we were producing for the Wii followed Nintendo's Wii Programming Guidelines. This is the story of how I bricked a Wii RVT-R Reader test kit by doing my job…

See all of my articles