The Slow Certificate Authority

- Anecdotes, Security

Snail

Last year, I wrote about multiple issues I encountered upon switching web hosts. One of them was that Sectigo (formerly Comodo CA) missed the mandated deadline for revoking old certificates that compromised the HTTPS connection to my website. This spawned a saga with Mozilla, the organization behind Firefox, that is, interestingly, still not fully resolved as of this writing.

How Mozilla got involved

As I mentioned in my previous post, I needed to revoke old certificates validating the HTTPS connection to my domain debigare.com that were controlled by my previous hosting provider, in order to mitigate a security issue. To remain trusted by browser vendors, a Certificate Authority (CA) must follow the CA/Browser Forum Baseline Requirements, which oblige it to revoke a certificate within 24 hours once one of the listed conditions is met, such as the subscriber requesting the revocation. In my case, the CA, Sectigo, took more than 5 days to perform the revocation, and was also unreasonably slow in replying to my emails about it.
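What a revocation actually produces on the CA side, and how a relying party detects it, is easy to see with a throwaway CA. The following is an added example, not code from the original post and not Sectigo's or any real CA's process: it builds a scratch CA with openssl, issues one leaf certificate, publishes a CRL, revokes the leaf, republishes the CRL, and runs chain validation with mandatory CRL checking before and after. The names "Demo CA" and "leaf.example.test" are made up; CRLs are one of the two standard revocation mechanisms (OCSP being the other) and the one openssl can demonstrate offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from any CA: a throwaway
# CA built with openssl to show what revocation produces and how a relying
# party detects it. "Demo CA" and "leaf.example.test" are made-up names.
set -eu

# Create a scratch CA, issue one leaf certificate and publish an empty CRL.
# Prints the working directory so the other functions can find the files.
make_demo_ca() {
  work=$(mktemp -d)
  mkdir -p "$work/ca/newcerts"
  : > "$work/ca/index.txt"
  echo 1000 > "$work/ca/serial"
  echo 01 > "$work/ca/crlnumber"
  cat > "$work/ca.cnf" <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = ./ca
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = ./ca.crt
private_key        = ./ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 1
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF
  (
    cd "$work"
    # Self-signed root with CA:TRUE and cRLSign so it may sign CRLs.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.crt -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
    # Leaf key and CSR, then the CA signs it and records it in index.txt.
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example.test" >/dev/null 2>&1
    openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1
    # First CRL: signed by the CA, lists nothing yet.
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  )
  echo "$work"
}

# What the CA must do within the deadline: mark the certificate revoked in
# its database and publish a fresh CRL that lists its serial number.
revoke_leaf() {
  (
    cd "$1"
    openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  )
}

# What a relying party does: validate the chain with CRL checking required.
# Prints "good" or "revoked"; any other failure is reported and returns 1.
revocation_status() {
  if out=$(cd "$1" && openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt 2>&1); then
    echo good
    return 0
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "verify failed: $out" >&2; return 1 ;;
  esac
}

# Stand-alone run: issue, check, revoke, check again.
dir=$(make_demo_ca)
echo "before revocation: $(revocation_status "$dir")"
revoke_leaf "$dir"
echo "after revocation:  $(revocation_status "$dir")"
rm -rf "$dir"
```

Until the CA republishes a CRL (or answers OCSP) that lists the serial, every client keeps accepting the old certificate, which is why the 24-hour clock matters: the revocation is only real once it is visible to relying parties.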

As such, I sent a violation report to Mozilla's dev-security-policy mailing list to notify them of the issue I encountered. In response, Wayne Thayer, then the CA Program Manager at Mozilla, opened an official issue requesting a formal Incident Report from Sectigo about my case.

How Sectigo responded

Sectigo took their sweet time to finally provide the Incident Report: more than 2 months past Mozilla's soft deadline, in fact. Soon after, they posted a long-term remediation to prevent such incidents from recurring: an automated service for revocation. Good idea!

However, it took exactly 1 year from the moment Mozilla requested the formal Incident Report until Mozilla was satisfied with its resolution. And even at that point, Sectigo's revocation portal still did not support wildcard certificates like the ones I had to get revoked. As of this writing, I still have no idea whether that missing feature has been implemented since.

Why did it take so long? Honestly, I'm not sure. What is clear, however, is that during that period Sectigo was generally slow to respond to queries, and rarely provided status updates unless asked for one, even on deadlines that Sectigo itself had set. I counted 5 times in the entire issue thread where a response had to be requested after abnormal delays.

But even though that issue is officially closed, it is not the end of the story.

Wait, there's more?

So Sectigo was slow to handle my issue with me personally, and Sectigo was also slow to fix its root cause with browser vendors. It pretty much looks like Sectigo is simply slow in general when it comes to technical support.

Ryan Sleevi, a Staff Software Engineer at Google and a peer of Mozilla's CA Certificates module, seems to agree. In fact, he opened a new official issue requesting that Sectigo provide a formal Incident Report about being slow to provide Incident Reports. No, really. And my own issue is the first example he cites in the description.

This may sound surprising, but honestly, the whole reason I reported the original incident to Mozilla in the first place was that I was hoping a broader issue like that would come to light.

In any case, that new issue was created more than 4 months ago, and as of this writing, is still unresolved.

The saga continues...
