The Slow Certificate Authority

- Anecdotes, Security


Last year, I wrote about multiple issues I encountered upon switching web hosts. One of these issues was delay violations by Sectigo (formerly Comodo CA) in revoking old certificates that were compromising the HTTPS connection to my website. This spawned a saga with Mozilla, the organization behind Firefox, that is interestingly still not fully resolved as of this writing.

How Mozilla got involved

As I mentioned in my previous post, I needed to revoke old certificates validating the HTTPS connection to my domain debigare.com that were controlled by my previous hosting provider to mitigate a security issue. To be trusted by browser vendors, a Certificate Authority (CA) is supposed to revoke certificates within 24 hours once the proper conditions are met. In my case, the CA, Sectigo, took more than 5 days to perform the revocation, and was also unreasonably slow in replying to my emails about this.

As such, I sent a violation report to Mozilla's dev-security-policy mailing list to notify them of the issue I encountered. This caused Wayne Taylor, the CA Program Manager at Mozilla, to open an official issue requesting a formal Incident Report from Sectigo about my case.

How Sectigo responded

Sectigo took their sweet time to finally provide the Incident Report - more than 2 months past Mozilla's soft deadline to do so, in fact. Soon after, they posted a long-term remediation to prevent such incidents from occurring again - an automated service for revocation. Good idea!

However, it took exactly 1 year from when the formal Incident Report was requested by Mozilla before they were satisfied with its resolution. And even at that point, Sectigo's resolution portal still did not support wildcard certificates like those I had to revoke myself. I actually still have no idea as of this writing whether that missing feature has been implemented since.

Why did it take so long? Honestly, I'm not sure. What is clear, however, is that during that period, Sectigo was generally slow to respond to queries, and rarely provided status reports without being asked for one, even for deadlines that Sectigo themselves had set. I counted 5 times in the entire issue thread where a response was requested after abnormal delays.

But even though that issue is officially closed, it is not the end of the story.

Wait, there's more?

So Sectigo was slow to handle my issue with me personally, and Sectigo was also slow to fix its root cause with browser vendors. Turns out, it pretty much looks like Sectigo is just pretty slow in general when it comes to technical support.

Ryan Sleevi, a Staff Software Engineer at Google and peer of the CA Certificates Module for Mozilla, seems to agree. In fact, he opened a new official issue requesting Sectigo to provide a formal Incident Report about being slow to provide Incident Reports. No, really. And my own issue is the first example he provided in the description.

This may sound surprising, but honestly, the whole reason I reported the original incident to Mozilla in the first place was because I was actually hoping for a broader issue like that to be revealed.

In any case, that new issue was created more than 4 months ago, and as of this writing, is still unresolved.

The saga continues...