Slashdot Mirror


GlobalSign Error Causes Widespread Internet Issues (theregister.co.uk)

An anonymous reader writes: GlobalSign, one of the root CAs globally, has 'inadvertently revoked its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified sites' SSL/TLS certificates. It could take days to fix, leaving folks unable to easily read their favorite webpages.' The issue may take up to four days to resolve itself. Two hours ago, GlobalSign said it was able to identify the problem, but due to caching issues, many of its customers were still experiencing issues.

39 comments

  1. Slashdot still available by Anonymous Coward · · Score: 0

    Experiencing the outage at work, thank god I can still get to slashdot!!

    1. Re:Slashdot still available by ganjadude · · Score: 1

      arstechnica was giving me hell all day. it would work, then it wouldn't. not sure if related but it's not usual i have issues with ars

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re:Slashdot still available by Anonymous Coward · · Score: 0

      They've downgraded to plain old HTTP sitewide, it appears. Even if you go to https://arstechnica.com/ it redirects you back to the non-secure version.

  2. Was getting this error last night by Hognoxious · · Score: 0

    Was getting this error last night. Crapdot, yesterday's news tomorrow!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Was getting this error last night by Anonymous Coward · · Score: 0

      Oh fuck off.

      The fact that you got the error does not explain the cause of the error. This is news regardless of what some self-centered, basement-dwelling mouthbreather like you thinks.

  3. Nothing to see here by Anonymous Coward · · Score: 1

    Just the NSA inserting themselves into another certificate system. Carry on.

  4. Their email to us by Anonymous Coward · · Score: 3, Informative

    This is what I got in my inbox at 11:56 PST

    Dear Valued GlobalSign Customer,

    In follow up to our earlier email communication describing the issue you are experiencing with your GlobalSign certificates, our engineering and support staff have put together a troubleshooting guide that will help you resolve the certificate revocation error. We will continue to update this troubleshooting guide as new updates are added.

    OCSP Revocation errors - troubleshooting guide: https://support.globalsign.com/customer/portal/articles/2599710-ocsp-revocation-errors---troubleshooting-guide

    If you continue to have issues, we welcome you to open a support ticket here: https://support.globalsign.com/customer/portal/emails/new

    Thank you as we continue to work to resolve this issue. We will communicate additional updates with you.

    Lila Kee
    Chief Product Officer
    GMO GlobalSign

    US +1 603-570-7060 | UK +44 1622 766 766 | EU +32 16 89 1900
    www.globalsign.com/en

  5. Happened to me by 110010001000 · · Score: 2

    This happened to me when trying to read the previous article on theguardian. With Chrome I didn't see an easy way to get around it. I am sure there is a way in the settings, but who bothers with trying to figure that out.

  6. Everything is going to be messed up by Waffle+Iron · · Score: 1

    It turns out that when you're facing east, north is actually on your right. Why did it take so long for people to discover such a fundamental global sign error?

    1. Re:Everything is going to be messed up by Hognoxious · · Score: 1

      That's just like the town where I grew up. And I was born with a plastic spoon in my mouth.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:Everything is going to be messed up by ganjadude · · Score: 3, Funny

      plastic spoon? well hot dog you must come from royalty. All we got is these here sticks we dun found in the yard

      --
      have you seen my sig? there are many others like it but none that are the same
  7. SNAFU... by Feral+Nerd · · Score: 1

    Facebook once forgot to renew some certificate on one of its user tracking systems. For about half a day I could not go anywhere on the internet with the exception of a few really ancient pages written in archaic HTML without getting at least three nag-windows complaining about an expired Facebook SSL certificate.

  8. Is that all? by Yggdrasil42 · · Score: 2

    "unable to easily read their favorite webpages"
    Oh, that's all right then.

    I pity the sysadmins working overtime tonight.

    1. Re:Is that all? by Anonymous Coward · · Score: 0

      The bad thing is that they know which ones are your favorites...

  9. SSL etc. = 1 fuckup after another by Anonymous Coward · · Score: 0

    All I see lately are tremendous screwups in this security theatre bs that slows things down and secures squat! They "fix" it, it creates more issues (like Secure Sockets libs changing function return value types creating havoc for apps that used older versions etc.).

    1. Re:SSL etc. = 1 fuckup after another by vtcodger · · Score: 1

      Gee. You don't think that it could be possible that doing computer security even adequately is beyond what people are capable of actually doing? Golly, that might mean that e-commerce is doomed and that all computers are really good for is research and entertainment.

      That might put a kink in some folks' plans to promote the cloud into a vehicle that will enrich them beyond all belief.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  10. Well on the plus side by Anonymous Coward · · Score: 1

    On the positive side, at least this shows that some CRL and OCSP servers are actually responding and that browsers are using them. That's good news. Oftentimes those damn servers don't respond.

  11. Edge has given me 1 error all day by Anonymous Coward · · Score: 0

    and it was a backwater gaming site I was browsing during lunch. Other than that every web site still seems solid.

    1. Re:Edge has given me 1 error all day by ganjadude · · Score: 1

      arstechnica kept screwing up for me earlier in the day

      --
      have you seen my sig? there are many others like it but none that are the same
  12. Caching by Tablizer · · Score: 1

    but due to caching issues, many of its customers were still experiencing issues.

    Caching can be a PITA. Our org's default PDF viewer caches pages, and we constantly get complaints about users seeing outdated info. It doesn't respect the usual conventions of "no-cache" meta tags and even F5. Adding a random URL parameter sometimes works, sometimes not.

    Isn't caching also a security risk? If you discover bad content, such as malicious embedded JavaScript, you'd want it replaced immediately with the good version when available.

  13. This happened to me after installing Avast... by Anonymous Coward · · Score: 0

    The irony this shows up. I uninstalled AVG today after essentially being spammed by them. Decided to switch to avast. Apparently it is doing such a good job that it is protecting me from fake stuff that wasn't being blocked prior.

    I of course disabled avast for a minute to load theguardian but it's kind of nice to know it did in fact work. BBC also gets a complaint but still loads readable content.

    I use Mozilla so maybe it's not as good about these things as a Chrome, which I only use if I absolutely cannot get a page to work in Mozilla with no script. 9/10 most sites work fine but occasionally some "fancy" script won't work at all and I end up doing it in Chrome.

    1. Re: This happened to me after installing Avast... by Anonymous Coward · · Score: 0

      The irony of you replacing AVG with Avast is they're now the same company though from your perspective at least the right one took over:

      https://blog.avast.com/avast-and-avg-become-one

  14. We need to end the system as it is today by Anonymous Coward · · Score: 0

    We should change how the system works. Something based around the blockchain maybe totally independent of Microsoft, Apple, Google, and your ISP. Ideally we would want everyone to adopt it so maybe bundling a small underlying component with Firefox would be a good start once the technology was sufficiently developed and able to scale. Then you could register domain names, and they'd expire if you didn't reaffirm them before a certain point. At first when they'd expire they'd stop working, but you could re-secure them. Then if you didn't after 3 months they'd fall into a state where anybody could secure them. Then utilizing BitCoin you could buy/sell the domains. But it would probably be good to have lots of domain extensions coming online developed into the protocol similar to BitCoins. This way cheap domains could be acquired and people wouldn't be beholden to those with the best domain names. 2015 Q1 .xy comes online and people can start registering, 2015 Q2 .xz comes online and people can start registering. 2015 Q3 .zi and .ni come online and people can start registering. Or it could be based on the number of names registered. That might be better.

    1. Re:We need to end the system as it is today by bill_mcgonigle · · Score: 1

      We need DNSSEC and DANE. Let people get and offer multiple DANE records for multiple CAs so when one of them fucks up (like this, or they get untrusted for acting like typical CAs do these days) the client can follow the other chain.

      Browsers can have a quality meter that shows how good the trust metric is - a few sigs for a cert would increase the score, absent other metrics.

      When the DNSSEC root gets a 2048-bit signature in the next year, we'll see adoption start to creep up. We do have all the tech now to solve these problems - deployment is the current issue.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:We need to end the system as it is today by Anonymous Coward · · Score: 0

      Nothing stops you from using multiple certificates with TLS either. Sorry, wrong problem.

    3. Re:We need to end the system as it is today by Anonymous Coward · · Score: 0

      DNSSEC is a horrid standard that the internet wishes it could forget. HPKP solves the same problems as DANE more-elegantly and in-band.

    4. Re:We need to end the system as it is today by fredan · · Score: 1

      We need DNSSEC....

      No we don't.

  15. I have a fix by Anonymous Coward · · Score: 0

    Unmark check for certificate revocation on Internet Explorer setting, then it works.

  16. Obviously a test by Anonymous Coward · · Score: 0

    Clearly an NSA test.

  17. Funny by Archfeld · · Score: 1

    For the last week I've been getting NAG popups on Slashdot relating to improperly named and/or dated certs from ADS served up. The related name is optim something or other and was generally date related. I finally turned on AD blocking to stop the recursive, very intrusive pop-ups. If this continues I'll just leave the AD blocker up and to hell with supporting /. The quality of ads has taken a severe downturn here and the continued auto play ads are really beginning to annoy. As much better as the place was getting under the 'new' management it seems to have lost ground again recently. Just as a side note, doesn't logging in, posting, moderating and meta-moderating on a regular basis make me a fan of Slashdot? Why the hell would ANYONE want to follow this crap on Facebook?

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Funny by Anonymous Coward · · Score: 0

      What ads?

  18. What are the security implications of this by Anonymous Coward · · Score: 0

    Is it possible that they were coerced to do this? Can anyone benefit from this, and if so, who and how?

  19. You must be out of breath, you fat cunt. by Hognoxious · · Score: 0

    The fact that you got the error does not explain the cause of the error.

    Well you've got me there, because I totally claimed that it did. Oh hang on, I didn't.

    This is news regardless of what some self-centered, basement-dwelling mouthbreather like you thinks.

    One, I live on the 3rd floor. Two - 12 hours behind - that's more olds than news. Slight hint there, if you'd bothered to read the whole post. Did your finger get tired, ChrisMaple?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re: You must be out of breath, you fat cunt. by Anonymous Coward · · Score: 0

      Well your name fits.

  20. Sad... by Stormy+Dragon · · Score: 3, Funny

    To discover the headline was "(Global Sign) Error..." and not "Global (Sign Error)..."

  21. Is there compensation? by real+gumby · · Score: 1

    Globalsign being an American company, do they owe anyone money?

    1. Re:Is there compensation? by Anonymous Coward · · Score: 0

      Globalsign being an American company, do they owe anyone money?

      ...Founded in Belgium in 1996...

    2. Re:Is there compensation? by Anonymous Coward · · Score: 0

      This is the software industry mate. We make mistakes but you always forgive us, or we EULA it out your ass.

  22. The solution to resolve this problem by Anonymous Coward · · Score: 0

    To resolve this problem, you need to use another root and intermediate SSL certificate: https://www.certificat-ssl.info/actualite-ssl/13-10-2016-erreur-revocation-globalsign