Slashdot Mirror
GlobalSign Error Causes Widespread Internet Issues (theregister.co.uk)
An anonymous reader writes: GlobalSign, one of the root CAs globally, has 'inadvertently revoked its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified sites' SSL/TLS certificates. It could take days to fix, leaving folks unable to easily read their favorite webpages.' The issue may take up to four days to resolve itself.Two hours ago, GlobalSign said it was able to identify the problem, but due to caching issues, many of its customers were still experiencing issues.
Just the NSA inserting themselves into another certificate system. Carry on.
This is what I got in my inbox at 11:56 PST
Dear Valued GlobalSign Customer,
In follow up to our earlier email communication describing the issue you are experiencing with your GlobalSign certificates, our engineering and support staff have put together a troubleshooting guide that will help you resolve the certificate revocation error. We will continue to update this troubleshooting guide as new updates are added.
OCSP Revocation errors - troubleshooting guide: https://support.globalsign.com/customer/portal/articles/2599710-ocsp-revocation-errors---troubleshooting-guide
If you continue to have issues, we welcome you to open a support ticket here: https://support.globalsign.com/customer/portal/emails/new
Thank you as we continue to work to resolve this issue. We will communicate additional updates with you.
Lila Kee
Chief Product Officer
GMO GlobalSign
US +1 603-570-7060 | UK +44 1622 766 766 | EU +32 16 89 1900
www.globalsign.com/en
This happened to me when trying to read the previous article on theguardian. With Chrome I didn't see an easy way to get around it. I am sure there is a way in the settings, but who bothers with trying to figure that out.
It turns out that when you're facing east, north is actually on your right. Why did it take so long for people to discover such a fundamental global sign error?
Facebook once forgot to renew some certificate on one of its user tracking systems. For about half a day I could not go anywhere on the internet with the exception of a few really ancient pages written in archaic HTML without getting at least three nag-windows complaining about an expired Facebook SSL certificate.
"unable to easily read their favorite webpages"
Oh, that's allright then.
I pity the sysadmins working overtime tonight.
On the positive side, at least this shows that some CRL and OCSP servers are actually responding and that browsers are using them. That's good news. Oftentimes those damn servers don't respond.
Caching can be a PITA. Our org's default PDF viewer caches pages, and we constantly get complaints about users seeing outdated info. It doesn't respect the usual conventions of "no-cache" meta tags and even F5. Adding a random URL parameter sometimes works, sometimes not.
Isn't caching also a security risk? If you discover bad content, such as malicious embedded JavaScript, you'd want it replaced immediate with the good version when available.
Table-ized A.I.
arstechnica kept screwing up for me earlier in the day
have you seen my sig? there are many others like it but none that are the same
arstechnica was giving me hell all day. it would work, then it wouldnt. not sure if related but its not usual i have issues with ars
have you seen my sig? there are many others like it but none that are the same
For the last week I've been getting NAG popups on Slashdot relating to improperly named and/or dated cert's from ADS served up. The related name is optim something or other and was generally date related. I finally turned on AD blocking to stop the recursive, very intrusive pop-ups. If this continues I'll just leave the AD blocker up and to hell with supporting /. The quality of ads has taken a severe downturn here and the continued auto play ads are really beginning to annoy. As much better as the place was getting under the 'new' management it seems to lost ground again recently. Just as a side note doesn't logging in posting, moderating and meta-moderating on a regular basis make me a fan of Slashdot ? Why the hell would ANYONE want to follow this crap on Facebook ?
errr....umm...*whooosh* *whoosh* Is this thing on ?
We need DNSSEC and DANE. Let people get and offer multiple DANE records for multiple CA's so when one of them fucks up (like this, or they get untrusted for acting like typical CA's do these days) the client can follow the other chain.
Browsers can have a quality meter that shows how good the trust metric is - a few sigs for a cert would increase the score, absent other metrics.
When the DNSSEC root gets a 2048-bit signature in the next year, we'll see adoption start to creep up. We do have all the tech now to solve these problems - deployment is the current issue.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
To discover the headline was "(Global Sign) Error..." and not "Global (Sign Error)..."
Globalsign being an American company, do they owe anyone money?
Gee. You don't think that it could be possible that doing computer security even adequately is beyond what people are capable of actually doing? Golly, that might mean that e-commerce is doomed and that all computers are really good for is research and entertainment.
That might put a kink in some folks plans to promote the cloud into a vehicle that will enrich them beyond all belief.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
No we don't.