Apple, Google, GoDaddy misissued TLS certificates with weak serial numbers

Multiple CAs have misissued over 1.2 million TLS certs with weak 63-bit serial numbers, instead of the standard of 64 bits.
Written by Catalin Cimpanu, Contributor

Major certificate authorities like Apple, Google, and GoDaddy have misissued over 1.2 million TLS certificates that featured an insufficiently long serial number of only 63 bits instead of the industry minimum of 64 bits.

This problem does not pose a direct security threat to internet users today. However, it may lead to a large number of broken sites in the coming weeks as TLS certificates are replaced on the fly.

The error at the heart of this issue came to light on February 24, during a public discussion about accepting a controversial organization (DarkMatter) into Firefox's list of approved certificate authorities (CAs) --organizations allowed to issue TLS certificates to be used to secure HTTPS communications.

During a review of DarkMatter's infrastructure and its past activity, security software engineer Corey Bonnell noticed that the organization had issued 235 TLS certificates that featured a serial number of 63 bits instead of 64.

Scott Rea, one of the DarkMatter Senior Vice Presidents, tracked the issue to EJBCA, a software platform that many CAs are using to automate the process of generating new TLS certificates based on a set of prerequisites (industry standards).

The problem, as he and others later explained, was that TLS certificate serial numbers need to be positive integers. To deal with this issue, EJBCA would sacrifice one of the serial numbers' bits --which would always be zero-- to make sure the serial number would be a positive integer and, hence, be standards compliant.

However, by doing this, the 64-bit serial number would effectively be a 63-bit serial number, halving the protection this serial number would have provided to the TLS certificate as a whole against collision attacks (during which attackers try to create forged TLS certificates with identical signatures).

Who is impacted?

All CAs that used the EJBCA software platform and chose to generate serial numbers with the minimum 64-bit value were impacted. CAs that generated 72-bit or other larger values for the serial numbers were not affected.

Impacted CAs included big names such as Apple, Google, GoDaddy, but also other smaller CA operators as well.

In the weeks-long investigation that followed, Apple found that it had misissued over 878,000 TLS certificates that used a 63-bit serial number instead of the minimum 64-bit. Of these 558,000 were still in use.

Google was less impacted and said it misissued only 100,836 TLS certificates, of which 7,171 were still in use, but 7,137 were set to expire within the next 90 days.

But the misissued certificates weren't actually a huge issue for Apple and Google because these TLS certificates were only used internally at these companies, and they could be replaced by these companies' employees within a few days or weeks.

On the other hand, the issue was a far bigger problem for GoDaddy and its customers, who purchased these weaker TLS certs. The company said it issued 285,936 TLS certificates to its customers, of which 12,152 were still active, while the rest (273,784) appeared to be orphaned and not used on any live site.

All three companies, along with the smaller CAs like SSL.com, are now in the process of revoking these certificates and issuing new ones with a proper serial number length.

While the CA industry's standards say that these misissued certificates will need to be revoked and replaced within five days, GoDaddy will need a lot more than that to notify all customers.

The web hosting company is --for good reasons-- hesitant to nuke over 12,000 certificates on live websites out of the blue, without having site owners notified and take note beforehand.

No immediate security threat

"Does it matter for security? No," Hanno Böck, a cryptographer, security researcher, and journalist said today on Twitter.

"The random serial was introduced to prevent [collision] attacks against broken hash functions (MD5/SHA1)," he said. "We don't use broken hash functions [anymore]. Also 63 bit is still good enough to prevent attacks even if we used broken hashes."

Böck argued that the reason why the CAs should re-issue all the non-complaint certificates is to abide by industry rules. CAs have cut corners in the past, and no errors should be tolerated, even if the mistake doesn't have an immediate impact on the safety of HTTPS connections.

UPDATE [March 15]: A GoDaddy spokesperson told ZDNet today that following an investigation into their infrastructure they have now concluded that the company has not misissued any TLS certificates with weak 63-bit serial numbers.

Cloud computing trends, where developers want to live, AI skills, and 5G: Research round-up

Related cyber-security coverage:

Editorial standards