UPDATED 11:59 EDT / AUGUST 28 2023

Microsoft once again revokes VeriSign digital certificates: Here’s why it matters

Once again, Microsoft Corp. has revoked a collection of what once were VeriSign Inc.’s digital certificates, another sign of how fragile that foundational digital ecosystem is.

The action was confirmed by security firm Airlock Digital in a blog post last week, after it received customer complaints that certificates chaining to the VeriSign Class 3 Public Primary Certification Authority G5 Root Certificate were showing up as invalid on the company’s digital trust platform. Airlock wrote that this root was “responsible for a significant number of issued digital certificates globally” between 2006 and 2018. Although VeriSign’s name is on the certificates, the company left that business in 2010 when it was purchased by Symantec.

A root certificate sits at the top of a trust chain and is used to issue numerous individual certificates that are relied on by all sorts of applications and are installed across endpoint operating systems. Certificates are also used by web servers and browsers to encrypt data sent back and forth between them using Secure Sockets Layer protocols, signified by the “https” that begins most webpages’ URLs. Removing trust in a root invalidates every certificate that chains to it, so applications, endpoints and browsers must be updated to trust a replacement certificate.
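To make the chain-of-trust point concrete, here is an added example (not code from the article or from any of the companies named) that builds a constructed root CA and a code-signing certificate issued by it, then validates the leaf against a trust store with the root present and again with the root removed; all names, keys and validity periods are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; this example aborts on any setup failure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildChain creates a constructed root CA and a code-signing leaf it issued (names are made up).
func BuildChain() (root, leaf *x509.Certificate) {
	rootKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	// A root is self-signed: template and parent are the same certificate.
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Publisher (constructed)"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	// The leaf is signed with the root's private key, so trust in it flows from the root.
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// VerifyLeaf validates leaf for code signing against a store holding exactly the given roots.
func VerifyLeaf(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	store := x509.NewCertPool() // non-nil but empty when no roots are passed: system roots are not consulted
	for _, c := range trusted {
		store.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

func main() {
	root, leaf := BuildChain()
	fmt.Println(VerifyLeaf(leaf, root), "|", VerifyLeaf(leaf)) // <nil> | x509: certificate signed by unknown authority
}
```

The second call models what Airlock’s customers saw: the leaf certificate is unchanged and its signature still checks out, but once the issuing root is gone from the store the chain terminates in an unknown authority, and a different replacement root does not rescue it.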

Airlock engineers also wrote that Microsoft was supposed to remove this particular root certificate from the trusted database back in 2019, but for some reason this wasn’t done until last week. That’s what supposedly caused the failures picked up by Airlock customers.

Revocation history

This isn’t the first time that digital certificates have been pulled by either VeriSign, Microsoft or both companies. Similar problems happened in 2001, 2010 and in 2018.

In 2001, VeriSign mistakenly issued certificates to an imposter posing as a Microsoft employee and had to revoke them.

In 2010, VeriSign revoked a root certificate that had been used to sign the Stuxnet malware, which was developed by U.S. and Israeli intelligence agencies to disable the Iranian nuclear centrifuge plant at Natanz. A valid certificate was one of a set of advanced features that allowed the malware to operate. Disguising malware with a valid certificate is widely used by criminals too.

In 2018, Google and other browser vendors revoked VeriSign certificates. This happened when Symantec sold its certificate business to DigiCert. A DigiCert representative confirmed to SiliconANGLE that the G5 Root was part of these legacy Symantec/VeriSign certificates.

“DigiCert carefully constructed a migration plan and worked with root store operators and customers and partners to ensure a successful transition,” the company said. “As part of this work, several legacy roots were set to be disabled by the root store operators but not revoked to maintain backward compatibility. Recently, Microsoft made a change that affected valid signatures. Our understanding is that the situation has been remedied by Microsoft.”

The event illustrates the fragility of the digital certificate infrastructure and is also one of the reasons that the U.S. National Institute of Standards and Technology is thinking ahead. Earlier this summer it announced progress toward new standards that would be more difficult to forge with quantum computers.

NIST wrote in that announcement that “a sufficiently capable quantum computer could quickly solve and then defeat our current encryption systems,” hence the need for newer and more complex algorithms for public key encryption and digital signatures. NIST has posted the algorithms on its website.

The new standards have been under development for several years now, but are still not quite ready for implementation. Nonetheless, DigiCert Chief Executive Amit Sinha told SiliconANGLE that this is a significant milestone “that kicks off the internet’s largest security transition. Now is the time for organizations to build a centralized book of record of their cryptographic assets and be in a position to adopt these algorithms as they are made available for use.”

Image: Tumisu/Pixabay
