Africa Cybersecurity Mag website inaccessible: Fault, bug or human error?

During the past week, many Africa Cybersecurity Mag subscribers alerted us that our website was inaccessible. The cause was an error with the SSL certificate, which appeared to have expired without the team noticing. The result looked like this:

[Image: bug-ssl-acm]

“Weird thing for a team of very alert cybersecurity specialists anyway.” And even more so for a certificate that was supposed to expire on January 17, 2021 at 00:59:59.

What happened?

In fact, over the past few days, major problems have appeared with the SSL root certificates provided by Sectigo, causing errors on several websites whose certificates chain up to that root. This did not happen all at once in a single day but progressively over several weeks, producing a domino effect that is still going on today. To put it simply, if you are affected, it is not your certificate that has expired, but a change at the root that took place without you being informed. This is what happened to Africa Cybersecurity Mag.

Explanation: how SSL certificates are used by applications, and what allowed this error to happen?

Each time an application (for example, a browser) contacts a web service over SSL/TLS, the web service presents a set of SSL certificates to the application. The application then verifies that they were issued for the service it is accessing, that their expiration dates have not passed, and that they were signed by a trusted certificate authority.

To perform these checks, the application tries to link the presented certificates to one of the certificates held in its trust store. This trust store is distributed with the operating system, the runtime, the browser or the application itself. If all checks pass, the application continues to communicate over the secure protocol; otherwise it terminates the connection or warns the user of a potential security threat.

Sectigo's AddTrust External CA Root was valid for 20 years, until May 30, 2020, and was considered a legacy root. Using cross-certification, the CA issued a pair of new root certificates in 2010, valid until 2038, to replace the old root. The new root certificates were distributed via security updates for the majority of software using the SSL/TLS protocol in mid-2015.

[Image: Sectigo-Certificate-Chain-Diagram]

In plain English for non-technical readers: Sectigo controls a root certificate called AddTrust External CA Root, which was used to create cross-certificates for Sectigo's modern root certificates, the COMODO RSA Certification Authority and the USERTrust RSA Certification Authority (as well as the ECC versions of these roots). These roots do not expire until 2038.

An older browser or device that does not have the modern USERTrust root would not trust it and would therefore look higher up the chain for a root it does trust, the AddTrust External CA Root. A more modern browser already has the USERTrust root installed and trusts it directly, without needing to rely on the older AddTrust root (see the diagram above).
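As an added illustration of the chain checks and the cross-certificate behaviour described in the two passages above (example code written for this article, not from the article itself or from Sectigo): a stdlib-only Python model of how a client links the chain a server presents to its own trust store. The root names are those discussed above; the server name, the intermediate name, the exact timestamps and the verification logic are assumptions, and certificates are reduced to subject, issuer and expiry (no keys or signatures).

```python
from datetime import datetime

# Constructed sample certificates: only subject, issuer and expiry are modelled.
ADDTRUST = "AddTrust External CA Root"
USERTRUST = "USERTrust RSA Certification Authority"

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": datetime.fromisoformat(not_after)}

LEAF = cert("www.example.africa", "Example Intermediate CA", "2021-01-17T00:59:59")
INTERMEDIATE = cert("Example Intermediate CA", USERTRUST, "2030-12-31T23:59:59")
CROSS_CERT = cert(USERTRUST, ADDTRUST, "2020-05-30")   # USERTrust cross-signed by the old root
OLD_ROOT = cert(ADDTRUST, ADDTRUST, "2020-05-30")      # legacy root, self-signed, expired 30 May 2020
NEW_ROOT = cert(USERTRUST, USERTRUST, "2038-01-01")    # modern root, self-signed, valid until 2038

PRESENTED_CHAIN = [INTERMEDIATE, CROSS_CERT]           # what the server sends alongside the leaf
LEGACY_TRUST_STORE = {ADDTRUST: OLD_ROOT}              # old device: only AddTrust is trusted
MODERN_TRUST_STORE = {USERTRUST: NEW_ROOT}             # updated browser/OS: USERTrust is trusted

def verify_chain(leaf, presented, trust_store, now, prefer_trust_store=True):
    """Link the leaf to a trust anchor. Returns (ok, subjects on the path that was built).
    prefer_trust_store=True stops as soon as an issuer is a trust anchor (modern behaviour);
    False follows the server's presented chain to its end before consulting the store."""
    by_subject = {c["subject"]: c for c in presented}
    path, current = [leaf], leaf
    while True:
        if current["not_after"] < now:                 # an expired link breaks the path
            return False, [c["subject"] for c in path]
        issuer = current["issuer"]
        anchor, next_cert = trust_store.get(issuer), by_subject.get(issuer)
        if anchor is not None and (prefer_trust_store or next_cert is None):
            path.append(anchor)
            return anchor["not_after"] >= now, [c["subject"] for c in path]
        if next_cert is None or next_cert is current:  # no issuer found, or self-signed loop
            return False, [c["subject"] for c in path]
        path.append(next_cert)
        current = next_cert

def scenarios(now=datetime(2020, 6, 1)):
    """Outcomes for the same server chain as seen by different clients just after the AddTrust expiry."""
    return {
        "legacy client, AddTrust only": verify_chain(LEAF, PRESENTED_CHAIN, LEGACY_TRUST_STORE, now),
        "modern client, USERTrust trusted": verify_chain(LEAF, PRESENTED_CHAIN, MODERN_TRUST_STORE, now),
        "modern store, chain followed as presented": verify_chain(
            LEAF, PRESENTED_CHAIN, MODERN_TRUST_STORE, now, prefer_trust_store=False),
        "server drops the cross-certificate": verify_chain(LEAF, [INTERMEDIATE], MODERN_TRUST_STORE, now),
    }

if __name__ == "__main__":
    for label, (ok, path) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {' -> '.join(path)}")
```

The third scenario shows why a server can still break for some clients even when their trust store holds the new root: a verifier that blindly follows the presented chain walks into the expired cross-certificate, which is why removing that cross-certificate from the server's chain is the usual fix.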

What is a root certificate?

Root certificates are self-signed certificates: the issuer and the subject are the same. A root certificate becomes a trusted root certificate (also called a trusted CA or trust anchor) because it is included by default in the trust store of software such as a browser or an operating system.

These "trust stores" are frequently updated by the browser software or the operating system, often as part of security updates, however on older, obsolete platforms, they were often only updated in as part of a comprehensive software update - such as Windows Service Packs or optional Windows Update releases.

Why were we not informed in time by our host then?

Our host did not expect this change to the root certificate to have any impact on users, because the update is supposed to be handled automatically by the browser. Even if an expiring root certificate is installed on the server, the new roots are already included in the trust stores of modern browsers and operating systems, so when an end user accesses the website, the certificate trust chain is built from the new root certificates.

How to fix the error if I am a victim?

What better than an official source: here.

It is therefore essentially a bug related to Sectigo's root certificate, which we do not control. Through this article we offer a rational explanation for the problem that occurred, and we take this opportunity to apologize to the subscribers who could not access our website during this period.

Source: NamecheapTeam

Team Africa Cybersecurity Mag