Friday, July 4, 2014

When browsers react - Revoked certificates, Heartbleed and you! - News at 11.

tl;dr:  Don't forget to reissue your new SSL certificate after you revoke your old one.

I tried to connect to https://kutv.com but Chrome 35 was displeased.  Apparently the website's SSL certificate has been revoked, and once that happens ye shall not pass:


I wanted KUTV.com, why is sbgnet.com showing up?

Firefox 30.0:




Internet Explorer 11:

More information is not useful information.



Opera 12.17 initially warns us that the presented certificate doesn't match the requested website:

With a name mismatch it will still allow you to proceed to the website.


After a few seconds delay caused by Opera checking on the validity of the certificate, it changes to this screen:





Apparently the website's SSL certificate has been revoked, and if these browsers are to be believed then ugly, horrible, unspeakable things will happen to me and my precious data if I were to somehow connect to this highly suspicious website.  Deconstructing the different ways each of the popular browsers react to security incidents such as this would make a great article, but that's too big a subject to tackle right now.



It's nice that Firefox told me the real reason for the failure, but it doesn't let me see the certificate's technical details.  At least it suggests you notify the website's owners of the problem. The Try Again button is pretty useless in this scenario, unless the website admin just happens to put the new cert in place in the few seconds you spend reading Firefox's error message.

IE tells you the problem but not much else.  It doesn't let you see the cert, and although it "recommends" that you not continue to the website there's no way to actually bypass that recommendation.  That's a good thing the majority of the time but the wording should be improved.

Opera at first didn't like the mismatch between the website's name and the name on the certificate, which is a good thing to warn about, but once it figured out that the cert was revoked it quickly stepped in to keep me from connecting.  Its error message is the best of the bunch, but it doesn't let me get any more details about what's going on.

Chrome ended up being the most useful option only because it lets us see the details of the revoked certificate.  The warning text it provided was rather non-specific about the cause of the error and actually misleading in its recommended actions.  Reloading the page or switching to a new network will do nothing to solve the problem.

On a side note, Chrome doesn't implement OCSP and Adam Langley from Google provides some interesting explanation and background about that decision.


To see the certificate's information, we need to click on the unhappy lock icon in Chrome's address bar:



There's that sbgnet.com domain again.

That serial number should be useful.

The certificate is OK?  Um...


Let's double-check this whole revocation thing.  KUTV.com's certificate was issued by Entrust.  Entrust has a Certificate Revocation List search on their website, provided you know the cert's hex serial number (thanks, Chrome!).





Superseded = the certificate was revoked because a new certificate was issued.  Why was a new certificate issued?  Was sbgnet.com breached?  Did they lose the password that protects their private key?  What else might have happened in the weeks prior to April 23 that would cause them to revoke an otherwise perfectly fine SSL certificate?

April 7, never forget!


According to KUTV, the "Heartland Virus" is serious business:


I won't go into the many inaccuracies of this news bite.  Let's just say it would be highly beneficial to have someone from the IT department review IT-related news before it's published.  Also, notice the publication date?  Hmmm...


Back to the name mismatch.  Why is sbgnet.com showing up in the certificate for KUTV.com?  Because KUTV is owned by Sinclair Broadcast Group, of course!  What else does SBG own?


How exciting!  Assuming they have one website for each station, that would make a fair number of SSL certificates to manage.  That's not unheard of and there are ways to do it.  But I can see someone in charge saying "Wouldn't it be easier if we just used one SSL certificate for all of our stations' websites?  Sure it would!  Less work and lower expenses for everyone, what's not to like?"

Well, when your certificate stops working, it breaks secure communication with 100+ websites.  And even while the cert is working, if your viewers want to securely connect to your website and you're using a cert issued to *.sbgnet.com, then all of the popular browsers will throw up a warning screen because the cert doesn't match the requested website.  For example, try connecting to https://www.wfxl.com/ to see how your browser handles a name mismatch.
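The two checks this post walks through, the CRL lookup by serial number and the name mismatch, as an added Go example that is not part of the original post or of any browser's code.  It uses only the standard library, and since it has to run offline it constructs its own throwaway CA, a *.sbgnet.com wildcard leaf with a made-up serial number, and a CRL from that CA marking the leaf "superseded" (RFC 5280 reason code 4) in place of Entrust's real CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// buildFixture stands in for the real PKI (all constructed): a throwaway CA, a *.sbgnet.com wildcard leaf with a made-up serial, and a CRL from that CA listing the leaf as superseded.
func buildFixture() (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	now, day := time.Now(), 24*time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(day)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // CreateCertificate adds the SubjectKeyId a CRL issuer must carry
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(0x4c1d2e3f), DNSNames: []string{"*.sbgnet.com"}, NotBefore: now, NotAfter: now.Add(day)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(day),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now, ReasonCode: 4}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, leaf, crl
}
// lookupRevocation is the CRL search from the post: check the list's signature against the issuer first (an unverified list proves nothing), then look for the serial number among its entries.
func lookupRevocation(issuer *x509.Certificate, crl *x509.RevocationList, serial *big.Int) (bool, string, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, "", err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 { // RFC 5280 CRLReason names; Entrust reported "Superseded", code 4
			return true, map[int]string{0: "unspecified", 1: "keyCompromise", 4: "superseded", 6: "certificateHold"}[e.ReasonCode], nil
		}
	}
	return false, "", nil
}
// nameMatches is the check every browser in the post made first: does the requested host fall under the certificate's SAN names? A wildcard covers one label of its own domain, so kutv.com can never match.
func nameMatches(cert *x509.Certificate, host string) bool { return cert.VerifyHostname(host) == nil }

func main() {
	ca, leaf, crl := buildFixture()
	fmt.Println(nameMatches(leaf, "www.kutv.com"), nameMatches(leaf, "www.sbgnet.com")) // false true
	fmt.Println(lookupRevocation(ca, crl, leaf.SerialNumber))                            // true superseded <nil>
}
```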




Conclusion



Forgetting to deploy your website's new SSL certificate after revoking your old cert is usually a pretty bad fail.  What's sad is that the cert was revoked on April 23, and two months later it still hasn't been fixed even though it's affecting a large number of websites.

Maybe no one ever connects to them using HTTPS so it's gone unreported.  Maybe someone at Sinclair left for lunch halfway through the revocation and reissue process and got sidetracked by something way more interesting when they came back.  Maybe it's intentional that the new cert hasn't been deployed yet - I can think of a number of administrative reasons that would delay the purchase and implementation of an IT asset.

Even if the delay is intentional and SBG is aware of the problem, a new cert with a name mismatch won't do much to help the average web visitor if their browser still tells them not to proceed.  Then again, since the current cert wasn't issued to KUTV.com and since it's been over two months since the old cert was revoked, it appears that the web admins at Sinclair are not inclined to provide their viewers with error-free encrypted access to their stations' websites.


Still, no matter the reason, it's worth an attempt to make them aware of the problem.  "Encrypt all the things!" is where the Internet is headed, KUTV and SBG should get their act together and join in the fun.

E-mails sent to KUTV's and SBG's webmaster e-mail addresses.
