GlobalSign Revocation Issues - October 13th
We've become aware of a global issue relating to GlobalSign, a global root certificate authority that issues SSL certificates to millions of websites, including our own. This issue is presently affecting access to secure websites for thousands of internet users around the world (although others are able to access them as normal).
Our servers also utilize SSL certificates issued by GlobalSign, and we've received a small number of isolated reports from customers who are currently encountering certificate errors whilst trying to access our main website or their cloud-hosted MIDAS systems.
It's important to stress that this is not specifically a MIDAS issue (as this is potentially affecting millions of websites), and there are currently no issues with the SSL certificates for *.mid.as domains themselves. These certificates are valid until June 2018 and have not been revoked. The issue is at GlobalSign and relates to their "intermediate" certificates.
If you're concerned about the validity of the SSL certificate for our main website, or your mid.as subdomain, you can independently verify the validity of our current certificates at https://www.ssllabs.com/ssltest/
Here's what GlobalSign initially tweeted about their issue:
"We are currently experiencing issues with our OCSP which is causing certificate warning messages. We aim to fix this as soon as possible." — GlobalSign (@globalsign) October 13, 2016
"UPDATE: we've identified the problem but due to caching issues, many of our customers are still experiencing issues. pic.twitter.com/qk0dD3jZ5q" — GlobalSign (@globalsign) 13 October 2016
In simple terms, GlobalSign inadvertently revoked their intermediate certificates while updating a special cross-certificate. This broke the chain of trust and ultimately nullified SSL/TLS certificates issued by GlobalSign to its customers. The result is that many internet users are currently unable to access secure websites which utilize GlobalSign certificates, as their browsers show certificate revocation warnings and errors.
GlobalSign have since corrected their mistake; however, due to the way that these certificates are "cached", GlobalSign estimate that it could take "up to 4 days" for the issue to fully resolve itself!
The good news is that GlobalSign have provided guidance on how you can clear the CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) caches on your local computer, which may help restore your access to affected sites and your hosted MIDAS system more quickly. (You may need to reboot your computer after following GlobalSign's guidance.)
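The following is an added illustration, not code from MIDAS or GlobalSign: a simplified model of a client-side revocation cache showing why some visitors kept seeing errors after the fix while others did not, and why clearing the local cache helps. The class and function names are hypothetical, the timeline is constructed, and the 4-day response lifetime is an assumption taken from the "up to 4 days" estimate above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class OcspResponse:
    status: str            # "good" or "revoked"
    next_update: datetime  # a client may reuse the answer until this time

class Responder:
    """Simplified stand-in for a CA's OCSP responder (hypothetical model)."""
    def __init__(self, validity):
        self.validity = validity
        self.status = {}   # certificate name -> current status at the CA

    def query(self, cert, now):
        return OcspResponse(self.status[cert], now + self.validity)

class Client:
    """Browser-like client that caches revocation answers locally."""
    def __init__(self, responder):
        self.responder, self.cache = responder, {}

    def chain_ok(self, chain, now):
        for cert in chain:  # every certificate below the root must be "good"
            cached = self.cache.get(cert)
            if cached is None or now >= cached.next_update:
                cached = self.cache[cert] = self.responder.query(cert, now)
            if cached.status != "good":
                return False
        return True

def simulate():
    t0 = datetime(2016, 10, 13, 12, 0)            # constructed timeline
    chain = ["leaf", "intermediate"]
    ca = Responder(validity=timedelta(days=4))    # assumed from "up to 4 days"
    ca.status = {"leaf": "good", "intermediate": "revoked"}  # the mistake
    waiting, clearing = Client(ca), Client(ca)    # both visit during the incident
    during = [waiting.chain_ok(chain, t0), clearing.chain_ok(chain, t0)]
    ca.status["intermediate"] = "good"            # CA corrects its responder
    t1 = t0 + timedelta(hours=6)
    out = {"during_incident": any(during)}
    out["new_visitor_after_fix"] = Client(ca).chain_ok(chain, t1)
    out["cached_after_fix"] = waiting.chain_ok(chain, t1)
    clearing.cache.clear()                        # local cache cleared
    out["after_clearing_cache"] = clearing.chain_ok(chain, t1)
    out["cached_day_3"] = waiting.chain_ok(chain, t0 + timedelta(days=3))
    out["cached_day_4"] = waiting.chain_ok(chain, t0 + timedelta(days=4))
    return out

if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'chain accepted' if ok else 'revocation error'}")
```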