This morning, for about an hour, we had an access problem because DigiCert mistakenly revoked our security certificate. Everything is fine now and we have a new certificate, although at the same time they also reactivated the old one (so double trouble). Here is the list of the e-mails we received:
"Zane Lucas at Trustico (your hosting company broker from whom you obtained a website security certificate) reported the private key associated with your website certificate as compromised today. As a consequence, we are obligated by CA Browser Forum requirements to revoke your certificate within 24 hours. Revocation will lead to the immediate termination of your certificate’s functionality. If your certificate is currently active on your site, revocation will cause users to see an untrusted certificate warning.
We do not understand why Trustico reported the keys as compromised or triggered the revocation of your certificate. However, we wanted to give you the courtesy of notifying you that your certificate would be revoked."
Naturally, this one from Symantec/DigiCert arrived afterwards as well:
"Earlier today, you received a notice that your SSL certificate, which you purchased from Trustico, would be revoked by DigiCert. We understand this may have created some confusion, so we are contacting you with more detail about why this happened and what you can do to get a new, free replacement certificate.
Trustico’s CEO asked us to revoke your certificate, saying the certificate was compromised. Trustico did not provide proof of compromise, so we suggested a couple of ways to demonstrate that by either confirming control over the private key or confirming the domain holder’s confirmation of the revocation request. Trustico told us that they held the private keys. We asked them to confirm this. When they sent the private keys, it immediately initiated a 24-hour period for revocation of your certificate, and thousands of others, as required by the CA/Browser Forum Baseline Requirements. We don't know why or how Trustico had the private key to your certificate, yet once it was emailed to us your certificate was compromised.
To be clear: the compromise occurred when Trustico, the company from which you purchased the certificate, sent DigiCert, the Certificate Authority, your private key. This revocation is not related to the upcoming Google Chrome distrust of Symantec-issued certificates; we have been and will continue to work diligently to reissue those affected certificates and ensure that our customers avoid any disruption.
We know this is an unfortunate situation and has been an inconvenience. To help, we would like to offer you a free one-year certificate to replace the revoked certificate. The certificate we will provide comes directly from DigiCert, not a third party, and is secure. This will enable you to immediately restore the encryption to your web site and/or domain.
Please click on the link below to get your free certificate. Please be aware that your certificate will be revoked tonight at 11:00 p.m. Pacific Time, so we recommend that you order and install your replacement certificate as soon as possible."
This was followed by the following from Trustico:
"Today many of our customers are experiencing lengthy delays when attempting to contact us via phone, e-mail and live chat. The reason for the delays was an unexpected e-mail that DigiCert sent to our customers containing some inaccurate information. We were not informed that the e-mail would be sent and were caught by surprise.
I sincerely apologise to our customers and partners that have been affected.
We didn't authorise DigiCert to contact our customers and we didn't approve the content of their e-mail. At no time had any private keys been compromised.
We can't go into specific details right now - though we believe the orders placed via our Symantec account were at risk and were poorly managed. In good conscience we decided it wasn't ideal to have any active SSL Certificates on the Symantec systems, nor any that didn't meet our stringent security requirements. Our concerns also relate to the upcoming distrust of all Symantec SSL Certificate brands within Google Chrome - meaning that your SSL Certificate will fail to be trusted in Chrome.
We implemented a system to ensure that all customers would receive a replacement SSL Certificate, though today it failed to perform this function.
In our view it is absolutely critical that an SSL Certificate performs its intended function. In accordance with CAB Forum guidelines we acted to immediately revoke active SSL Certificates whereby trust was questionable.
We realize that this mass revocation is bothersome and time consuming for you. We're working to contact all customers to get orders replaced as priority and working through a backlog of enquiries. We've sent replacement coupon codes to all of our customers and we urge every customer to immediately replace any affected SSL Certificates.
Unfortunately things didn't go very well for us today and we are extremely sorry for all the confusion and inconvenience that has been caused. We were relying on systems that would easily replace and issue your SSL Certificates automatically, though that didn't occur.
We'll be following up again shortly with an update surrounding what occurred and more information about where we experienced failures. In the meantime, our staff are concentrating on getting your SSL Certificates issued as quickly as possible. "
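The DigiCert e-mail above says that control of a private key can be demonstrated to the CA, and that Trustico instead e-mailed the keys themselves, which is exactly what made them compromised. The shell script below is an added example, not part of the original post and not DigiCert's or Trustico's actual procedure: it shows how possession is normally proven without ever disclosing the key. The CA sends a random challenge, the key holder returns a signature over it, and the CA verifies that signature using only the public key inside the certificate it issued. It assumes an `openssl` binary is installed; the key pair, self-signed certificate and challenge are constructed locally, so it runs offline.

```shell
set -e

# Scratch directory for the demo material; removed when the script exits.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subscriber side: a throwaway RSA key and self-signed certificate that stand
# in for the certificate the CA issued (constructed for this demo only).
gen_subscriber_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# CA side: a fresh random challenge. This is the only thing the CA sends;
# the only thing it gets back is a signature, never the key.
make_challenge() {
    openssl rand -hex 32 > "$WORK/challenge.txt"
}

# Subscriber side: sign the CA's challenge with a private key. The key stays
# on the subscriber's own system.
sign_challenge() {
    key="$1"; out="$2"
    openssl dgst -sha256 -sign "$key" -out "$out" "$WORK/challenge.txt"
}

# CA side: extract the public key from the certificate it issued and check
# the signature against it. Exit status 0 = possession proven; nonzero = no
# proof (and therefore no grounds to call the key "compromised").
verify_possession() {
    cert="$1"; sig="$2"
    openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$sig" \
        "$WORK/challenge.txt" >/dev/null 2>&1
}

gen_subscriber_material
make_challenge

# Genuine holder: a signature made with the certificate's own key verifies.
sign_challenge "$WORK/key.pem" "$WORK/good.sig"
if verify_possession "$WORK/cert.pem" "$WORK/good.sig"; then
    echo "good.sig: possession of the certificate's key proven"
fi

# Impostor: an unrelated key cannot produce a signature that verifies
# against this certificate's public key.
openssl genrsa -out "$WORK/other.pem" 2048 >/dev/null 2>&1
sign_challenge "$WORK/other.pem" "$WORK/bad.sig"
if ! verify_possession "$WORK/cert.pem" "$WORK/bad.sig"; then
    echo "bad.sig: no proof of possession"
fi
```

The same challenge-and-signature principle is what a CSR's self-signature and ACME's key authorizations rely on: the verifier learns that the other side holds the key without the key ever leaving its owner. Had the reseller's proof taken this form, the CA would have received nothing it could treat as a disclosed private key.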
Nothing will stop the sun from rising again, not even the darkest night, because behind the black curtain of night there is a dawn waiting for us.