Incorrect URL in the certificate: CERT-Bund website unavailable at the weekend

Many browsers rejected the connection due to a revoked certificate. Curious reason: an "s" was missing in a certificate extension.

(Image: a lock with biometric keys; created with AI in Bing Designer by heise online / dmk)

Anyone who wanted to visit the warning and information service (WID) of CERT-Bund (Computer Emergency Response Team Bund) between the evening of January 3, 2025 and midday on Monday, January 6, was often stopped by their browser. The certification authority had revoked the certificate of the service, which is operated by the BSI and Telekom Security. The reason: two plain "http" URLs were hidden in a special certificate extension, which did not comply with the rules.

The extension, called "qcStatements", contains the URLs of the "PKI Disclosure Statements", in the case of the D-Trust CA an approximately thirty-page PDF with contact addresses, workflows and relevant rules. The extension is not mandatory for ordinary TLS website certificates, but it is for QWACs, i.e. qualified website authentication certificates, and the CERT-Bund service held one of these. The issuing guidelines for QWACs, however, stipulate that the disclosure statements may only be referenced via HTTPS. And so a missing "https" in the certificate led to failing HTTPS connections on the CERT-Bund website.
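To make the extension concrete, here is an added example (not code from the article, D-Trust or the BSI): a dependency-free DER walker that takes the raw value of the qcStatements extension (OID 1.3.6.1.5.5.7.1.3, RFC 3739 / ETSI EN 319 412-5), pulls the PDS URLs out of the QcPDS statement and reports any that are not https://. The sample extension and its pki.example URLs are constructed for the demonstration.

```python
QC_COMPLIANCE_OID = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance, carries no statementInfo
QC_PDS_OID = "0.4.0.1862.1.5"          # id-etsi-qcs-QcPDS, carries PdsLocations
TAG_SEQ, TAG_OID, TAG_PRINTABLE, TAG_IA5 = 0x30, 0x06, 0x13, 0x16
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length only, enough for the sample below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def oid_value(dotted: str) -> bytes:
    """Base-128 encode a dotted OID into OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)
def der_walk(data: bytes):
    """Yield (tag, content) for each TLV inside a constructed DER body."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + ln]
        i += ln
def pds_urls(ext_value: bytes) -> list[str]:
    """Return every PdsLocation.url from a qcStatements extension value."""
    urls = []
    for _, stmt in der_walk(next(der_walk(ext_value))[1]):   # SEQUENCE OF QCStatement
        parts = list(der_walk(stmt))                          # [statementId, statementInfo?]
        if parts[0][1] == oid_value(QC_PDS_OID) and len(parts) > 1:
            for _, loc in der_walk(parts[1][1]):              # PdsLocations -> PdsLocation
                urls.append(next(der_walk(loc))[1].decode("ascii"))  # url (IA5String)
    return urls
def insecure_pds_urls(ext_value: bytes) -> list[str]:
    """QWAC policy requires https:// PDS links; report the ones that are not."""
    return [u for u in pds_urls(ext_value) if not u.lower().startswith("https://")]
def build_sample(urls: list[str]) -> bytes:
    """Constructed qcStatements value: a QcCompliance statement plus one QcPDS statement."""
    locs = b"".join(der_tlv(TAG_SEQ, der_tlv(TAG_IA5, u.encode("ascii"))
                            + der_tlv(TAG_PRINTABLE, b"en")) for u in urls)
    compliance = der_tlv(TAG_SEQ, der_tlv(TAG_OID, oid_value(QC_COMPLIANCE_OID)))
    pds = der_tlv(TAG_SEQ, der_tlv(TAG_OID, oid_value(QC_PDS_OID)) + der_tlv(TAG_SEQ, locs))
    return der_tlv(TAG_SEQ, compliance + pds)

# Constructed sample, not D-Trust's real extension: one plain-http and one https PDS link.
SAMPLE = build_sample(["http://pki.example/pds-de.pdf", "https://pki.example/pds-en.pdf"])
```

To run the check against a real certificate, feed `pds_urls()` the raw extension bytes; with the `cryptography` package these come from the `UnrecognizedExtension` returned for OID 1.3.6.1.5.5.7.1.3 (its `.value` attribute).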

D-Trust discovered the breach at midday on New Year's Eve. On New Year's Day, the CA then decided to revoke and reissue 25 certificates covering a total of around 60 hostnames. As a spokesperson for Bundesdruckerei, the operator of the D-Trust service, told heise security, replacement certificates were ready by midday on January 3 and the affected customers had been informed.

The Bundesdruckerei spokesperson did not want to comment on why it still took another two days before the CERT-Bund websites were available again, and only the operators themselves can seriously assess the effects of a weekend without valid certificates.

The Federal Chamber of Notaries and some subdomains of the "Governikus eID Service" also received new certificates on January 3 and installed them on the same day. Their users are unlikely to have noticed the exchange.

Certification authorities that violate the guidelines for issuing certificates are usually soon called to account by those responsible for the "Mozilla CA Program", the Chrome team or other participants in the CA/Browser Forum, an association of CAs and browser manufacturers. Anyone who commits too many offenses risks having their certificates removed from the browsers and thus from the market. The often short deadlines of just a few days for rectifying breaches of the rules already had legal consequences for one CA in 2024. Such faux pas cannot be swept under the carpet anyway: thanks to Certificate Transparency, every certificate ends up in a permanent public log.

(cku)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.