On September 30, 2021, IdenTrust's DST Root CA X3 root certificate expired, and in the days that followed a range of services that relied on it to validate encrypted (TLS) connections ran into trouble.
DST Root CA X3 is the IdenTrust root that cross-signed Let's Encrypt's certificates, and it is embedded in the trust store of a very large number of devices and servers. Every internet-connected device ships with a trust store, a list of root certificates it is willing to trust, and a certificate chain is accepted only if it leads to one of those roots. Let's Encrypt is the most widely used certificate authority in the world, so the roots its certificates chain to matter to almost every connected system. Let's Encrypt's own root, ISRG Root X1, has been in up-to-date trust stores for years, but older devices only know DST Root CA X3.
When such a device receives a certificate chain that it can only validate through the now-expired root, validation fails and the connection is refused, which breaks every service further down the chain of access.
Over the weekend, companies including Google, Cisco, Microsoft Azure, Shopify and Cloudflare reported issues. Even online games like Rocket League, and users of older gaming consoles such as the PlayStation 3, ran into problems. Unfortunately we, Nephila Web, were also affected by this.
Let's Encrypt is a non-profit certificate authority devoted to secure data transmission, run by the Internet Security Research Group and supported by sponsors including the Linux Foundation. It announced the expiration date well in advance. Since the expiry took effect, starting on Friday and over the weekend, we have been monitoring the Chain of Trust for issues and their effects on our users.
The explosion of the cloud, and the prominence of a vast ecosystem of online services integrated with one another, have increased the importance of certificates and of the Chain of Trust: the sequence of certificates, from a server's own certificate through one or more intermediates up to a root in the client's trust store, that lets a device decide whether the party it is talking to is who it claims to be. Web service providers, hardware manufacturers and other key players continuously work and advocate for stronger security standards, such as the global adoption of HTTPS.
Most modern devices (laptops, tablets and smartphones) that receive regular updates already trust ISRG Root X1 and are unaffected. The situation primarily affects older devices and unmaintained software whose trust store never received the newer root. A second group is also affected: systems built on old TLS libraries (OpenSSL 1.0.2 and earlier), which can fail even when ISRG Root X1 is present, because they validate the chain exactly as the server sent it and stumble on the expired cross-signed certificate in it instead of looking for a shorter path to a trusted root. Issues can also occur on third-party systems that are not properly updated, usually because the IT provider did not account for them.
How is Nephila Web working on this?
We continue to monitor the situation, evaluate the status of our technology and service providers, and attend to reports and queries from our clients.
Most issues where we can perform the certificate update ourselves have already been resolved. In other cases, the update depends on third parties. If the situation is not resolved promptly, measures we can take include building alternative Chains of Trust, so that we can reach services through devices with up-to-date certificates, and recording those in a system-wide Certificate Inventory.
The Certificate Inventory will, going forward, be part of our standard practice, to prevent this type of issue from happening again or to limit its consequences to the best of our ability.
Given that this issue is localized and understood, some have suggested that, in the meantime, developers and admins add workarounds that accept expired certificates. As Nephila Web, we are strongly against this idea, as it might open the door to more dangerous security flaws.
What should I expect as a Nephila Web customer?
We continue to monitor, address, and work closely with impacted customers. As a Nephila Web client, if anyone in your community is having any issue accessing any service, please get in touch with us for help, support and guidance.
You are also encouraged to report to us any third-party service integrated with or used in conjunction with our solutions, such as an API or web service. You may also notify us if you have a significant number of users with old devices (2-3 years old or older).
We expect this issue to affect only a small number of clients and users, and to have a complete resolution in the coming days.
I want to know more: How do certificates work, and why are they important?
On the web, a certificate, together with the TLS protocol that uses it, serves a few important purposes:
- It binds an identity, typically a domain name such as example.com, to a public key, and a certificate authority vouches for that binding by signing it.
- It lets the connecting device (usually a browser) demand proof of that identity from the server before sending anything sensitive.
- The browser validates the certificate itself: it checks the signature chain up to a root in its trust store, the validity dates and the name, and then signals whether the connection is trustworthy (the padlock, or a warning page).
- If the certificate is valid, the two sides agree on encryption keys and the request proceeds; the certificate's key is what lets the browser be sure those keys were agreed with the right party and not an impostor.
- The browser decrypts the response locally and shows the data in usable form; the data is unencrypted only at the two endpoints, never in transit.
In short, according to Kaspersky, a certificate plays important roles in keeping data secure, verifying identities, preventing unauthorized access to information and "conveying trust."
Trust stores and the software that uses them need regular updates to stay secure, compliant and efficient. When an old device or piece of software stops receiving updates, its list of trusted root certificates freezes with it: it never learns about newer roots such as ISRG Root X1, and once the only root it does know (here, DST Root CA X3) expires, every certificate chain that depends on that root is rejected, even though the server's own certificate is perfectly valid.
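Both failure modes described on this page, a trust store that only knows the old root and an old TLS library that cannot route around the expired cross-sign, come down to how a client builds a path from the server's certificate to a trusted root. The following Python model is an added example, not code from Nephila Web or Let's Encrypt: it keeps only the fields path building needs (subject, issuer, expiry) and models no keys or signatures. The root and intermediate names and expiry dates are those of the public certificates; the `example.com` leaf and the validation times are constructed for the example, and `validate_legacy` is a simplified stand-in for how OpenSSL before 1.1.0 behaved.

```python
"""Toy model of X.509 certification path building (added example).

Only subject, issuer and expiry are modelled; no keys or signatures.
Root/intermediate names and expiry dates are those of the real public
certificates; the leaf and the validation times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def utc(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


# The expired IdenTrust root the page is about.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30, 14, 1, 15))
# Let's Encrypt's own root, present in up-to-date trust stores.
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4, 11, 4, 38))
# ISRG Root X1 cross-signed by DST Root CA X3: same subject as the self-signed
# root, different issuer. Servers sent it so old devices could still chain up.
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30, 18, 14, 3))
# Let's Encrypt intermediate that signs leaf certificates.
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15, 16, 0, 0))
# Constructed leaf for a hypothetical site.
LEAF = Cert("example.com", "R3", utc(2022, 1, 1))

LONG_CHAIN = [R3, ISRG_X1_CROSS]   # default chain served in 2021
SHORT_CHAIN = [R3]                 # alternate chain without the cross-sign


def _valid_at(cert, at):
    return at <= cert.not_after


def build_path(leaf, presented, store, at):
    """Modern client behaviour: depth-first search over every candidate issuer,
    stopping as soon as a cert's issuer is an unexpired trust anchor, so an
    expired cross-sign in the presented chain is simply routed around.
    Returns the subjects on the path, or None if no valid path exists."""
    anchors = {c.subject: c for c in store}

    def walk(cert, path):
        if not _valid_at(cert, at):
            return None
        path = path + [cert.subject]
        anchor = anchors.get(cert.issuer)
        if anchor is not None and _valid_at(anchor, at):
            return path + [anchor.subject]
        for cand in presented:                      # try alternative issuers
            if cand.subject == cert.issuer and cand.subject not in path:
                found = walk(cand, path)
                if found:
                    return found
        return None

    return walk(leaf, [])


def validate_legacy(leaf, presented, store, at):
    """Simplified pre-1.1.0 OpenSSL behaviour: follow the presented chain as far
    as it goes and only then consult the trust store for the issuer of the last
    cert reached. No backtracking, so a trusted root reachable one step earlier
    is never considered."""
    anchors = {c.subject: c for c in store}
    cert, seen = leaf, {leaf.subject}
    while _valid_at(cert, at):
        nxt = next((c for c in presented
                    if c.subject == cert.issuer and c.subject not in seen), None)
        if nxt is None:
            anchor = anchors.get(cert.issuer)
            return anchor is not None and _valid_at(anchor, at)
        seen.add(nxt.subject)
        cert = nxt
    return False


if __name__ == "__main__":
    before, after = utc(2021, 9, 1), utc(2021, 10, 1)
    print("old device, only DST Root CA X3, before expiry:",
          build_path(LEAF, LONG_CHAIN, [DST_ROOT_X3], before))
    print("old device, only DST Root CA X3, after expiry: ",
          build_path(LEAF, LONG_CHAIN, [DST_ROOT_X3], after))
    print("updated device, ISRG Root X1, after expiry:    ",
          build_path(LEAF, LONG_CHAIN, [ISRG_ROOT_X1], after))
    print("OpenSSL 1.0.2-style client, long chain:        ",
          validate_legacy(LEAF, LONG_CHAIN, [ISRG_ROOT_X1], after))
    print("OpenSSL 1.0.2-style client, short chain:       ",
          validate_legacy(LEAF, SHORT_CHAIN, [ISRG_ROOT_X1], after))
```

Running it shows the incident on this page (a store that only holds DST Root CA X3 validates the chain on September 1 and rejects it on October 1), the recovery on an updated device (the path stops at ISRG Root X1 and the expired cross-sign is never consulted), and the OpenSSL 1.0.2-style failure that only goes away when the server stops sending the cross-signed certificate, which is why serving the short chain was the recommended workaround for such clients rather than accepting expired certificates.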
If you want to learn more:
- DST Root CA X3 Certificate Documentation: DST Root CA X3 Expiration (September 2021) — Let’s Encrypt
- Fortinet, Shopify and more report issues after root CA certificate from Lets Encrypt expires — ZDNet
- Chain of Trust — Let’s Encrypt
- Internet goes down for millions, tech companies scramble as key encryption service expires — Yahoo! News