Expired security certificate: how to solve the issue?

On the 1st of October 2021, part of the world woke up with many problems accessing internet sites. This event was caused by a domino effect in the web security certificates that sites, apps and web apps use to communicate with the user's client. But how did this happen, why did it happen and, most importantly, how can the problem be solved?

How do security certificates work?

To understand why a site or service cannot be accessed when its certificate is not valid, one must first understand what a security certificate is and how it works.

A certificate is nothing more than a file on the computer or server that allows it to transmit encrypted data over its connections, making them secure in this way.

Every certificate, in turn, is valid and usable only if all of these conditions hold at the same time:

  • It has not passed its expiration date
  • It is guaranteed by another certificate, or it is itself one of the root certificates

If any of these points is missing, the certificate is no longer considered valid and systems treat it as dangerous.

Beyond this, there are also two types of certificates:

  • Simple certificates, which only allow the creation of secure connections
  • Advanced certificates, which allow the creation of simple certificates (and sometimes of other advanced certificates as well), in addition to secure connections that use the certificate in question.

So once my certificate has been generated, it also carries a “chain” of certificates that make it valid, and all of these obviously have to be valid in order for mine to be valid as well.

At the end of this chain are the root certificates, which are present in all the “machines” that connect to the network (PCs, tablets, cellular phones, smart devices, …). These root certificates are then used to verify the website’s security certificate. If even a single detail does not check out, the certificate is marked as invalid and, of course, as dangerous.


Security certificate: could the issue be Let’s Encrypt?

Most of the certificates that turned out to be invalid on the devices with issues were Let’s Encrypt certificates.

Does this mean that the company is unreliable and issues certificates too lightly? No, quite the opposite.

All of this stems precisely from the stability and the guarantees that they wanted to provide from the outset as a company.

When they began operating as a certificate authority, they were not recognized by anyone. They needed one or more of the existing authorities (directly, or indirectly through certificates) to recognize them as valid and reliable.

For this reason, and in order to issue immediately valid and reliable certificates, they “cross-signed” their certificates. This means that, in addition to being valid because they were generated from the root certificate ISRG Root X1 (at the time little used, as it was so new), they also carry a “counter verification” from an older certificate that was still valid at the time Let’s Encrypt was founded: DST Root CA X3.

As a result, Let’s Encrypt certificates caught on very quickly, both because of the need to implement https as soon as possible and for economic reasons (although they last at most three months, the certificates are free).

Pay attention, however, to the following. Ever since Let’s Encrypt started generating certificates, these have been considered valid only under these conditions:

  • If the device is not updated, the DST Root CA X3 certificate is used for verification
  • If the device is up to date, the ISRG Root X1 certificate is used for verification

This meant that Let’s Encrypt issued certificates without issues until the expiry of the old ISRG Root X1 certificate, which, upon expiring, had to be abandoned accordingly.


What happened with the expiration of the ISRG Root X1 certificate?

So the expiration date of the ISRG Root X1 certificate arrived, and all updated devices had no issues. However, things went differently than experts predicted: it turned out that many people (many more than expected) go online with devices that are not updated and, consequently, did not have the new root certificates.

Let me clarify one thing right away: many of these devices are not old, unsupported machines simply because they are old or because they cannot handle the update due to hardware problems or insufficient hardware. They are machines on which updates have been stopped or have never been done at all.

Obviously, in addition to the certificates generated with Let’s Encrypt, a series of other certificates dependent on ISRG Root X1 expired and were recreated shortly thereafter using other root certificates.
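The chain rule from the first section and the cross-signing scenario above, as an added example that is not part of the original article: a small Python model with constructed names and dates (OldRoot, NewRoot, a cross-signed Intermediate, www.example.test, and two trust stores) showing that the same site certificate keeps validating on an updated client but fails on a client that never received the new root once the old root and its cross-signature expire.

```python
from datetime import date

# Toy model of the article's validity rule: a certificate is usable only if it
# has not expired AND it is either a trusted root or is guaranteed (signed) by a
# certificate that is itself valid. All names and dates are constructed for this
# example and stand in for a generic cross-signing setup, not any real CA; no
# real signatures are checked.
CERTS = {
    # subject: list of (issuer, not_after); two entries = cross-signed
    "OldRoot": [("OldRoot", date(2021, 9, 30))],
    "NewRoot": [("NewRoot", date(2035, 6, 4))],
    "Intermediate": [("NewRoot", date(2025, 9, 15)),
                     ("OldRoot", date(2021, 9, 29))],
    "www.example.test": [("Intermediate", date(2021, 12, 1))],
}

# Constructed trust stores: an updated client shipped both roots, a client
# whose updates stopped only ever received the old one.
UPDATED_CLIENT = {"OldRoot", "NewRoot"}
STALE_CLIENT = {"OldRoot"}


def is_valid(subject, trusted_roots, today, seen=frozenset()):
    """True if some chain from `subject` to a trusted root has no expired
    certificate on `today`; any expired link breaks that chain (domino)."""
    if subject in seen:                      # guard against issuer loops
        return False
    for issuer, not_after in CERTS.get(subject, []):
        if today > not_after:                # this certificate has expired
            continue
        if issuer == subject:                # self-signed: must be a trusted root
            if subject in trusted_roots:
                return True
            continue
        # otherwise the guarantor itself has to check out (the chain rule)
        if is_valid(issuer, trusted_roots, today, seen | {subject}):
            return True
    return False


def report(day_iso):
    """Outcome for the site's certificate on both kinds of client."""
    today = date.fromisoformat(day_iso)
    return {"updated": is_valid("www.example.test", UPDATED_CLIENT, today),
            "stale": is_valid("www.example.test", STALE_CLIENT, today)}


if __name__ == "__main__":
    for day in ("2021-09-29", "2021-10-01"):
        print(day, report(day))
```

The stale client fails only because its sole root, and the intermediate's cross-signature from it, have expired; shipping NewRoot to that client (a device update) is what restores validation.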

Was it predictable? Was it avoidable?

It was expected that there would be problems with the root certificates. Technicians had been working for months to make the certificate expiry as “painless” as possible, but it was not avoidable because:

  • Even with certificates from other companies (whether free or paid), it is enough for the chain to include an expired root certificate, or certificates generated from it, for the problem to occur
  • A certificate’s expiration date must be far enough from its creation to be useful, but close enough to avoid security issues
  • It cannot be prevented that some clients are not updated, or at least not aligned with the latest security best practices.

Expired security certificate: what are the possible remedies?

Given what has happened, is there anything that can be done to prevent this type of issue with security certificates? Or must we wait for similar problems to arise?

No, quite the opposite! There is a series of precautions that you or the technicians you choose can implement so as to minimize the impact of a certificate change:

  1. Keep all devices that go online or communicate with servers up to date, and keep the servers up to date as well
  2. Follow closely the validity periods of your certificates and of your own services, so as to know when these issues may occur
  3. Encourage the use of the latest technologies and device updates through posts, newsletters and social media
  4. Follow the instructions your certificate authority gives you for these events (whether generic instructions or specific instructions for a given event)

We know very well that, if you manage multiple websites and already have to constantly keep an eye on and monitor numerous aspects, taking care of these details related to security certificates cannot be at all simple.

For this reason, our advice is to entrust the constant monitoring of your websites to a specialized technical team, so as to relieve you of any kind of anxiety and worry.

These goals have always been at the core of our agency, and for years we have helped countless businesses keep their websites secure, up to date and fast, saving our clients lost time and all sorts of trouble.

Have you discovered that your security certificate has expired and your site is at risk? Contact us immediately and protect your site today!
