Author David Riley
Denial of Service
Systems outages are never a fun thing and they can happen to the best of us. Including Agenci. Agenci are a consultancy committed to helping businesses and there is no better teacher than experience itself.
We have recently been on the receiving end of an outage that took down our own website for a number of hours. Not because of any malicious intent (we’re pretty good on that!) but due to the acts of our Certificate Authority (CA).
Due to legitimate actions carried out by them our website certificate was revoked without any warning, resulting in a complete outage of our site. This happened precisely because we took the additional steps to improve security on our site and it now runs purely over http (Hyper-Text-Transfer-Protocol-Secure), reverting back to HTTP wasn’t something we wanted to do, and wasn’t a feasible option due to all the embedded links being written as http.
So how did this happen?
What follows may be a bit ‘techie’ for some, and if it is then you need to pass this to someone who manages your website/IT so that they can give you assurances that
- a) this won’t happen to you
- And b) that you can offer assurances to your website visitors that your site is secure.
So here goes…As the internet moves to total http implementation on the back of upcoming browser changes (thanks Google) to highlight the lack of security on websites, Agenci decided to be proactive and implement an Extended Validation (EV) certificate, effectively this is an ‘enhanced certificate’ that ensures the authenticity of a site you are visiting by displaying the company name in the browser.
The process of being granted a EV certificate is more challenging as several hoops have to be jumped through to validate you are a representative of the company requesting the certificate, as such the lead time is much greater, our providers site states issuance as 3 – 5 minutes for a standard Certificate but 5 – 10 days for an EV Certificate. To get our certificate re-issued took 2 days and several phone calls to our CA. Now, we don’t really need a secure site, we don’t capture data or provide any data entry points but the decisions by larger organisations have pushed us to complete this for SEO and general reputational purposes.
What a F**k Up
So why the outage, well in the CA’s own words
“Due to a software bug, the recently issued certificate for your domain was issued without proper domain validation, and in accordance with industry standards as a Certificate Authority, we will need to revoke your certificate as a precautionary measure. The certificate will be revoked today.”
and it was revoked about 3am UK time(!)
The impact to us is purely reputational as we are a security company with a, albeit for a short time, supposedly “Not Secure” site, if this was an ecommerce system this could have been extremely detrimental, potentially even business ending. Every time you refresh your certificate you are processed via the same long approval process, due to the fault being with the CA we were able to push this through in a couple of days but imagine if your business was offline for 2 – 10 days unable to process orders.
What can you do?
Your Disaster Recovery and Business Continuity management need to take account of this extended outage potential, and you need to ask yourself who is responsible for your key management, are they aware of expiry dates, because if you use EV certificates, you may be offline for longer than you expect.
We are willing to talk about this because we operate from a place of transparency and integrity, and because we believe that sharing our experiences may help prevent others experiencing the same issues. Good luck, and if you need help in ensuring your website is secure, then please do get in touch.
Speak to a member of the team now on
03455 760 999
We would love to help you, ask for David: