Monday, 7 September 2015

GeoTrust/Symantec has revoked all SSL certificates for .PW TLD domains

I just came off of vacation and had this show up in my e-mail regarding some problems with Canary:
Good morning Colin,
I hope your weekend was awesome.
Just a quick email to let you know that I am having issues with a possible certificate problem on Firefox, Chrome, IE and even Edge.
It works fine on Safari on an iPad.
Needless to say I initially passed it off as someone having their client not configured correctly or running some outdated software (I really should avoid having these biases but I digress), but just as a sanity check, I decided to take a look.

Being that I didn't revoke the certificate myself, I reached out to the reseller that issued the certificate and had this relayed to me:
Reseller rep.:
We regret to inform you that certificate [number] for domain has been revoked by the Certificate Authority due to the site being flagged as potentially containing malware in a recent site scanning by Symantec (owner of GeoTrust). Unfortunately we were not warned of the upcoming revocation, so we apologize for any inconvenience that this may cause.


Reseller rep.:
As per our check with Symantec, they will no longer be issuing SSL certs to .PW domains. You are advised to remove the SSL certificate from the server to avoid security errors related to a revoked certificate.
I was not happy to read this, but my reseller was awesome enough to issue me a refund so I could go ahead and just switch the certificate to another provider. There is no malware on Canary to say the least so the statement by Symantec is irrevocably false.

But here's the thing: why did GeoTrust just go ahead and revoke the certificates for all .PW domains without any warning? Why did they believe that this was the best course of action and why did they decide to put domains at risk? It is because of these questions that I cannot recommend using them as a certificate authority.

GeoTrust has done a great job demonstrating the problem with certificate authorities: they're closed organizations that you cannot put any trust into.


  1. I guess you have to blame the source of the problem, too. What is the .PW domain? And what caused it to be flagged?