GlobalSign cert error sees browsers block top websites


Many sites affected.

A revocation error at security certificate provider GlobalSign has sent parts of the internet into meltdown after web browsers refused to load websites incorrectly labelled unsafe.


While attempting to clean up some of its root certificate links, GlobalSign revoked a cross-certificate that linked two root certificates and should not have been removed. GlobalSign manages a number of root secure sockets layer (SSL) certificates that authenticate the identity of internet hosts.

This revocation request caused browsers to infer that all certificates downstream of the cross-signed root had also been revoked.

It meant that some of the world's top websites - like Dropbox and The Guardian among many others, small and large - were labelled as 'insecure' by web browsers, preventing access for security reasons.

While the provider quickly removed the affected cross-certificate and cleared its caches, the onus is now on GlobalSign customers to replace their SSL certificates to restore access to their sites.

Additionally, the "global nature of CDN [content delivery networks] and the effectiveness of caching" meant that some of the corrupt certificates made their way to end user systems, GlobalSign said.

Affected sites could remain blocked by browsers for four days until the cached responses expire, given end users "cannot always easily clear their caches, either through lack of knowledge or lack of permission", the certificate authority said.

The firm admitted the situation was "not ideal", and said in the meantime it would provide customers with an alternative issuing certificate authority, issued by a root not affected by the revoked cross.

"We are currently working on the detailed instructions to help you resolve the issue and will communicate those instructions to you shortly," GlobalSign chief product officer Lila Kee told customers.

GlobalSign has set up a support page for IT administrators.

Copyright © iTnews.com.au . All rights reserved.