Secure email provider shifts to Let’s Encrypt, citing reliability issues with Swiss counterpart
UPDATED A barrage of DDoS attacks against SwissSign has resulted in the certificate authority (CA) temporarily losing a key customer, as email provider ProtonMail moved over to Let’s Encrypt amid the disruption.
On September 1, SwissSign reported that its “products and services are currently impaired, and availability is limited” following a series of DDoS attacks that began 24 hours earlier and reached up to 40 Gbps in magnitude.
Thomas M Kläusli, head of marketing and communications at SwissSign, said the cyber-attack took down its OCSP service. “This meant that security certificates could not be checked for validity which of course impacted some of our customers,” he told The Daily Swig. “Some browsers don’t allow [users] to access a website without a valid SSL certificate.”
Measures taken “with external partners to fend-off the attacks” then “proved to be very effective and our systems were up and running again a few days after the attack started, despite ongoing heavy DDoS attacks”.
The attacks have ceased since September 8, he added.
Kläusli said all SwissSign’s systems remain fully operational, no data was compromised, and that the incident was reported to the Swiss National Cyber Security Centre.
But in a blog post published by ProtonMail on the same day, the secure email provider said they had “decided to temporarily switch to Let’s Encrypt because we believe they can offer a higher level of reliability after” the attacks, “which led to interruptions of our services”.
A spokesperson for ProtonMail told The Daily Swig: “The DDoS attack prevented web browsers from verifying the validity of the certificates used by us to prove our identity and encrypt web traffic.
“This meant that some users had difficulty connecting to the ProtonMail website. While this did not impact the privacy of our users’ data, it negatively impacted the user experience for those affected. Thankfully we detected the issue relatively early and were able to put in place workarounds to maintain service for our users.”
CAs act as a trusted third party, validating websites’ servers and providing a stable, secure connection.
Users can check which organization provides a website’s certificate and whether it is valid by clicking the padlock in their browser’s address bar.
ProtonMail said the change of certificate authority “will have no practical impact” on the user experience for both the ProtonMail and ProtonVPN platforms.
San Francisco-based Let’s Encrypt is operated by the Internet Security Research Group, a non-profit organization sponsored by the Mozilla Foundation and Electronic Frontier Foundation.
“Like us, they regularly publish transparency reports and use open standards wherever possible, so it is an additional benefit that Let’s Encrypt’s values align with ours,” said ProtonMail in its blog post.
“We are considering all options to make this step carefully and ensure we understand the full impact of such a change,” said ProtonMail’s spokesperson.
“It’s likely that we will switch back to SwissSign in the near future. However, we always keep these things under review and have changed certificate authorities before, to ensure the best possible service for our users.”
Proton Mail’s “decision was taken shortly before our services were back up again,” said Thomas M Kläusli of SwissSign. “We are in close contact with Proton Mail, also in terms of cybersecurity issues, and we hope they will come back to us again soon.”
The fallout for the email giant from a cyber-attack on its security certificate provider has certainly highlighted how all websites can be impacted by such assaults.
This article was updated on September 10 with comments from ProtonMail, and on September 11 with comments from SwissSign.