Replacement of SSL certificates on our websites

Our websites and the mailbox.org Office are secured with SSL certificates, indicated by the "https://" protocol used by your browser when accessing these sites. When it comes to the security of our SSL certificates, we have valued the independent Swiss certificate authority SwissSign very highly. Unfortunately, SwissSign appears to have suffered a large number of Denial-of-Service attacks in recent days, which led to repeated downtimes of some of SwissSign's infrastructure.

Part of this infrastructure is the OCSP system, which the Firefox web browser uses to confirm the validity of SSL certificates directly with SwissSign. Normally, brief downtimes can be fully compensated for and don't become an issue at all. However, in this case some of the downtimes lasted several hours, leading to SSL warnings and connection issues when users tried to access websites.

As a precaution, we have switched over to another certificate authority (DigiCert) for now. We have been keeping the relevant certificates as a backup in order to be prepared for incidents like this.

For this reason, our users currently won't see the usual "Extended Validation" certificate in their browser's URL bar that would normally be shown when visiting the mailbox.org website.

We are actively monitoring the situation at SwissSign and will continue to do so for some time, until we decide whether or not it is time to switch back. If things don't improve, we might have to move away from using SwissSign EV certificates in the future.

In terms of website security, the practical difference for our users is going to be quite minimal. The encryption mechanisms employed are independent of the certificate authority used, and we also have our usual security mechanisms such as DANE and others in place, with which our systems can confirm the integrity of our SSL certificates at any time, no matter which certificate authority has signed them.