Users of Spotify’s Megaphone service could not download podcasts on Monday because of an all-too-familiar error: an expired certificate. Verifone also appeared to have experienced certificate-related problems that disrupted card payments.
Spotify: No certificate, no access
Publishers and listeners of Megaphone-hosted podcasts faced service disruptions during the outage: publishers could not reach the Megaphone content management system, and listeners lost access to their favorite podcasts.
Though the certificate outage was resolved by Tuesday morning, it was a massive disruption for Spotify, which hosts a popular podcast service.
An SSL/TLS certificate authenticates a website's identity and enables an encrypted connection, a necessary security measure. A site secured with TLS is reached over “HTTPS” rather than the older, unencrypted HTTP. A certificate is only trusted within its validity window; once that window closes, clients reject it and connections fail, which is exactly what an expiry outage looks like.
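The failure mode described above, as an added example that is not code from Spotify, Megaphone or Venafi: a throwaway self-signed certificate is minted in memory (the hostname, the 90-day lifetime and the 14-day warning threshold are all assumptions), then verified the way a TLS client would at three different clock times. The same code doubles as the expiry check a monitoring job would run, because a warning that arrives before NotAfter is the only thing that prevents the outage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert mints a throwaway self-signed certificate for a
// hypothetical host so the example runs offline. It stands in for the
// certificate a podcast host would present to clients.
func newSelfSignedCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt runs the checks a TLS client runs on a server certificate, but
// at a chosen clock time so expiry can be simulated. The certificate is
// trusted as its own root, so only the validity window and hostname matter.
func VerifyAt(cert *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: at,
	})
	return err
}

// IsExpiredError reports whether a verification failure was caused by the
// validity window rather than by a hostname or signature problem.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// DaysRemaining is the metric a monitoring job would export: days until NotAfter.
func DaysRemaining(cert *x509.Certificate, now time.Time) float64 {
	return cert.NotAfter.Sub(now).Hours() / 24
}

// RenewalStatus turns the metric into an actionable state. warnDays is a
// hypothetical policy threshold; automated renewal should fire before it.
func RenewalStatus(cert *x509.Certificate, now time.Time, warnDays float64) string {
	d := DaysRemaining(cert, now)
	switch {
	case d < 0:
		return "EXPIRED"
	case d <= warnDays:
		return "RENEW_NOW"
	default:
		return "OK"
	}
}

func main() {
	const host = "podcasts.example.invalid" // assumed hostname
	issued := time.Date(2022, 8, 1, 0, 0, 0, 0, time.UTC)
	cert, err := newSelfSignedCert(host, issued, issued.AddDate(0, 0, 90))
	if err != nil {
		panic(err)
	}
	// Healthy, inside the warning window, and one day past expiry.
	for _, at := range []time.Time{issued.AddDate(0, 0, 30), issued.AddDate(0, 0, 80), issued.AddDate(0, 0, 91)} {
		verr := VerifyAt(cert, host, at)
		fmt.Printf("%s status=%-9s days=%4.0f verify=%v expired=%v\n",
			at.Format("2006-01-02"), RenewalStatus(cert, at, 14), DaysRemaining(cert, at), verr, IsExpiredError(verr))
	}
}
```

The point of separating IsExpiredError from a generic verification failure is operational: a hostname mismatch or a broken chain needs a different fix from an expiry, and an alert that lumps them together sends the on-call engineer down the wrong path.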
“When these critical security assets expire unexpectedly, they leave consumers without access to data, services and applications,” according to Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi.
Spotify confirmed the platform outage was “due to an issue related to our SSL certificate.”
Spotify acquired Megaphone, a podcast advertising and publishing platform, in 2020. Megaphone, which handles ad insertion, also hosts popular podcasts.
“During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers. Megaphone service has since been restored,” a Spotify spokesperson told the media on Tuesday.
Verifone also grapples with outages
Verifone, which provides technology for electronic payment transactions and point-of-sale (POS) systems, was plagued by disruptions in Germany, according to reports. A Twitter thread points to an issue with certificates.
The Verifone H5000, an older payment terminal platform, “brought down big parts of card payment all over Germany as one of the embedded certificates expired unnoticed on Tuesday,” said Jan Wildeboer, who describes himself as a Red Hat EMEA Evangelist, in a tweet.
According to reports citing Wildeboer, the outage affected payment systems across Germany.
“Turns out this terminal is still being installed as new by many local payment service companies. It is cheap [since it is end-of-life]…But seemingly no one noticed the expiration date of a certificate that is needed to get authorisation from the German payment system,” Wildeboer said.
Venafi: certificate outage is an ‘ugly reality’
The double whammy of Spotify and Verifone, two major brands, points to the importance of tackling machine identity management.
The lack of robust machine identity management can impact everything from gas pumps to banking services, airline reservations and streaming services.
“The ugly reality is that certificate outages can happen to anyone; we’ve seen high profile examples like LinkedIn and O2 suffering the exact same problem with certificates in the past,” Bocek said.
“Certificates enable secure communication between machines, applications and services but they’re often poorly managed. And the challenge of managing machine identities is becoming harder as more companies move to the cloud where every container and application needs a unique identity,” Bocek said.
Recent data shows that machine identities, such as the certificate that expired on Megaphone, are growing at over 40% per year, and that most companies will have over half a million identities to manage by 2024, Bocek said.
“We should expect to see a lot more of these kinds of outages until companies invest in the automation necessary to effectively automate the entire lifecycle of every machine identity," Bocek said.
[Update]: Verifone response:
"We know for sure it is not a security issue nor a certificate expiration," a Verifone spokesperson told Venafi. "Rather, it is a software malfunction in the H5000 software. The Verifone H5000 series is not being sold or shipped by Verifone as of late 2019; all the other Verifone terminals available on the market are not affected. Verifone takes its security and industry stewardship obligations very seriously and we don’t see any security risk from this issue."