
Massive Spotify Podcast Outage, Verifone Problems Highlight ‘Ugly Reality’ of Expired Certificates

June 1, 2022 | Brooke Crothers

Users of Spotify’s Megaphone service could not download podcasts on Monday due to an all-too-familiar error: an expired certificate. Verifone also appears to have experienced problems with certificates causing card payment problems. 

Spotify: No certificate, no access

Publishers and listeners for Megaphone-hosted podcasts faced service disruptions after the outage. Listeners, for example, lost access to their favorite podcasts.

Though the certificate outage was resolved by Tuesday morning, it was a massive disruption for Spotify, which hosts a popular podcast service.

An SSL certificate authenticates a website's identity and enables an encrypted connection, a necessary security measure. An SSL-secured website always has “HTTPS” in the URL, replacing the older, less secure HTTP.

“When these critical security assets expire unexpectedly, they leave consumers without access to data, services and applications,” according to Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi.

Spotify confirmed the platform outage “due to an issue related to our SSL certificate.”

Spotify acquired Megaphone, a podcast advertising and publishing platform, in 2020.  Megaphone, which handles ad insertion, also hosts popular podcasts.

“During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers. Megaphone service has since been restored,” a Spotify spokesperson told the media on Tuesday.

Verifone also grapples with outages

Verifone, which provides technology for electronic payment transactions and point-of-sale (POS) systems, was plagued by disruptions in Germany, according to reports. A Twitter thread points to an issue with certificates.

A payment terminal, the Verifone H5000, which is an old platform, “brought down big parts of card payment all over Germany as one of the embedded certificates expired unnoticed on Tuesday,” said Jan Wildeboer, who describes himself as a Red Hat EMEA Evangelist, in a tweet.

The outage was felt at payment systems across Germany, according to reports, citing Wildeboer.

“Turns out this terminal is still being installed as new by many local payment service companies. It is cheap [since it is end-of-life]…But seemingly no one noticed the expiration date of a certificate that is needed to get authorisation from the German payment system,” Wildeboer said.

Venafi: certificate outage is an ‘ugly reality’

The double whammy of Spotify and Verifone, two major brands, points to the importance of tackling machine identity management.

The lack of robust machine identity management can affect everything from gas pumps to banking services, airline reservations and streaming services.

“The ugly reality is that certificate outages can happen to anyone; we’ve seen high profile examples like LinkedIn and O2 suffering the exact same problem with certificates in the past,” Bocek said.

(See: LinkedIn Certificate Crash: Is Your Organization Outage Free?)

“Certificates enable secure communication between machines, applications and services but they’re often poorly managed. And the challenge of managing machine identities is becoming harder as more companies move to the cloud where every container and application needs a unique identity,” Bocek said.

Recent data shows that machine identities, like the certificate that expired on Megaphone, are growing at over 40% per year, Bocek said.  And most companies will have over half a million identities to manage by 2024.

“We should expect to see a lot more of these kinds of outages until companies invest in the automation necessary to effectively automate the entire lifecycle of every machine identity,” Bocek said.

[Update]: Verifone response: 

"We know for sure it is not a security issue nor a certificate expiration," a Verifone spokesperson told Venafi. "Rather, it is a software malfunction in the H5000 software. The Verifone H5000 series is not being sold or shipped by Verifone as of late 2019; all the other Verifone terminals available on the market are not affected. Verifone takes its security and industry stewardship obligations very seriously and we don’t see any security risk from this issue."
