
cannot log into aa.com website

Old Dec 8, 2017, 8:24 am
  #16  
 
Join Date: Nov 2008
Location: UK/USA
Programs: AA EXP
Posts: 830
I can't get on it. iPad, Mac etc., no joy.
IflyonAA is offline  
Old Dec 8, 2017, 8:32 am
  #17  
 
Join Date: Nov 2003
Location: CGK/KOA
Programs: AA ExPlat HH Diamond
Posts: 1,689
Not working for me either from Jakarta. Not on Safari, Firefox, and Google.
Penguinmoon is offline  
Old Dec 8, 2017, 8:34 am
  #18  
Moderator: American AAdvantage
 
Join Date: May 2000
Location: NorCal - SMF area
Programs: AA LT Plat; HH LT Diamond, Maître-plongeur des Muccis
Posts: 62,946
No problem logging in with my iPad Air 2, OS 11 and Safari, or Chrome.
JDiver is offline  
Old Dec 8, 2017, 8:56 am
  #19  
 
Join Date: Sep 2013
Location: MSN
Programs: AA, BAEC Gold
Posts: 3,936
Both Firefox and Safari on an iMac show the security certificate to have been revoked by Entrust. It was not due to expire until May 23, 2019, so it may have been compromised in some way. If you can connect then the risk is that anything you transmit can be read by a third party.
MADPhil is online now  
Old Dec 8, 2017, 9:03 am
  #20  
 
Join Date: Nov 2016
Location: SE ASIA
Programs: SQ KF GO, OZ GO, QR PC PLAT, TG ROP SL, LCAH SL, IHG SPIRE, Marriott BONVOY GO, HILTON GO
Posts: 641
Same here

Originally Posted by elliottishere
I am having the same problem as well. Must be an issue on AA's end.

My browser says:

Your connection is not private

Attackers might be trying to steal your information from www.aa.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_REVOKED
Trying to check on my seating assignment for a booking I made last night, with a code share flight on CX.
So does this mean that for many users who can't get into the AA website, that this translates to bookings not made & lost revenue?
That can't be good for business.
kaffir76 is offline  
Old Dec 8, 2017, 9:21 am
  #21  
FlyerTalk Evangelist
 
Join Date: Feb 2003
Location: Denver, CO, USA
Programs: Sometimes known as [ARG:6 UNDEFINED]
Posts: 26,809
Appears to be back up as of 9:20 AM MT.
DenverBrian is offline  
Old Dec 8, 2017, 9:22 am
  #22  
 
Join Date: Nov 2008
Location: UK/USA
Programs: AA EXP
Posts: 830
Yes back up for me too! Mac Chrome.
IflyonAA is offline  
Old Dec 8, 2017, 9:24 am
  #23  
 
Join Date: Dec 2017
Programs: AA
Posts: 36
Originally Posted by IflyonAA
Yes back up for me too! Mac Chrome.
The TLS certificate appears to have changed to a newly issued certificate. Sounds like someone doing maintenance last night forgot to use the new certificate. I notice that the look and feel to the site has changed overnight.
JDiver likes this.
eastmanrg is offline  
Old Dec 8, 2017, 10:03 am
  #24  
 
Join Date: Mar 2009
Posts: 2,295
Anyone able to provide a technical answer as to what may have happened?

It's back up for me, but I couldn't use it all morning (rep did waive the phone booking fee when I called and inquired about an award ticket during the outage.)
danpeake is offline  
Old Dec 8, 2017, 10:47 am
  #25  
 
Join Date: May 2012
Location: HNL
Programs: AA PP 1.8MM, PC Spire, Hertz 5*, Hyatt Globalist
Posts: 1,030
Originally Posted by danpeake
Anyone able to provide a technical answer as to what may have happened?

It's back up for me, but I couldn't use it all morning (rep did waive the phone booking fee when I called and inquired about an award ticket during the outage.)
My guess is that they made some changes last night and pushed out code. Any good global company will have cached pages across the world, CDN. When new code is pushed it should slowly push to all the locations. Either bad certs have been pushed or new good ones have been pushed. Either way it seems like there are different certs at different locations and thus some can log in and some can't depending on which node you are getting your data from.

This happens at our company from time to time. Some code doesn't automatically cache out to the secondary nodes and a forced refresh of the cache needs to be done to all the secondary nodes. Although you would think by now AA would have fixed it.
danpeake likes this.
nutwpinut is offline  
Old Dec 8, 2017, 10:48 am
  #26  
 
Join Date: Jun 2016
Programs: ex-multiyear AA EXP/OWE, now SA Gold/AC Super Elite
Posts: 165
Originally Posted by danpeake
Anyone able to provide a technical answer as to what may have happened?
Quite simply: someone in AA's security team issued a revocation of their SSL certificate. (The mechanism that allows you to communicate with the site "securely".) This can be for a number of reasons, up to and including them believing someone obtained a copy of their private certificate. With public key cryptography, even the suspicion that your private certificate may have been exposed will require companies on the ball to immediately revoke the certificate and obtain a new one.

A copy of your certificate in the wild means an attacker would be able to spoof aa.com and you would not know you weren't at the legitimate site.

Keep in mind that the issue may not have necessarily been due to a malicious or nefarious incident; someone at AA themselves may have inadvertently exposed the private key (it happens).

Some background reading, for those that may be interested: https://www.globalsign.com/en/ssl-in...l-certificate/
A great post that explains how public/private key cryptography works: https://blog.vrypan.net/2013/08/28/p...for-non-geeks/

The bottom line: an incident like this is painful for a company, but the alternative is much worse. It's entirely possible we may never know what led to them revoking their cert.
JDiver, nutwpinut, A1pax and 1 others like this.
RichVan is offline  
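
The situation discussed in the posts above (a certificate revoked well before its May 23, 2019 expiry, and different nodes serving different certificates), as an added example that is not part of the thread: it builds a constructed demo CA, revokes the old certificate in a CRL, and classifies what two nodes serve. It assumes the third-party Python `cryptography` package; the CA, the host name `www.example.test` and the node names are made up, and only revocation and expiry are checked, not the full chain.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2017, 12, 8, 15, 0)  # constructed "current time" (UTC)
CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
SITE = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])

def issue(ca_key, site_pub, not_before, not_after):
    """Issue a site certificate from the constructed demo CA."""
    return (x509.CertificateBuilder().subject_name(SITE).issuer_name(CA)
            .public_key(site_pub).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, revoked_serials):
    """Build a signed CRL listing the given serial numbers as revoked."""
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CA)
           .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(NOW - timedelta(hours=8)).build())
        crl = crl.add_revoked_certificate(entry)
    return crl.sign(ca_key, hashes.SHA256())

def status(cert, crl, ca_pub, now=NOW):
    """Classify a certificate the way a revocation-checking client would."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_pub):
        return "crl-untrusted"  # never act on a CRL the CA did not sign
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"        # listed by the CA: reject even if unexpired
    expiry = getattr(cert, "not_valid_after_utc", None)  # newer library versions
    expiry = expiry.replace(tzinfo=None) if expiry else cert.not_valid_after
    return "expired" if now > expiry else "good"

def demo():
    """Two edge nodes serving different certificates for the same site."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    old = issue(ca_key, ec.generate_private_key(ec.SECP256R1()).public_key(),
                NOW - timedelta(days=200), datetime(2019, 5, 23))
    new = issue(ca_key, ec.generate_private_key(ec.SECP256R1()).public_key(),
                NOW - timedelta(hours=1), NOW + timedelta(days=365))
    crl = make_crl(ca_key, [old.serial_number])
    edges = {"edge-a": old, "edge-b": new}  # hypothetical node names
    return {node: status(c, crl, ca_key.public_key()) for node, c in edges.items()}

if __name__ == "__main__":
    print(demo())
```

A client routed to the node still serving the old certificate gets the revoked result, while one routed to the node with the newly issued certificate connects normally.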

