cannot log into aa.com website
#19
Join Date: Sep 2013
Location: MSN
Programs: AA, BAEC Gold
Posts: 3,936
Both Firefox and Safari on an iMac show the security certificate to have been revoked by Entrust. It was not due to expire until May 23, 2019, so it may have been compromised in some way. If you can connect, then the risk is that anything you transmit can be read by a third party.
#20
Join Date: Nov 2016
Location: SE ASIA
Programs: SQ KF GO, OZ GO, QR PC PLAT, TG ROP SL, LCAH SL, IHG SPIRE, Marriott BONVOY GO, HILTON GO
Posts: 641
Same here
I am having the same problem as well. Must be an issue on AA's end.
My browser says:
NET::ERR_CERT_REVOKED
My browser says:
Your connection is not private
Attackers might be trying to steal your information from www.aa.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_REVOKED
So does this mean that, for many users who can't get into the AA website, this translates to bookings not made & lost revenue?
That can't be good for business.
#23
Join Date: Dec 2017
Programs: AA
Posts: 36
#25
Join Date: May 2012
Location: HNL
Programs: AA PP 1.8MM, PC Spire, Hertz 5*, Hyatt Globalist
Posts: 1,030
This happens at our company from time to time. Some code doesn't automatically cache out to the secondary nodes and a forced refresh of the cache needs to be done to all the secondary nodes. Although you would think by now AA would have fixed it.
#26
Join Date: Jun 2016
Programs: ex-multiyear AA EXP/OWE, now SA Gold/AC Super Elite
Posts: 165
A copy of your certificate in the wild means an attacker would be able to spoof aa.com and you would not know you weren't at the legitimate site.
Keep in mind that the issue may not have necessarily been due to a malicious or nefarious incident; someone at AA themselves may have inadvertently exposed the private key (it happens).
Some background reading, for those that may be interested: https://www.globalsign.com/en/ssl-in...l-certificate/
A great post that explains how public/private key cryptography works: https://blog.vrypan.net/2013/08/28/p...for-non-geeks/
The bottom line: an incident like this is painful for a company, but the alternative is much worse. It's entirely possible we may never know what led to them revoking their cert.