hCaptcha incident

Reminder: Please ensure your server's root CA certificates are up to date

Notice Resolved

hCaptcha experienced a notice incident on March 15, 2024, lasting —. The incident has been resolved; the full update timeline is below.

Started: Mar 15, 2024, 02:25 PM UTC
Resolved: Mar 15, 2024, 04:00 AM UTC
Duration: —
Detected by Pingoru: Mar 15, 2024, 02:25 PM UTC

Update timeline

  1. resolved Mar 15, 2024, 02:25 PM UTC

    hCaptcha APIs use several SSL certificate authorities, maintaining both primary and backup certificates; our CAA record is authoritative. We also automatically rotate certificates every three months as part of our security best practices. We received several reports today from customers running servers with outdated root CA entries. They either needed to update these after our most recent automatic certificate rotation, or had locked their validation for our endpoints to a specific certificate chain rather than relying on CA validation and our CAA records. Please ensure your servers calling the siteverify endpoint have an updated root CA store. This is an important security practice, as root CAs are occasionally compromised and removed from OS vendors' stores. Similarly, if you would like to enforce additional restrictions on validating our TLS certificates, please rely on the CAA record rather than hard-coding a specific intermediate chain.
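The check below is an added example, not code from hCaptcha or from this status page. It shows why a locally pinned CA list breaks on rotation unless it covers every CA the vendor's CAA record authorises, and builds a TLS context that trusts the OS root store instead of a fixed chain. The CAA records, CA names and function names are constructed placeholders.

```python
import ssl

# Constructed CAA answers in zone-file form: flags, tag, "value".
# The CA names are placeholders, not hCaptcha's real record.
SAMPLE_CAA = [
    '0 issue "ca-one.example"',
    '0 issue "ca-two.example; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@vendor.example"',
]


def parse_caa_issuers(records):
    """Return the CA domains authorised by 'issue' properties (RFC 8659)."""
    issuers = set()
    for line in records:
        _flags, tag, value = line.split(None, 2)
        if tag.lower() != "issue":
            continue  # issuewild / iodef do not govern non-wildcard names
        # Drop the quotes and any ";name=value" parameters after the domain.
        domain = value.strip().strip('"').split(";", 1)[0].strip().lower()
        if domain:  # an empty domain (";") authorises no CA
            issuers.add(domain)
    return issuers


def pin_survives_rotation(pinned_ca_domains, caa_records):
    """True only if a local CA allow-list covers every CA in the CAA set.

    pinned_ca_domains is a hypothetical local setting; an allow-list
    narrower than the CAA set fails once the vendor rotates to a
    certificate from one of the other authorised CAs.
    """
    pinned = {d.lower() for d in pinned_ca_domains}
    return parse_caa_issuers(caa_records) <= pinned


def siteverify_tls_context():
    """TLS context for siteverify calls: OS root store, no pinned chain."""
    # create_default_context() loads the system roots and enables both
    # certificate verification and hostname checking.
    return ssl.create_default_context()


if __name__ == "__main__":
    print(sorted(parse_caa_issuers(SAMPLE_CAA)))
    print(pin_survives_rotation(["ca-one.example"], SAMPLE_CAA))
```
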