Using Let’s Encrypt Free SSL Certificate? You Must Reissue A New One Immediately!

Let's Encrypt, the free TLS certificate authority, has warned of a bug affecting millions of domains that use its certificates. It says roughly three million issued certificates are affected and advises their owners to obtain a replacement certificate immediately.

One of the world’s most widely used certificate authorities, known for issuing free TLS certificates for websites, is dealing with a serious issuance bug.

Let’s Encrypt, the non-profit certificate authority run by the Internet Security Research Group (ISRG), which provides X.509 certificates for Transport Layer Security (TLS) at no charge, has been hit by a software bug in its issuance pipeline.

Because of a bug discovered in its backend code, the Let’s Encrypt project will revoke more than three million TLS certificates.

The bug was in Boulder, the certificate authority software Let’s Encrypt uses to verify that a requester controls a domain before issuing a TLS certificate for it. Specifically, it affected Boulder’s implementation of CAA (Certificate Authority Authorization) checking.

CAA is a DNS-based control, standardized in 2013 as RFC 6844 and mandatory for every publicly trusted CA to honor since September 2017 under the CA/Browser Forum rules. It lets domain owners restrict which Certificate Authorities, the organizations that issue TLS certificates, are allowed to issue certificates for their domains.

A domain owner adds a CAA record to the domain’s DNS naming the permitted CAs, and a TLS certificate for that domain may then only be issued by a CA listed in that record. If no CAA record exists anywhere up the domain tree, any CA may issue.

CAs such as Let’s Encrypt must follow the CAA rules to the letter: the CA/Browser Forum Baseline Requirements mandate the check, and a CA that fails it risks sanctions from the browser root programs that decide whether its certificates are trusted at all.

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.” This is how Let’s Encrypt described the problem in the forum post of Saturday, February 29, in which it disclosed that Boulder had not been rechecking CAA for every name in a multi-name request.

Let’s Encrypt fixed the bug on Saturday in a maintenance window that lasted about two hours. Boulder now rechecks the CAA records of every name in a request before issuing a certificate.
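The CAA lookup rule described above (the closest CAA record set up the domain tree decides, "issue" for ordinary names, "issuewild" for wildcards, an empty issuer means nobody may issue) and the rechecking failure quoted from the forum post can both be seen in one small model. The following is an added example written for this page, not Let’s Encrypt or Boulder code. It assumes constructed CAA zone data, uses "letsencrypt.org" as the issuer’s CAA identifier, and takes an 8-hour recheck window as a parameter; it reproduces the "one name checked N times" symptom with a Python late-binding closure and makes no claim about the exact cause inside Boulder.

```python
# Added example (not Let's Encrypt/Boulder code): a minimal CAA evaluator in the
# style of RFC 8659 plus a "recheck" loop that reproduces the symptom from the
# forum post. Zone contents, the CA identity and the recheck window are assumptions.
from typing import Dict, List, Optional, Tuple

CAA_CRITICAL = 128  # RFC 8659 flag bit: an unknown critical tag means "must not issue"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed DNS data: owner name (with trailing dot) -> list of (flags, tag, value).
Zone = Dict[str, List[Tuple[int, str, str]]]


def relevant_caa(name: str, zone: Zone) -> Optional[List[Tuple[int, str, str]]]:
    """Climb from the name toward the root; the first CAA RRset found governs
    issuance (CNAME/DNAME following is omitted). None means no CAA anywhere."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return zone[owner]
    return None


def caa_permits(name: str, ca: str, zone: Zone) -> bool:
    """Decide whether `ca` may issue for `name` (wildcards are written "*.label...")."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name, zone)
    if rrset is None:
        return True  # no CAA in the tree: any CA may issue
    if any(flags & CAA_CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # a critical property we do not understand: refuse
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if wildcard and not values:
        values = [v for _, t, v in rrset if t == "issue"]  # no issuewild: issue applies
    if not values:
        return True  # CAA present but nothing restricts this kind of issuance
    # Values may carry parameters after ';'; only the CA domain part matters here.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    allowed.discard("")  # an 'issue ";"' record means: nobody may issue
    return ca.lower() in allowed


RECHECK_AFTER = 8 * 3600  # seconds; assumed window after which CAA is rechecked


def names_needing_recheck(validated_at: Dict[str, float], now: float) -> List[str]:
    """Names whose domain validation is older than the recheck window."""
    return [n for n, t in validated_at.items() if now - t > RECHECK_AFTER]


def buggy_recheck(names: List[str], ca: str, zone: Zone) -> bool:
    """N names in, one name checked N times. The cause here is Python's
    late-binding closure over `name`; the same shape of error arises in Go when
    the address of a range variable is appended inside a loop."""
    pending = []
    for name in names:
        pending.append(lambda: caa_permits(name, ca, zone))  # captures the variable
    return all(check() for check in pending)


def fixed_recheck(names: List[str], ca: str, zone: Zone) -> bool:
    """Bind each name at loop time so every name in the request is checked once."""
    pending = []
    for name in names:
        pending.append(lambda n=name: caa_permits(n, ca, zone))
    return all(check() for check in pending)


def may_issue(order: Dict[str, float], now: float, ca: str, zone: Zone, recheck) -> bool:
    """Issue only if every stale validation passes a fresh CAA check."""
    stale = names_needing_recheck(order, now)
    return recheck(stale, ca, zone) if stale else True


if __name__ == "__main__":
    # Constructed scenario: both names were validated three days ago with no CAA
    # present; since then b.example.com's owner has pointed CAA at another CA.
    now = 1_583_000_000.0
    order = {"b.example.com": now - 3 * 86400, "a.example.com": now - 3 * 86400}
    zone_now: Zone = {"b.example.com.": [(0, "issue", "other-ca.example")]}
    print("buggy:", may_issue(order, now, "letsencrypt.org", zone_now, buggy_recheck))  # True
    print("fixed:", may_issue(order, now, "letsencrypt.org", zone_now, fixed_recheck))  # False
```

The order of names matters for the buggy path: the last name in the loop is the one that gets checked repeatedly, so whether a stale prohibition slips through depends on which name happens to come last. That is exactly why, in the real incident, the same account could keep reissuing for a name whose CAA had since been changed to exclude Let’s Encrypt.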

The project also said it considers it highly unlikely that anyone deliberately exploited the bug.

Active Measures Being Taken By Let’s Encrypt

Yesterday the Let’s Encrypt project announced that, following the industry rules set by the CA/Browser Forum, it will revoke every certificate that was issued without a proper CAA check. The Baseline Requirements give a CA five days to revoke certificates it learns were issued in violation of its obligations, which is what drives the short deadline below.

Let’s Encrypt engineers say the issue affected 3,048,289 certificates, about 2.6% of the roughly 116 million certificates currently active.

They put the effective number at roughly two million, since about one million of the three million are duplicate certificates covering the same domains or subdomains.

“Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates,” Let’s Encrypt engineers explained in an FAQ page dedicated to the incident.

Let’s Encrypt plans to begin revoking the affected certificates at 00:00 UTC on March 4, 2020.

Once revoked, the affected certificates will be rejected by browsers and other clients that check revocation status via OCSP or CRLs, producing connection errors. Owners of affected domains should therefore force an early renewal with their ACME client and deploy the new certificate before that date. Some security experts suggest that all Let’s Encrypt users renew as an extra precaution, even if their certificate is not on the affected list.

Let’s Encrypt has notified affected domain owners by email, but notes that not every account has a valid contact address on file, so some owners will not receive a notice.

Let’s Encrypt has published a list of the affected certificate serial numbers, which current users can compare against the serial of their installed certificate, and a lookup page where a domain name can be entered to check whether its certificate is among the affected ones.

Let’s Encrypt is one of the most successful CAs to date: just last week it announced that it had issued its one-billionth TLS certificate, all of them free of charge.

Although platform-specific bugs have surfaced from time to time, the project has avoided any major abuse incident in its roughly five-year run, and this is the first time it has had to carry out a mass revocation. Given that its certificates are free, most of its users are likely to forgive the disruption.
