Using Let’s Encrypt Free SSL Certificate? You Must Reissue A New One Immediately!

Let's Encrypt, the free certificate authority, has disclosed a bug in its CAA checking that affects roughly three million issued certificates. Because those certificates are being revoked, anyone holding an affected certificate is advised to reissue (renew) it immediately rather than wait for the revocation to bite.


One of the world's most widely used certificate providers, known for issuing free certificates for websites, is dealing with a serious issuance bug.

Let's Encrypt, the non-profit certificate authority run by the Internet Security Research Group (ISRG), provides X.509 certificates for Transport Layer Security (TLS) at no charge. A bug in its issuance software has now forced it into a mass revocation.


Because of a bug discovered in its backend code, the Let's Encrypt project will revoke more than three million TLS certificates.

The bug was in Boulder, the server software Let's Encrypt uses to validate that an applicant controls a domain before issuing a TLS certificate for it; specifically, in Boulder's implementation of CAA (Certificate Authority Authorization) checking.

CAA (Certificate Authority Authorization, originally RFC 6844 from 2013 and now RFC 8659) lets a domain owner state which Certificate Authorities, the organisations that issue TLS certificates, are permitted to issue for that domain. Since September 2017 the CA/Browser Forum's Baseline Requirements have obliged every publicly trusted CA to check CAA before issuing.

The domain owner publishes a CAA record in the domain's DNS; a CA may then only issue a certificate for that name if it is one of the CAs listed in the record. If no CAA record exists anywhere up the name's DNS tree, any CA may issue.

A CA that fails to honour CAA is in breach of the Baseline Requirements and exposes itself to sanctions from the browser root programs, up to and including distrust of its certificates. That is why a CAA-checking bug at a CA the size of Let's Encrypt has to be treated as a serious incident.


Let's Encrypt allows a completed domain validation to be reused for up to 30 days, but the Baseline Requirements require the CAA check to be no more than eight hours old at the moment of issuance. Boulder therefore has to recheck CAA for any name in a request whose validation is older than that, and the recheck is where the bug lived. Let's Encrypt explained in a forum post on Saturday, February 29, disclosing that Boulder had been skipping the CAA recheck for all but one of the names in a request:

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

The Let's Encrypt team patched the bug during a two-hour maintenance window on Saturday. Boulder now rechecks the CAA records of every name in a request before issuing a new certificate.
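To make the CAA rules described above and the quoted bug concrete, here is a small Python model written for this article. It is not Boulder's code (Boulder is written in Go). The zone data, hostnames and the letsencrypt.org / digicert.com / sectigo.com issuer strings are constructed inputs; the eight-hour CAA freshness window is the Baseline Requirements figure and the 30-day reuse window is Let's Encrypt's, as quoted. The "buggy" recheck reproduces the quoted symptom, one name checked N times, using a late-binding closure; that is an analogy for the described behaviour, not a claim about Boulder's actual root cause.

```python
"""Model of CAA evaluation (RFC 8659) and of the Let's Encrypt CAA-rechecking bug.

Added illustration for this article; not Boulder's code. All DNS data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org" or "letsencrypt.org; validationmethods=dns-01"


# Constructed zone data standing in for the DNS lookups a CA performs at check time.
ZONE = {
    "example":        [CAARecord(0, "issue", "letsencrypt.org")],
    "strict.example": [CAARecord(0, "issue", ";")],             # empty issuer: nobody may issue
    "moved.example":  [CAARecord(0, "issue", "digicert.com")],  # owner switched CA after validation
    "wild.example":   [CAARecord(0, "issue", "letsencrypt.org"),
                       CAARecord(0, "issuewild", "sectigo.com")],
    "odd.example":    [CAARecord(128, "futuretag", "x")],       # unknown critical property
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

CAA_MAX_AGE = timedelta(hours=8)        # Baseline Requirements: CAA check must be this fresh at issuance
VALIDATION_REUSE = timedelta(days=30)   # Let's Encrypt's reuse window for a completed validation


def relevant_rrset(name):
    """RFC 8659 section 3: climb toward the root until a non-empty CAA RRset is found."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """The issuer domain is the part of the property value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(name, ca="letsencrypt.org"):
    """True if the relevant CAA RRset permits `ca` to issue for `name`."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True   # no CAA anywhere in the tree: any CA may issue
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # unrecognised critical property: the CA must not issue
    tag = "issue"
    if name.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"   # wildcard requests use issuewild when present, else issue
    issuers = {issuer_domain(r.value) for r in rrset if r.tag.lower() == tag}
    if not issuers:
        return True   # RRset restricts nothing for this request type (e.g. only iodef)
    return ca in issuers


def names_needing_recheck(validations, now):
    """validations: {name: time the name (and its CAA) was last validated}.
    Returns names whose validation is still reusable but whose CAA check is stale."""
    return [n for n, t in validations.items() if CAA_MAX_AGE < now - t <= VALIDATION_REUSE]


def recheck_caa_buggy(names):
    """Reproduces the disclosed symptom: one name is checked len(names) times."""
    checks = []
    for name in names:
        checks.append(lambda: (name, caa_allows(name)))  # `name` resolved when the lambda runs
    return [c() for c in checks]                         # every check sees the last `name`


def recheck_caa_fixed(names):
    """Each check is bound to the name it was created for."""
    checks = []
    for name in names:
        checks.append(lambda n=name: (n, caa_allows(n)))
    return [c() for c in checks]


def issuance_permitted(results):
    """A request may be issued only if every rechecked name still permits it."""
    return all(ok for _, ok in results)


if __name__ == "__main__":
    now = datetime(2020, 2, 29, tzinfo=timezone.utc)
    stale = names_needing_recheck({"moved.example": now - timedelta(days=10),
                                   "www.example": now - timedelta(days=10)}, now)
    print("needs recheck:", stale)
    print("buggy:", recheck_caa_buggy(stale), "->", issuance_permitted(recheck_caa_buggy(stale)))
    print("fixed:", recheck_caa_fixed(stale), "->", issuance_permitted(recheck_caa_fixed(stale)))
```

In the run above, moved.example was validated while its CAA still allowed Let's Encrypt and has since been pointed at another CA; the buggy recheck looks only at www.example twice and would issue anyway, while the fixed recheck refuses. That is exactly the window the quoted disclosure describes.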

The project also mentioned that they find it highly unlikely that someone deliberately exploited this bug.

Active Measures Being Taken By Let’s Encrypt

Yesterday the Let's Encrypt project announced that every certificate issued without a proper CAA check will be revoked, as the CA/Browser Forum's Baseline Requirements require for certificates issued in violation of those requirements.

Let's Encrypt engineers said that only 2.6% of the roughly 116 million currently active certificates were affected, which still amounts to 3,048,289 certificates.

They put the number of distinct affected certificates at roughly two million, because about one million of the three million are duplicates covering the same domain or subdomain.

“Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates,” Let’s Encrypt engineers explained today in a special FAQ page dedicated to the incident.

Let's Encrypt plans to revoke all impacted certificates starting at 00:00 UTC on March 4, 2020.

Once revoked, the affected certificates will be rejected by browsers and other clients that check revocation status (via OCSP or CRLs), so affected domain owners should request a new certificate and deploy it before that deadline. Note that many clients soft-fail revocation checks, so a site that still loads after the date is no proof that its certificate was unaffected. Some security commentators go further and recommend that every Let's Encrypt user reissue as an extra precaution.

Impacted domain owners have been notified by email; however, Let's Encrypt said that not all subscribers provided a valid contact address, so the absence of an email is not a clean bill of health.

Let's Encrypt has published a list of affected certificate serial numbers, and a lookup tool where a hostname can be entered to check whether the certificate it currently serves is on the list. When comparing serial numbers by hand, normalise the formatting first: tools print the same serial with or without colons and in upper or lower case.

Let's Encrypt is one of the most successful CAs to date; only last week it announced that it had issued its one-billionth certificate, all of them free.

Although platform-specific bugs have surfaced occasionally, the project has avoided any major incident of abuse in its five-year run, and this is the first time it has had to carry out a mass revocation. Given that the certificates are free, most of its users are likely to forgive the incident.
