Using Let’s Encrypt Free SSL Certificate? You Must Reissue A New One Immediately!

Let's Encrypt, the free SSL certificate provider, has issued a warning about a bug affecting millions of domains that use its certificates. The organization has said that nearly 3 million issued certificates are suspected to be affected, so affected users are advised to reissue their certificates immediately.


One of the world's most popular SSL certificate providers, widely known for issuing free SSL certificates for websites, is facing some challenges.

Let's Encrypt, the non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security encryption at no charge, is facing a lot of trouble caused by a software bug.


Due to a bug discovered in its backend code today, the Let’s Encrypt project will revoke more than a whopping three million TLS certificates.

The bug affected Boulder, the server software Let's Encrypt uses to verify users and their domains before issuing a TLS certificate. Specifically, it lay in Boulder's implementation of the CAA (Certificate Authority Authorization) specification.

The CAA security standard was approved in 2017. It enables domain owners to prevent Certificate Authorities (the organizations that issue TLS certificates) from issuing certificates for the owners' domains.

Domain owners add a "CAA field" to a domain's DNS records, and a TLS certificate for that particular domain can then only be issued by the CA listed in the CAA field.

Certificate Authorities such as Let's Encrypt can incur heavy penalties from browser makers if they do not follow the CAA specification to the letter.


“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.” Let's Encrypt explained this in a forum post on Saturday, February 29, after disclosing that a bug in Boulder had caused CAA checks to be ignored.
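To make the quoted description concrete, here is an added illustration (not Boulder's code, and not from the Let's Encrypt post) that simulates the rechecking loop over a small constructed table of CAA records standing in for live DNS; the domain names, the CA identifier and the simplified CAA rule are assumptions.

```python
from typing import Dict, List, Tuple

CA_NAME = "letsencrypt.org"  # the CA whose issuance the CAA records govern

# Constructed CAA table standing in for DNS: domain -> list of (tag, value).
# An empty list means the domain publishes no CAA records at all.
CAA_RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "shop.example": [("issue", "letsencrypt.org")],    # explicitly allows this CA
    "blog.example": [],                                 # no CAA: any CA may issue
    "locked.example": [("issue", "other-ca.example")],  # names a different CA only
}


def caa_allows(domain: str, ca: str, records=CAA_RECORDS) -> bool:
    """Simplified CAA rule: no records means issuance is permitted; otherwise the
    CA must appear in an 'issue' record. Wildcards, 'issuewild' and climbing to
    parent domains are omitted for brevity (assumption, not the full RFC)."""
    rrs = records.get(domain, [])
    if not rrs:
        return True
    return any(tag == "issue" and value == ca for tag, value in rrs)


def recheck_buggy(names: List[str], ca: str = CA_NAME) -> bool:
    """The flaw described in the post: one name is picked and checked N times,
    so the other N-1 names in the order are never looked at."""
    chosen = names[0]
    return all(caa_allows(chosen, ca) for _ in names)


def recheck_fixed(names: List[str], ca: str = CA_NAME) -> bool:
    """Corrected loop: every name in the order gets its own CAA check."""
    return all(caa_allows(name, ca) for name in names)


def names_never_checked(names: List[str]) -> List[str]:
    """Names whose CAA records the buggy loop would not have consulted."""
    return [n for n in names[1:] if n != names[0]]


if __name__ == "__main__":
    order = ["shop.example", "blog.example", "locked.example"]
    print("buggy recheck allows issuance:", recheck_buggy(order))  # True
    print("fixed recheck allows issuance:", recheck_fixed(order))  # False
    print("skipped by buggy loop:", names_never_checked(order))
```

With the buggy loop, a CAA record added to locked.example after its first validation is never consulted, which is exactly the window the post describes.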

The Let's Encrypt team patched the bug during a two-hour maintenance window on Saturday. Boulder now properly verifies the CAA fields before issuing new certificates.

The project also said it considers it highly unlikely that anyone deliberately exploited this bug.

Active Measures Being Taken By Let’s Encrypt

Yesterday, the Let's Encrypt project announced that, following industry rules set by the CA/B Forum, it will revoke all certificates that were issued without proper CAA checks.

Let's Encrypt engineers have reportedly said that only 2.6% of the 116 million currently active TLS certificates were affected by this issue, representing 3,048,289 certificates.

They put the actual number of affected SSL certificates at roughly two million, since about one million of the three million are duplicates issued for the same domain or subdomain.

“Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates,” Let’s Encrypt engineers explained today in a special FAQ page dedicated to the incident.

Starting with 00:00 UTC, March 4, 2020, Let’s Encrypt plans to revoke all the impacted certificates.

After that date, all impacted certificates will trigger errors in browsers and other applications, so affected domain owners are advised to request a new TLS certificate and replace the old one. Security experts, however, suggest that all webmasters, affected or not, reissue their SSL certificate as an extra precaution.

Let's Encrypt said it has notified the impacted domain owners by email, although not all users listed a valid contact method.

Current users of Let's Encrypt certificates can check the list of impacted TLS certificate serial numbers on this page. They can also visit this website and enter their certificate's domain name to check whether their certificate is among those affected.

Let's Encrypt has become one of the most successful CAs to date: just last week it announced that it had issued its one-billionth TLS certificate, all of them completely free.

Although platform-specific bugs have shown up from time to time, the project has stayed free of any major incident of abuse in its five-year run. This incident is the first time Let's Encrypt has had to revoke certificates. Many of its users, however, are likely to look the other way, given that the project provides its certificates for free.
