Bugs, bugs and more bugs…
There is no end to the damage caused by security bugs in the virtual world.
This time it is Let's Encrypt, the well-known free certificate authority, that has been hit.
The certificate authority is having to revoke 3 million TLS certificates it issued because of a bug in its Certificate Authority software.
Let's Encrypt has confirmed the bug and said it was fixed within 2 hours of being discovered. However, it did affect the process of checking domain name ownership before new TLS certificates are issued. The result is that certificates were issued without confirming the holder's control of the domain name.
Certification Authority Authorization (CAA) is an internet security policy that lets domain name holders tell certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a particular domain name.
Let's Encrypt treats domain validation results as valid for only 30 days from the time of validation. After that period it reconfirms that the domain's CAA record authorizes issuance before issuing the certificate. The bug discovered in the code of Boulder, the certificate signing software used by Let's Encrypt, is as follows:
"When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times."
According to Let's Encrypt, the bug was introduced as part of an update in July 2019.
The announcement means Let's Encrypt may have issued a large number of unauthorized TLS certificates, which it is now revoking to contain the situation.
Incidentally, the imbroglio came to light just as Let's Encrypt announced it had issued its 1 billionth certificate since its launch in 2015.
The company has said that 2.6 percent of its approximately 116 million active certificates are affected, about 3,048,289, of which about one million are duplicates of other affected certificates.
Affected website owners have until 8PM UTC (3PM EST) on March 4 to manually renew and replace their certificates; after that the certificates are revoked, and visitors to the websites see TLS security warnings until the renewal process is complete.
Since Let's Encrypt is revoking all impacted certificates, website admins must perform a forced renewal to avoid any interruption.
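To make the quoted defect concrete, here is an added Go reconstruction (an illustration, not Boulder's own code): one CAA recheck closure is queued per domain name in a request, and in the buggy variant every closure captures the same loop variable, so the last name is checked N times while a domain whose CAA record forbids issuance is never looked at. The CAA policy map, the domain names and the function names are constructed for the example.

```go
package main
import "fmt"

// Constructed CAA policy: does each domain's CAA record let letsencrypt.org issue?
var caaAllowsLetsEncrypt = map[string]bool{
	"forbidden.example": false, // CAA names a different CA
	"a.example":         true,
	"b.example":         true,
}

// recheckCAA simulates one CAA recheck (a real one queries DNS) and records the name checked.
func recheckCAA(name string, checked *[]string) error {
	*checked = append(*checked, name)
	if !caaAllowsLetsEncrypt[name] {
		return fmt.Errorf("CAA for %s does not authorize issuance", name)
	}
	return nil
}

// checkAllCAA queues one recheck closure per name, runs them, and returns the names
// actually checked plus the first CAA failure. With buggy=true the closures share a
// single loop variable, so the last name is checked N times and the others never.
func checkAllCAA(names []string, buggy bool) ([]string, error) {
	var checked []string
	var rechecks []func() error
	if buggy {
		var name string
		for _, name = range names { // one shared variable: the defect
			rechecks = append(rechecks, func() error { return recheckCAA(name, &checked) })
		}
	} else {
		for _, name := range names {
			n := name // fresh copy per iteration: the fix
			rechecks = append(rechecks, func() error { return recheckCAA(n, &checked) })
		}
	}
	var firstErr error
	for _, rc := range rechecks { // the queued rechecks run only after the loop ends
		if err := rc(); err != nil && firstErr == nil {
			firstErr = err
		}
	}
	return checked, firstErr
}

func main() {
	names := []string{"forbidden.example", "a.example", "b.example"}
	fmt.Println(checkAllCAA(names, true))  // [b.example b.example b.example] <nil>
	fmt.Println(checkAllCAA(names, false)) // [forbidden.example a.example b.example] CAA for forbidden.example does not authorize issuance
}
```

The buggy variant issues for a request containing forbidden.example because that name is never rechecked, which is exactly the failure the revocation is meant to undo.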
ISOAH has been instrumental in debugging systems for security vulnerabilities.