<div style="margin:20px 0 0 200px"> To view the site, enable JavaScript by changing your browser options, then <a href="">Try Again</a>.</div>

Let's Encrypt Damage Controls Releasing 3 Million Invalid TLS Certificates

06 Mar, 2020
Let's Encrypt Damage Controls Releasing 3 Million Invalid TLS Certificates

Bugs, bugs and more bugs…

There is no end to catastrophes caused by vulnerability bugs in the virtual world.

This time it is 'Let's Encrypt', the famous free certificate signing authority that has been affected by it.

The signing entity is having to retrace 3 million TLS certificates issues by default because of avirus in its Certificate Authority software.

Let's Encrypt has confirmed the news of the bug and said that it was solved in 2 hours after it was discovered. However it did affect its process of checking the domain name ownership before issuing new TLS certificates. The result being certificates being issued without authenticating the holder's control of a domain name.

The Certification Authority Authorization (CAA) which is an internet security policy, accesses domain name holders to mention to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a particular domain name.

Let's Encrypt holds domain validation results valid only for 30 days from the time of validation. After that stipulated time it reconfirms the CAA record authorizing that domain before issuing the certificate. The bug discovered in the code for Boulder, the certificate signing software used by Let's Encrypt — is as follows:

"When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times."

As per Let's Encrypt the bug was introduced as part of an update in July 2019.

The announcement signifies Let's Encrypt might have issued unauthorized TLS certificates in numbers which it is recalling now to save the situation.

Incidentally the imbroglio was discovered on the occasion of Let's Encrypt's announcement of distribution of its 1 billionth certificate since 2015, the year of its launch.

The company has said 2.6 percent of approximately 116 million active certificates are corrupted, about 3,048,289, out of which about one million are duplicates of other affected certificates.

Affected website owners are allowed until 8PM UTC (3PM EST) March 4 to manually renew and replace their certificates, failing which visitors to the websites see TLS security warnings — as the certificates are revoked — until the renewal process is complete.

But with Let's Encrypt revoking all impacted certificates, website admins will have to perform a forced renewal to prevent any interruptions.

ISOAH has been the entity instrumental in debugging systems of security vulnerabilities.

Read more to know about system security.

Exclusive Blog

Read All Exclusive Blog »
A few tips for the perfect homework
A few tips for the perfect homework

With world working from home, it's time to make it enjoyable and effective.

Read Details

Hacking Tools

Explore All Hacking Tools »
UFTP - UDP based FTP with encryption
UDP based FTP with encryption

UFTP is an encrypted multicast file transfer program for secure, reliable & efficient transfer of files. It also helps in data distribution over a satellite link.

Read Details