Let's Encrypt to revoke over 3 million digital certificates


The free, automated digital certificate authority Let's Encrypt is to revoke more than 3 million HTTPS certificates it has issued.

A bug was detected in the code of Boulder, Let's Encrypt's automated certificate management software. When someone asks Let's Encrypt for HTTPS certificates for their domain names, Boulder checks Certificate Authority Authorization (CAA) records to make certain the requests are all above board. The bug, introduced on July 25, 2019, was an error in the way the tool's Go code iterated over the domain names during this authorisation phase.

When Boulder iterated over a set of domain names that needed CAA rechecking, 20 for example, it would check one domain 20 times instead of checking each domain once, leaving the remaining domains unchecked.
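As an added illustration, not Boulder's own code, the Go program below models the loop pattern just described: goroutines that all close over one shared loop variable end up rechecking a single name, while passing the name as an argument checks each one. The domain names and the CAA policy map are constructed for the demo.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed CAA policy for the demo: which names currently permit issuance by this CA.
var caaAllows = map[string]bool{"a.example": true, "b.example": false, "c.example": true}

// recheckCAA launches one goroutine per name. With shared=true every goroutine closes over
// a single loop variable (the pattern the post describes); with shared=false each receives
// its own copy. It returns the set of names actually looked up and how many forbid issuance.
func recheckCAA(names []string, shared bool) (seen map[string]bool, forbidden int) {
	start := make(chan struct{}) // barrier: goroutines only run after the loop has finished
	checked := make(chan string, len(names))
	var wg sync.WaitGroup
	var name string // declared outside the loop, so all closures see this one variable
	for _, name = range names {
		wg.Add(1)
		check := func(n string) {
			defer wg.Done()
			<-start
			checked <- n // record which name this goroutine actually consulted
		}
		if shared {
			go func() { check(name) }() // reads the shared variable after the loop ended
		} else {
			go check(name) // argument evaluated now: each goroutine keeps its own name
		}
	}
	close(start)
	wg.Wait()
	close(checked)
	seen = map[string]bool{}
	for n := range checked {
		if !seen[n] && !caaAllows[n] {
			forbidden++ // a name whose CAA record forbids issuance was really consulted
		}
		seen[n] = true
	}
	return seen, forbidden
}

func main() {
	names := []string{"a.example", "b.example", "c.example"}
	fmt.Println(recheckCAA(names, true))  // map[c.example:true] 0: b.example never consulted
	fmt.Println(recheckCAA(names, false)) // map[a.example:true b.example:true c.example:true] 1
}
```

In the shared case the forbidding CAA record on b.example is never seen, which is exactly how a certificate could still be issued for a name whose owner had since opted out.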

If a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

This blunder leaves over 3 million digital certificates, out of 116 million, that need to be revoked. One million of these certificates are duplicates. Let's Encrypt, which is supported by the Internet Security Research Group (ISRG), will revoke those certificates that have not been renewed, causing visitors to affected websites to see security warnings until the problem is remedied.

Affected parties are advised to renew and replace their certificates as soon as possible. Any site that fails to renew its certificate will display security warnings to visitors until the problem is rectified. While no specific sites have been named, with up to three million certificates involved, there is a chance that some high-profile sites could be affected.

For more information on trusted SSL certificates from SSL247, please contact one of our consultants who are able to provide you with the most suitable solution for your business needs.


Posted on Thursday 05 March 2020 by Sayeeda Miah
