Let's Encrypt to Revoke 3 Million Certs Over CAA Bug

Popular free certificate authority Let's Encrypt said it would revoke 3 million Transport Layer Security (TLS) certificates on Wednesday because of a CAA bug. The move could leave millions of websites and machine identities that depend on those certificates to protect sensitive data in transit flagged as insecure or rendered inaccessible.

Certificate holders contacted by Threatpost said they were notified of the revocation on Tuesday and given 24 hours to resolve the issue. The certificates will be revoked on March 4 at 9:00 p.m.

Let's Encrypt said Tuesday that it must revoke 3 million certificates because of a CAA bug that affected the domain ownership checks its software performs before a certificate is issued.

Although 3 million certificates are affected, the actual number of websites and identities affected may be lower, because of the way certificates are reissued and the fact that some of the affected certificates may not currently be in use, says Pratik Savla, senior security engineer at Venafi.

Savla warned that the bug could open the door for a malicious attacker to take control of a TLS certificate, enabling the hacker to eavesdrop on web traffic and collect sensitive data.

In a statement to Hackers Review, Josh Aas, executive director of Let's Encrypt, told us that a bug was introduced into the CA's code during a feature flag update. "This mistake caused us to skip a check that we are required to perform before issuing a certificate.

"We found that about 3 million of our active certificates, or 2.6 percent, were affected by the bug. Unfortunately, these certificates must be revoked, which we will do in accordance with the compliance timeline set by the Baseline Requirements."

Let's Encrypt explains how the bug works

"In practice this means that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt to issue, the subscriber could issue a certificate containing that domain name up to X+30 days later, even if CAA records were later installed on that domain name that forbid Let's Encrypt from issuing."
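The issuance logic described above, as an added simulation that is not Let's Encrypt's own code: a cached domain authorization is reused for up to 30 days, and the buggy path trusts the CAA answer captured at validation time, while the corrected path re-queries CAA once the validation is older than the 8-hour window the Baseline Requirements allow (the 8-hour limit, the domain `example.test` and the CA name `other-ca.example` are assumptions for the example).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CA_ID = "letsencrypt.org"
AUTHZ_LIFETIME = timedelta(days=30)  # a validated domain may be reused for 30 days (from the page)
CAA_MAX_AGE = timedelta(hours=8)     # assumption: Baseline Requirements rule that CAA must be
                                     # checked within 8 hours before issuance


def caa_permits(records, ca_id=CA_ID):
    """RFC 8659 'issue' semantics for a non-wildcard name: with no 'issue' records any CA
    may issue; otherwise ca_id must be named by one ('0 issue ;' names nobody)."""
    issuers = []
    for rec in records:
        _flags, tag, value = rec.split(None, 2)
        if tag.lower() == "issue":
            issuers.append(value.split(";", 1)[0].strip())
    return True if not issuers else ca_id in issuers


@dataclass
class Authorization:
    domain: str
    validated_at: datetime
    caa_ok_at_validation: bool


def may_issue(authz, now, current_caa, recheck_caa):
    """Issuance decision for a cached authorization. recheck_caa=False reproduces the
    bug: the CAA answer captured at validation time is trusted for the whole 30-day
    reuse window. recheck_caa=True re-queries CAA once the validation is older than
    CAA_MAX_AGE, so a 'forbid' record added later blocks issuance."""
    age = now - authz.validated_at
    if age > AUTHZ_LIFETIME or not authz.caa_ok_at_validation:
        return False
    if recheck_caa and age > CAA_MAX_AGE:
        return caa_permits(current_caa)
    return True


def scenario(recheck_caa):
    """Constructed timeline for example.test: CAA allows Let's Encrypt when the name is
    validated at time X, the operator switches CAA to another CA afterwards, and a
    certificate is requested at X+5 days against the cached authorization."""
    x = datetime(2020, 2, 1, 12, 0)
    authz = Authorization("example.test", x, caa_permits(["0 issue letsencrypt.org"]))
    caa_now = ["0 issue other-ca.example"]  # hypothetical CA that replaced Let's Encrypt
    return may_issue(authz, x + timedelta(days=5), caa_now, recheck_caa)


if __name__ == "__main__":
    print("buggy issuance at X+5d:", scenario(recheck_caa=False))  # True
    print("fixed issuance at X+5d:", scenario(recheck_caa=True))   # False
```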
