Lets Encrypt Revokes Over 3 Million of Its Digital Certs

Published: 23/11/2024   Category: security




Domain validation glitch prompts an abrupt decision.



Let's Encrypt, a nonprofit that has played a major role in pushing the use of encryption on the Web, today revoked more than 3 million of its digital certificates after discovering a flaw in the manner in which they were issued.
Domain owners with affected Let's Encrypt TLS certificates who don't renew them quickly run the risk of their websites becoming inaccessible to users once the certificates have been revoked. This is especially a problem for domain operators who don't have a clear picture of where affected certificates are deployed in their environment and therefore cannot renew them promptly.
"Given the short turnaround time required to respond to the incident, this may exhaust the capacity of IT teams," says JD Kilgallin, senior integration engineer at Keyfactor.
Let's Encrypt has published an online tool that site owners can use to determine whether they have an affected certificate.
Let's Encrypt is a certificate authority (CA), an Internet entity authorized to issue the digital certificates that website owners use to ensure that traffic and data between their site and end-user devices are encrypted. Sites using its certificates, like all sites using any TLS certificate, show a padlock and an HTTPS prefix in the browser's address bar to indicate to users that the site uses encryption and is therefore generally safer than a site served over plain HTTP.
Let's Encrypt offers its TLS certificates free of charge. Anyone who owns a domain name, including individuals, can use Let's Encrypt to obtain, configure, use, and renew certificates in a completely automated fashion. Certificates are valid for 90 days and are renewed automatically before the end of that period.
The Internet Security Research Group (ISRG) launched Let's Encrypt in 2014 in a bid to foster broad adoption of encryption on the Web. Since it began issuing them in late 2015, Let's Encrypt has issued some 1 billion digital certificates globally. Over 192 million websites around the world currently use certificates that Let's Encrypt issued. Over the years that Let's Encrypt has been issuing certificates, HTTPS usage has increased dramatically, from around 58% of all page loads globally in June 2017 to 81% of page loads currently.
On Tuesday, Let's Encrypt announced that it was revoking a total of 3,048,289 currently valid TLS certificates because of a bug it had discovered in a software component used in its domain validation process. The component checks Certification Authority Authorization (CAA) DNS records, which let website operators specify which CAs are permitted to issue certificates for their domains. The point of the check is to make sure that before a CA issues or automatically renews a certificate, it first verifies whether the domain owner has placed any restrictions on such issuance.
What Let's Encrypt discovered was that when a client requested renewal of certificates for multiple domains at the same time, the validation process failed to cover each of them. Instead of performing the CAA check once for each domain being renewed, the bug caused the software to run multiple checks against a single domain.
"When Let's Encrypt went to check the CAA records for a list of, say, 10 certificate renewals, it didn't check each domain in the list once," security vendor Sophos said in a blog post. "Instead, it inadvertently picked one of the domains and then redundantly checked it 10 times over, leaving the other nine domains unchecked."
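The following is an added model of the flaw just described, not Let's Encrypt's own code: a batch CAA recheck that examines one name repeatedly beside one that examines every name once, run against a constructed set of CAA "issue" records (the CA identifier, record data and function names are assumptions for this example).

```python
# Added illustration of the batch CAA recheck flaw described above. This is
# not Let's Encrypt's code: the CA identifier, the CAA records and the
# function names below are constructed for the example.
from typing import Dict, List, Optional

CA_IDENTIFIER = "example-ca.test"  # assumed identifier our CA looks for in "issue" records

# Constructed CAA "issue" values per DNS name. An entry of ";" means
# "no CA may issue"; names with no entry publish no CAA record at all.
CAA_RECORDS: Dict[str, List[str]] = {
    "alpha.example": [CA_IDENTIFIER],    # permits our CA
    "beta.example": ["other-ca.test"],   # permits a different CA only
    "delta.example": [";"],              # forbids issuance entirely
}

def caa_issuers(name: str) -> Optional[List[str]]:
    """Find the relevant CAA record set, climbing to parent names as RFC 8659
    requires (so www.beta.example inherits the policy of beta.example)."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_RECORDS:
            return CAA_RECORDS[candidate]
    return None

def caa_permits(name: str) -> bool:
    """True if our CA may issue for this name."""
    issuers = caa_issuers(name)
    if issuers is None:
        return True  # no CAA record anywhere up the tree: unrestricted
    return CA_IDENTIFIER in issuers

def recheck_correct(names: List[str]) -> Dict[str, bool]:
    """Recheck every name in the batch exactly once."""
    return {n: caa_permits(n) for n in names}

def recheck_buggy(names: List[str]) -> Dict[str, bool]:
    """Models the flaw: one name is picked and checked len(names) times,
    and that single verdict is applied to every name in the batch."""
    picked = names[0]
    verdicts = [caa_permits(picked) for _ in names]
    return {n: all(verdicts) for n in names}

def batch_may_issue(names: List[str], recheck) -> bool:
    """A certificate covering the batch may issue only if every name passes."""
    return all(recheck(names).values())
```

With the buggy recheck, a batch whose first name permits issuance is approved even when another name in it forbids issuance by any CA, which is exactly the condition that forced the revocation.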
Major Revocation for Minor Bug
"The minor software bug kept Let's Encrypt from performing a required authorization check before issuing a publicly trusted certificate for a web server," says Kilgallin. The issue could potentially allow bad actors to obtain certificates for sites they did not own. "Although the probability of exploit is extremely low, the standards set by the CA/Browser Forum require the certificates to be revoked and for site owners to request new certificates with proper authorization checks," he adds.
Automated enrollment and certificate renewal like that offered via Let's Encrypt is fairly common. "When the certificate life cycle works as expected, such automation can significantly reduce the time that system administrators need to ensure their servers and systems are properly authenticated and provide adequate data encryption," Kilgallin says. "However, with anomalous situations such as this, the automated renewal processes may not be equipped to replace certificates that were revoked before their expiration date," he says. Teams may not know where affected certificates are located in their environment, increasing the risk of a service outage.
Pratik Savla, senior security engineer at Venafi, says this is not the first time that Let's Encrypt has found issues with the code used for CAA record checks. In the past, the problems have resulted in CAA rules being ignored and certificates being wrongly issued. "This incident should push any CA out there to review and tighten up their testing process so any incorrect behavior is not overlooked," he says.
For organizations, episodes such as these highlight the need for proper certificate management processes, Savla says. They need to understand which certificates are in use within the environment, where they exist, when they expire, what needs to be renewed, what might be redundant, and what might have already expired.
