Let’s Encrypt: One Million Certificates Non-Compliant After Bug


Let’s Encrypt has revealed that over one million of its HTTPS certificates affected by a bug in its automatic validation code will not be revoked by the March 5 deadline, despite being non-compliant.

The free TLS certificate organization discovered the flaw in late February. It lies in the code which checks for a Certification Authority Authorization (CAA) record whenever users renew their certificates, to make sure the domain owner hasn’t put any restrictions on who can renew.

The bug means that for web owners with multiple domains, Let’s Encrypt’s automatic checks only scanned one of these, missing the others. That could in theory expose them to the risk of hijacking by cyber-criminals.
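To make the gap concrete, here is an added example (not Let’s Encrypt’s code) that evaluates CAA for every name on a multi-domain certificate and compares it with a simplified model of the flaw as described above. The zone data, certificate names and function names are constructed for illustration, and wildcard names and the `issuewild` tag are left out.

```python
# Constructed CAA data standing in for DNS lookups: name -> [(tag, value)].
CAA_RECORDS = {
    "example.com": [("issue", "letsencrypt.org")],
    "shop.example.net": [("issue", "other-ca.example")],
    "locked.example.org": [("issue", ";")],   # ";" = no CA may issue
}

def relevant_caa(name, records):
    """Climb from the name toward the root; the first non-empty CAA set applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_permitted(name, ca_id, records):
    """True if the CAA set for a non-wildcard name lets ca_id issue."""
    issuers = [value.split(";")[0].strip().lower()
               for tag, value in relevant_caa(name, records) if tag == "issue"]
    # No "issue" property at all means issuance is unrestricted.
    return not issuers or ca_id in issuers

def recheck_one(names, ca_id, records):
    """Simplified model of the flaw as the article describes it: one name checked."""
    return [n for n in names[:1] if not ca_permitted(n, ca_id, records)]

def recheck_all(names, ca_id, records):
    """Correct behaviour: every name on the certificate is evaluated."""
    return [n for n in names if not ca_permitted(n, ca_id, records)]

# Constructed certificate covering names from three different zones.
SAN_NAMES = ["www.example.com", "shop.example.net", "api.locked.example.org"]

if __name__ == "__main__":
    print("one name checked:", recheck_one(SAN_NAMES, "letsencrypt.org", CAA_RECORDS))
    print("all names checked:", recheck_all(SAN_NAMES, "letsencrypt.org", CAA_RECORDS))
```

Domain owners can run the same per-name comparison against their own certificate inventory to confirm that each covered name’s CAA policy still matches the CA that issued it.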

As a result, Let’s Encrypt announced it would be revoking around 2.6% of active registrations by 3 am today (GMT), amounting to three million certificates. Josh Aas, executive director of the non-profit Internet Security Research Group (ISRG), explained that he was doing this because “industry rules require that we revoke certificates not issued in full compliance with specific standards.”

Yet although the organization has been working with web owners to replace the affected certs as quickly as possible, things didn’t go to plan and many of these certificates are still theoretically exposed to exploitation.

“Unfortunately, we believe it’s likely that more than one million certificates will not be replaced before the compliance deadline for revocation is upon us. Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the internet for us to not revoke those certificates by the deadline,” explained Aas on Wednesday night.

“Let’s Encrypt only offers certificates with 90-day lifetimes, so potentially affected certificates that we may not revoke will leave the ecosystem relatively quickly. We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to web users.”

The news comes just days after the ISRG-backed initiative issued its billionth certificate, in what it claimed was a milestone for user privacy and security online.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argued that incidents such as these highlight the worrying lack of insight many firms have into how many certificates, or “machine identities,” they’re running.

“When an event such as this happens, organizations need to be able to quickly swap out their old machine identities for new, secure ones. However, most do not understand or have visibility of their machine identities,” he added.

“They don’t know how many identities they have — a figure that could be in the tens of thousands — they do not know who issued them, or what they are being used for. Added to this, the only way they can update them is to go through and manually find and replace every single one.”

The answer is to invest in tools which automate the discovery and management of certificates, Bocek concluded.
