
Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes
2020-03-03 19:44

On Wednesday, March 4, Let's Encrypt - the free, automated digital certificate authority - will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs.

In a post to the service's online forum on Saturday, Jacob Hoffman-Andrews, senior staff technologist at the EFF, said a bug had been found in the code for Boulder, Let's Encrypt's automated certificate management environment.

When someone asks Let's Encrypt for HTTPS certificates for their domain names, Boulder checks Certificate Authority Authorization records to ensure the requests are all above board.

"What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt," Hoffman-Andrews continued.

A code fix was deployed about two hours after the programming blunder was discovered, though that still leaves 3,048,289 digital certificates out of about 116 million that need to be revoked.
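The check the article describes, as an added Go illustration that is not Boulder's code: at issuance, every name's CAA records are queried afresh, so a record prohibiting Let's Encrypt that was installed after the original validation blocks issuance for that name. The 8-hour recheck threshold, the `CAARecord`/`Validation` types and the `MayIssue` function are assumptions of this example, not details from the article; wildcard names and `issuewild` are not handled.

```go
package main

import "time"

// CAARecord is a constructed stand-in for a DNS CAA record (the flags byte is omitted).
type CAARecord struct {
	Tag   string // "issue" or "issuewild"
	Value string // CA domain such as "letsencrypt.org", or ";" meaning no CA may issue
}

// caaPermits applies the CAA rule for one non-wildcard name: with no records at all
// any CA may issue; otherwise the CA must be named in an "issue" record.
func caaPermits(records []CAARecord, ca string) bool {
	if len(records) == 0 {
		return true
	}
	for _, r := range records {
		if r.Tag == "issue" && r.Value == ca {
			return true
		}
	}
	return false
}

// Validation is when a subscriber last proved control of a name.
type Validation struct {
	Name      string
	Validated time.Time
}

const reuseWindow = 30 * 24 * time.Hour // validations may be reused for 30 days (from the article)
const recheckAfter = 8 * time.Hour       // assumption: CAA is re-queried once a validation is older than this

// MayIssue decides whether a certificate covering all names may be signed at now.
// Each name whose validation is older than recheckAfter gets its own fresh CAA lookup,
// so a prohibiting record installed after validation blocks issuance for that name.
func MayIssue(vals []Validation, lookup func(string) []CAARecord, ca string, now time.Time) (bool, string) {
	for _, v := range vals {
		age := now.Sub(v.Validated)
		if age > reuseWindow {
			return false, v.Name + ": validation older than 30 days"
		}
		if age > recheckAfter && !caaPermits(lookup(v.Name), ca) {
			return false, v.Name + ": CAA no longer permits " + ca
		}
	}
	return true, ""
}
```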

News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/03/lets_encrypt_cert_revocation/