Let’s Encrypt to Revoke Millions of TLS Certs
2020-03-03 20:13

UPDATE. Popular free certificate authority Let's Encrypt said it will revoke 3 million Transport Layer Security (TLS) certificates on Wednesday because of a Certificate Authority Authorization (CAA) bug.

Let's Encrypt explained on Tuesday it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates.

Josh Aas, executive director of Let's Encrypt, said in a statement to Threatpost, "A bug was introduced in our code during a feature flag update. Under certain conditions, this bug caused us to skip a check that we are required to perform before issuing a certificate. We determined that the bug affected about 3 million, or about 2.6 percent, of our active certificates. Unfortunately, we need to revoke these certificates, which we will be doing within the compliance timeline set forth by the Baseline Requirements."

Besides the short notice, Engelhardt said another of his concerns was that the Let's Encrypt notification sent him scrambling to manually check 200 domains to see which of the certificates he owned would be impacted.

Let's Encrypt also supplied a link to its own scanner to check for impacted TLS certificates.


News URL

https://threatpost.com/lets-encrypt-revoke-millions-tls-certs/153413/