
Let's Encrypt Vulnerability
2020-03-04 12:46

In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code."

Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

Let's Encrypt typically considers domain validation results good for 30 days from the time of validation, but CAA records specifically must be checked no more than eight hours prior to certificate issuance.

The upshot is that a 30-day window is presented in which certificates might be issued to a particular Web server by Let's Encrypt despite the presence of CAA records in DNS that would prohibit that issuance.

Since Let's Encrypt finds itself in the unenviable position of possibly having issued certificates that it should not have, it is revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4.
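The timing rule described above, as an added example that is not Let's Encrypt's code: a checker that walks every name on a multi-domain certificate and reports those whose domain validation is older than 30 days or whose CAA check is older than eight hours at issuance. The record layout, the function name and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Limits as stated in the text above.
VALIDATION_REUSE = timedelta(days=30)  # a domain validation stays usable this long
CAA_MAX_AGE = timedelta(hours=8)       # CAA must be checked this close to issuance


def audit_order(issued_at, names):
    """Return {domain: [problems]} for names that should have blocked issuance.

    `names` maps each domain on the certificate to a dict holding
    'validated_at' and 'caa_checked_at' datetimes (hypothetical layout).
    Each name is judged on its own timestamps, never on another name's.
    """
    findings = {}
    for domain, rec in names.items():
        problems = []
        if rec["validated_at"] > issued_at or rec["caa_checked_at"] > issued_at:
            problems.append("timestamp after issuance")
        if issued_at - rec["validated_at"] > VALIDATION_REUSE:
            problems.append("domain validation older than 30 days")
        if issued_at - rec["caa_checked_at"] > CAA_MAX_AGE:
            problems.append("CAA check older than 8 hours")
        if problems:
            findings[domain] = problems
    return findings


# Constructed sample: one certificate covering three names.
ISSUED = datetime(2020, 2, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    # Validated and CAA-checked shortly before issuance: acceptable.
    "a.example": {"validated_at": ISSUED - timedelta(hours=1),
                  "caa_checked_at": ISSUED - timedelta(hours=1)},
    # Validation reused after 12 days (allowed), CAA not rechecked since then.
    "b.example": {"validated_at": ISSUED - timedelta(days=12),
                  "caa_checked_at": ISSUED - timedelta(days=12)},
    # Validation reused after 12 days, CAA rechecked 2 hours before: acceptable.
    "c.example": {"validated_at": ISSUED - timedelta(days=12),
                  "caa_checked_at": ISSUED - timedelta(hours=2)},
}

if __name__ == "__main__":
    for domain, problems in audit_order(ISSUED, SAMPLE).items():
        print(domain, "->", "; ".join(problems))
```

Only `b.example` is reported: its reused validation is still inside the 30-day window, but the CAA result it relies on is far older than eight hours, which is the gap the text describes.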


News URL

https://www.schneier.com/blog/archives/2020/03/lets_encrypt_vu.html