
Let’s Encrypt will revoke 3m+ TLS/SSL certificates
2020-03-04 12:00

Starting at 20:00 UTC today, the non-profit certificate authority Let's Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software.

"The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."
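The following is an added illustration of the defect described in that quote, not Let's Encrypt's or Boulder's code: a constructed CAA store stands in for DNS, one recheck routine reproduces the "pick one name and check it N times" behaviour, the other checks every name, and the scenario shows why only the latter catches a CAA record added after validation. Which name Boulder picked is not stated on the page; the first name is assumed here.

```python
from dataclasses import dataclass, field

ISSUER = "letsencrypt.org"  # the CA domain a CAA "issue" tag must name to permit issuance


@dataclass
class CAAStore:
    """Constructed stand-in for DNS: per-name history of (effective_day, permitted issuers).
    Only the "issue" tag is modelled; climbing to parent names and "issuewild" are omitted."""
    records: dict = field(default_factory=dict)

    def set_issuers(self, name, day, issuers):
        self.records.setdefault(name, []).append((day, frozenset(issuers)))

    def allows(self, name, day):
        """True if Let's Encrypt may issue for `name` as the CAA data stands on `day`."""
        history = [r for r in self.records.get(name, []) if r[0] <= day]
        if not history:  # no CAA record published: any CA may issue
            return True
        _, issuers = max(history, key=lambda r: r[0])  # latest record on or before `day`
        return ISSUER in issuers


def recheck_buggy(store, names, day):
    """The defect as described: one name is picked and checked N times."""
    picked = names[0]  # assumption: the page does not say which name was picked
    return all(store.allows(picked, day) for _ in names)


def recheck_fixed(store, names, day):
    """Correct behaviour: every name in the request is rechecked at issuance time."""
    return all(store.allows(name, day) for name in names)


def scenario():
    """Validate on day 0, issue on day 10 (inside the 30-day window), CAA changed on day 5."""
    names = ["example.com", "www.example.com", "mail.example.com"]  # constructed SANs
    store = CAAStore()
    assert recheck_fixed(store, names, 0)  # day 0: no CAA records, validation succeeds
    # Day 5: the operator of mail.example.com publishes CAA permitting only another CA.
    store.set_issuers("mail.example.com", 5, {"other-ca.example"})
    return {
        "buggy": recheck_buggy(store, names, 10),  # True: only example.com was checked
        "fixed": recheck_fixed(store, names, 10),  # False: mail.example.com now forbids it
    }


if __name__ == "__main__":
    print(scenario())
```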

Of the 3 million+ certificates affected, about 1 million are duplicates of other affected certificates.

"Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline," he noted.

"Let's Encrypt only offers certificates with 90 day lifetimes, so potentially affected certificates that we may not revoke will leave the ecosystem relatively quickly."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/q6ft1oVc0Y4/