Let's Encrypt Revoking 3 Million TLS Certificates Issued Incorrectly Due to a Bug
2020-03-05 05:36

Let's Encrypt, the most popular free certificate authority, is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software.

The bug, which Let's Encrypt confirmed on February 29 and fixed two hours after discovery, affected the way it checked domain name ownership before issuing new TLS certificates.

This means that Let's Encrypt might have issued certificates that it shouldn't have issued in the first place, so it is revoking all the TLS certificates that were affected by the bug.

Let's Encrypt said 2.6 percent of approximately 116 million active certificates are affected - about 3,048,289 - out of which about one million are duplicates of other affected certificates.

"We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users." Let's Encrypt also hinted that, although the vast majority of the wrongfully issued certificates do not pose a security risk, it initially decided to revoke all 3 million certificates to comply with industry standards.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/RChl-RdG7pU/lets-encrypt-certificate-revocation.html