Security News
Cyber criminals have been trying out a new approach for delivering malware: fake alerts about outdated security certificates, complete with an "Install" button pointing to the malware. The malware peddlers behind this scheme are obviously counting on users not knowing exactly what a security certificate is and that they are not responsible for keeping it updated, as well as exploiting users' desire to keep themselves safe online.
Let's Encrypt said it will give users of its Transport Layer Security certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization bug before it revokes them. The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software-discovered and patched this past Sunday-impacted the way its software checked domain ownership before issuing certificates.
The most popular free certificate signing authority Let's Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.
In the past, there were two main reasons: TLS certificates were complicated and time-consuming to acquire and use; and they cost money that sites such as charities, hobbyists and small businesses resented having to pay, especially given that certificates need renewing regularly. Let's Encrypt certificates are valid for 90 days, and autorenew for most users when there are 30 days or fewer left on their current certificates.
Free and open certificate authority Let's Encrypt is revoking over 3 million currently-valid certificates after discovering a bug in its Certification Authority Authorization code. Thus, a subscriber could issue certificates for validated domain names 30 days after validation, without a second check being performed 8 hours prior to issuance, and the certificate would be issued even if someone installed CAA records for that domain name to prohibit certificate issuance by Let's Encrypt.
Starting with 20:00 UTC, today, the non-profit certificate authority Let's Encrypt will begin it's effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."
On Wednesday, March 4, Let's Encrypt - the free, automated digital certificate authority - will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs. In a post to the service's online forum on Saturday, Jacob Hoffman-Andrews, senior staff technologist at the EFF, said a bug had been found in the code for Boulder, Let's Encrypt's automated certificate management environment.
Last week was a big one for non-profit digital certificate project Let's Encrypt - it issued its billionth certificate. Publicly announced in November 2014, Let's Encrypt offers TLS certificates for free.
Free and open certificate authority Let's Encrypt on Thursday issued its billionth certificate, four and a half years after issuing the first certificate. It provides free digital certificates and also handles the certificate management process for site owners.
Let's Encrypt, a free, automated, and open certificate signing authority from the nonprofit Internet Security Research Group, has said it's issued a billion certificates since its launch in 2015. Since late last year, Let's Encrypt has issued at least 1.2 million certificates each day.