Security News

Recent studies have shown that cybercriminals building phishing sites now use SSL as well, complicating efforts by enterprises to keep their employees safe. The Menlo Security research revealed that while 96.7% of all user-initiated web visits are being served over https, only 57.7% of the URL links in emails turn out to be https, which means that web proxies or firewalls will be oblivious to the threats unless enterprises turn on SSL inspection.

Let's Encrypt planned to revoke more than 3 million TLS certificates on Wednesday after it discovered a bug that allowed an important security check performed during TLS issuance to be bypassed. On March 4, we will revoke 2.6% of currently active Let's Encrypt certificates.

Free and open certificate authority Let's Encrypt has decided that it will not revoke one million of the certificates affected by the recent CAA recheck bug. A total of 3,048,289 certificates were supposed to be revoked, but Let's Encrypt ultimately decided to leave 1 million of them unreplaced at this time.

Cyber criminals have been trying out a new approach for delivering malware: fake alerts about outdated security certificates, complete with an "Install" button pointing to the malware. The malware peddlers behind this scheme are obviously counting on users not knowing exactly what a security certificate is and that they are not responsible for keeping it updated, as well as exploiting users' desire to keep themselves safe online.

Let's Encrypt said it will give users of its Transport Layer Security certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization bug before it revokes them. The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software, discovered and patched this past Sunday, impacted the way its software checked domain ownership before issuing certificates.

The most popular free certificate signing authority Let's Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.

In the past, there were two main reasons: TLS certificates were complicated and time-consuming to acquire and use; and they cost money that sites such as charities, hobbyists and small businesses resented having to pay, especially given that certificates need renewing regularly. Let's Encrypt certificates are valid for 90 days, and autorenew for most users when there are 30 days or fewer left on their current certificates.

Free and open certificate authority Let's Encrypt is revoking over 3 million currently-valid certificates after discovering a bug in its Certification Authority Authorization code. Because of the bug, a subscriber could issue certificates for validated domain names up to 30 days after validation without the second check that should be performed 8 hours prior to issuance, so the certificate would be issued even if someone had since installed CAA records for that domain name to prohibit certificate issuance by Let's Encrypt.

Starting at 20:00 UTC today, the non-profit certificate authority Let's Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."
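To make the quoted description concrete, the following is an added simulation of the recheck logic; it is not Boulder's code, and the domain names, timestamps and CAA records are constructed. It shows how "check one name N times" lets a request pass when only the unpicked name has gained a restrictive CAA record, and how checking every name closes the gap.

```python
from datetime import datetime, timedelta

ISSUER = "letsencrypt.org"
AUTHZ_LIFETIME = timedelta(days=30)   # a validated name may be reused for 30 days
RECHECK_AGE = timedelta(hours=8)      # CAA is rechecked if the check is older than 8 hours


def caa_allows(caa_records, name, issuer):
    """True if the CAA records for `name` permit `issuer` to issue.
    No CAA record means any CA may issue (parent-domain lookup is omitted here)."""
    allowed = caa_records.get(name)
    return True if allowed is None else issuer in allowed


def buggy_recheck(names, caa_records, issuer=ISSUER):
    """The Boulder bug: pick one name and check it len(names) times."""
    picked = names[0]
    return all(caa_allows(caa_records, picked, issuer) for _ in names)


def fixed_recheck(names, caa_records, issuer=ISSUER):
    """Corrected behaviour: every name in the request is rechecked."""
    return all(caa_allows(caa_records, n, issuer) for n in names)


def may_issue(names, validated_at, now, caa_records, recheck):
    """Issuance decision: authorizations expire after 30 days; names whose CAA
    check is older than 8 hours must be rechecked before issuance."""
    for n in names:
        if n not in validated_at or now - validated_at[n] > AUTHZ_LIFETIME:
            return False
    stale = [n for n in names if now - validated_at[n] > RECHECK_AGE]
    return recheck(stale, caa_records) if stale else True


def scenario(names):
    """Constructed timeline: every name validated at time X with no CAA records;
    20 days later b.example publishes CAA records naming only another CA.
    Returns (buggy decision, fixed decision)."""
    x = datetime(2020, 2, 1, 12, 0)
    validated_at = {n: x for n in names}
    caa_now = {"b.example": {"otherca.example"}}   # letsencrypt.org not listed
    now = x + timedelta(days=20)
    return (may_issue(names, validated_at, now, caa_now, buggy_recheck),
            may_issue(names, validated_at, now, caa_now, fixed_recheck))


if __name__ == "__main__":
    print(scenario(["a.example", "b.example"]))   # (True, False)
    print(scenario(["b.example", "a.example"]))   # (False, False)
```

Which name Boulder picked decided the outcome, which is why the request order matters in the simulation and why every affected certificate had to be treated as potentially mis-issued.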

On Wednesday, March 4, Let's Encrypt - the free, automated digital certificate authority - will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs. In a post to the service's online forum on Saturday, Jacob Hoffman-Andrews, senior staff technologist at the EFF, said a bug had been found in the code for Boulder, Let's Encrypt's automated certificate management environment.