Security News

Let's Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let's take time out
2020-03-05 20:58

Let's Encrypt has halted its plans to cancel all three million flawed web security certificates - after fearing the super-revocation may effectively break a chunk of the internet for netizens. Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug.

Let’s Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
2020-03-05 11:29

Let's Encrypt said it will give users of its Transport Layer Security certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization bug before it revokes them. The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software-discovered and patched this past Sunday-impacted the way its software checked domain ownership before issuing certificates.

Let's Encrypt Revoking 3 Million TLS Certificates Issued Incorrectly Due to a Bug
2020-03-05 05:36

The most popular free certificate signing authority Let's Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.

Why 3 million Let’s Encrypt certificates are being killed off today
2020-03-04 15:33

In the past, there were two main reasons: TLS certificates were complicated and time-consuming to acquire and use; and they cost money that sites such as charities, hobbyists and small businesses resented having to pay, especially given that certificates need renewing regularly. Let's Encrypt certificates are valid for 90 days, and autorenew for most users when there are 30 days or fewer left on their current certificates.

Bug Forces Let's Encrypt to Revoke 3 Million Certificates
2020-03-04 13:15

Free and open certificate authority Let's Encrypt is revoking over 3 million currently-valid certificates after discovering a bug in its Certification Authority Authorization code. Thus, a subscriber could issue certificates for validated domain names 30 days after validation, without a second check being performed 8 hours prior to issuance, and the certificate would be issued even if someone installed CAA records for that domain name to prohibit certificate issuance by Let's Encrypt.

Let's Encrypt Vulnerability
2020-03-04 12:46

"In a notification email to its clients, the organisation said:"We recently discovered a bug in the Let's Encrypt certificate authority code. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

Let’s Encrypt will revoke 3m+ TLS/SSL certificates
2020-03-04 12:00

Starting with 20:00 UTC, today, the non-profit certificate authority Let's Encrypt will begin it's effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."

Let’s Encrypt to Revoke Millions of TLS Certs
2020-03-03 20:13

UPDATE. Popular free certificate authority Let's Encrypt said it will revoke 3 million Transport Layer Security certificates Wednesday, because of a Certificate Authority Authorization bug. Let's Encrypt explained on Tuesday it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates.

Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes
2020-03-03 19:44

On Wednesday, March 4, Let's Encrypt - the free, automated digital certificate authority - will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs. In a post to the service's online forum on Saturday, Jacob Hoffman-Andrews, senior staff technologist at the EFF, said a bug had been found in the code for Boulder, Let's Encrypt's automated certificate management environment.

Let’s Encrypt issues one billionth free certificate
2020-03-02 13:06

Last week was a big one for non-profit digital certificate project Let's Encrypt - it issued its billionth certificate. Publicly announced in November 2014, Let's Encrypt offers TLS certificates for free.