The most popular free certificate signing authority “Let's Encrypt” is going to revoke more than 3 million website security certificates that may have been issued wrongfully due to a bug in its Certificate Authority software.
As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder's control of a domain name.
The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name.
This means that Let's Encrypt might have issued certificates that it shouldn't have in the first place, as a result of which it's revoking all the TLS certificates that were affected by the bug.
The development comes as Let's Encrypt project announced last week that it had issued its one-billionth free TLS certificate since its launch in 2015.
Let's Encrypt said 2.6 percent of approximately 116 million active certificates are affected — about 3,048,289 — out of which about one million are duplicates of other affected certificates.
Affected website owners have until 8PM UTC (3PM EST) March 4 to manually renew and replace their certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.
But with Let's Encrypt revoking all impacted certificates, website admins will have to perform a forced renewal to prevent any interruptions.
Besides using the tool https://checkhost.unboundtest.com/ to check if a certificate needs replacement, Let's Encrypt has put together a downloadable list of affected serial numbers, allowing subscribers to check if their websites rely on an affected certificate.
Update: Let's Encrypt Postpones Certificate Revocation
In the latest post, Let's Encrypt team confirmed that over 1.7 million affected certificates have already been replaced before the initial deadline, and also been revoked by their system.
However, the company has now decided to postpone the certificate revocation process for over 1 million certificates, which it believes more likely will not be replaced before the compliance deadline.
That's because Let's Encrypt is not willing to break so many websites and cause inconvenience for their visitors.
It also hinted, though the vast majority of the wrongfully issued certificates do not pose a security risk, they still initially decided to revoke all 3 million certificates to comply with the industry standards.
March 04, 2020 Ravie Lakshmanan
https://thehackernews.com/2020/03/lets-encrypt-certificate-revocation.html
