Let’s Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.
The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software—discovered and patched this past Sunday–impacted the way its software checked domain ownership before issuing certificates. However, users grumbled that this was not enough time to correct the problem.
Users and major integrators of Let’s Encrypt managed to replace more than 1.7 million of the affected certificates by the original deadline; however, more than 1 million were left that would have been revoked, causing the company to rethink its plan, a Let’s Encrypt spokeswoman told Threatpost late Wednesday.
“Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline,” Josh Aas, executive director for Let’s Encrypt said in a blog post updating users of the situation Wednesday.
The company’s plan now is to revoke 1,706,505 certificates that the company is confident were already replaced as well as “445 certificates that we treated as highest priority for revocation because, at the time we found the bug, they had CAA records that forbid issuance by Let’s Encrypt,” Aas wrote in the post.
“We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users,” he wrote.
The deadline to revoke certificates left users of Let’s Encrypt certificates scrambling Wednesday to assess if site certificates needed updating and, if so, how to complete the task before they were revoked.
“In 1 minute, parts of the internet will stop working…around 2.6% of Lets Encrypt certs to be revoked in the next 7 hours,” Sean Hamlin, technical account manager and CDN integration specialist at open-source company Amazee.io, Tweeted Wednesday.
Later, when Let’s Encrypt changed its plan, he weighed in again on Twitter. “Looks like Lets Encrypt decided not to break the internet,” Hamlin wrote.
Indeed, if the certificates of millions of websites had been revoked, those websites and machine identities that rely on those certificates to protect sensitive data flow could be identified as insecure, or rendered unavailable.
However, the affect may not have been as dire as many Let’s Encrypt users feared, one security expert said Wednesday. While the number of certificates impacted is 3 million, the actual number of websites or machine identities affected would likely have been less, because of the way certificates are reissued and the fact that others are likely not currently in use, said Pratik Savla, senior security engineer at Venafi.
However, Savla concurred that safeguarding against the bug was a good idea, since it could open the door for a malicious attacker to take control of a TLS certificate on a website, allowing the hacker to eavesdrop on web traffic and gather sensitive data.
Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.
