Revoking Over 3 Million Digital Certificates Due To Bug

    The popular free Certificate Authority (CA), Let’s Encrypt, will be revoking millions of certificates that enable Transport Layer Security (TLS), the resulting protection of data between machines, and the positive identification of services for their customers. A digital certificate binds a public cryptographic key to a name; for web traffic using the HTTPS protocol, that name is a domain name. This binding happens when a CA, also known as an issuer, certifies that the entity claiming ownership of the domain actually has control over the domain in question.

    The CA announced this revocation just 24 hours in advance and sent notifications to the affected users informing them that the digital certificates would be revoked on Wednesday 03/04/20. Let’s Encrypt explained in its announcement that the revocation was due to an error in its domain validation checking software.

    Let’s Encrypt is a free certificate issuance organization that has become wildly popular and widely accepted for issuing certificates. It can operate at this scale because it automates and simplifies the issuance and renewal process for certificates. The automation code Let’s Encrypt uses to validate a domain is essential to the integrity of the certificates it issues. Unfortunately, a bug was discovered in this code, casting doubt on the legitimacy of millions of TLS certificates. Let’s Encrypt claims to secure 190 million websites. This bug affects 3 million certificates which, according to Let’s Encrypt, equates to around 12 million server names.

    The bug was found in the Certificate Authority Authorization (CAA) code, which checks for CAA records at the same time it validates a subscriber’s control of a domain name. A problem in the CAA domain validation code meant that when a subscriber submitted N domains for validation, the CAA software, instead of validating each domain, would pick one domain and validate it N times. The bug could potentially have been exploited, and it appears to have been triggered numerous times: when Let’s Encrypt began analyzing the highest priority certificates, it immediately revoked 445 certificates whose CAA records forbade issuance.
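As an added illustration (not Boulder’s or Let’s Encrypt’s code), the class of bug described above reproduced in Python: a loop that defers the per-name CAA recheck and late-binds the loop variable ends up rechecking the last name N times, shown beside the fixed form. The CAA data is constructed, and the CAA evaluation is simplified (no climbing to parent labels, no issuewild or CNAME handling).

```python
# Constructed CAA data (not real DNS): domain -> CAs named in "issue" tags.
# An empty list means no CAA records are published, so any CA may issue.
CAA_RECORDS = {
    "www.example.com": ["letsencrypt.org"],
    "shop.example.net": ["otherca.example"],   # forbids Let's Encrypt
    "api.example.org": [],
}

LE_ISSUER = "letsencrypt.org"


def caa_allows(domain, issuer=LE_ISSUER):
    """True if the (simplified) CAA policy for `domain` permits `issuer`."""
    records = CAA_RECORDS.get(domain, [])
    return not records or issuer in records


def recheck_buggy(domains, issuer=LE_ISSUER):
    """Buggy recheck: one deferred check is queued per name, but every
    lambda late-binds `d`, so all N checks examine the final name.
    Returns a list of (domain_actually_checked, allowed) pairs."""
    checks = [lambda: (d, caa_allows(d, issuer)) for d in domains]
    return [check() for check in checks]


def recheck_fixed(domains, issuer=LE_ISSUER):
    """Fixed recheck: bind each name when its check is created (default
    argument), so each of the N names is rechecked exactly once."""
    checks = [lambda d=d: (d, caa_allows(d, issuer)) for d in domains]
    return [check() for check in checks]


def may_issue(results):
    """Issuance may proceed only if every rechecked name permits it."""
    return all(allowed for _, allowed in results)


if __name__ == "__main__":
    order = ["shop.example.net", "www.example.com", "api.example.org"]
    print("buggy :", recheck_buggy(order), "->", may_issue(recheck_buggy(order)))
    print("fixed :", recheck_fixed(order), "->", may_issue(recheck_fixed(order)))
```

With the buggy loop the order is approved even though shop.example.net forbids this CA, because only api.example.org was ever examined; the fixed loop rejects it.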

    The issue for those using a revoked certificate, particularly businesses, is that users will see security warnings stating that the site is not valid, which could lead to lost sales and a damaged reputation. You can check whether your sites are affected by downloading the list of affected domains that Let’s Encrypt provides on its website.

Sources:

• https://threatpost.com/lets-encrypt-revoke-millions-tls-certs/153413/

• https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/3

• https://nakedsecurity.sophos.com/2020/03/04/why-3-million-lets-encrypt-certificates-are-being-killed-off-today/