Skip to main content

Posts

Showing posts from March 5, 2020

Let's Encrypt Revoking 3 Million TLS Certificates Issued Incorrectly Due to a Bug

The most popular free certificate signing authority  Let's Encrypt  is going to revoke more than 3 million TLS certificates within the next 24/48 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt  confirmed  on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates. As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder's control of a domain name. The  Certification Authority Authorization  (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name. Let's Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record a...