Let’s Encrypt Revoking 3 Million Security Certificates via @martinibuster - Website Pro USA


Let’s Encrypt announced a bug affecting over 3 million websites that use its security certificates. Let’s Encrypt is revoking over 3 million affected certificates on March 4, 2020.

Sites with revoked certificates may begin showing insecure icons in browsers, which may result in less traffic and fewer sales. Affected site publishers will have to reapply for a new certificate in order to regain secure status.


Let’s Encrypt Announcement of Bug

Let’s Encrypt warned customers that it will revoke security certificates on March 4, 2020:

“Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates.”

Certificates will begin being revoked at 3 PM EST.

Who is Affected by SSL Certificate Bug?

This bug affects 2.6% of publishers who rely on Let’s Encrypt for their security certificate. That equals over three million websites.

Emails have been sent to affected publishers.

If you have not received an email, it’s still possible that you have been affected, because the notice may not have been delivered for all the usual reasons (check your spam folder).


There is a way to check. The following web page has a diagnostic tool to identify if yours is one of the affected sites:

https://checkhost.unboundtest.com

Alternatively, you can download a list of all affected URLs here.

If your site is affected, this is the warning the tool will give to you:

[Image: Let’s Encrypt bug warning]

This is the warning message you’ll receive if your Let’s Encrypt security certificate is affected and needs renewing.

According to the Let’s Encrypt announcement:


“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.

What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance.”
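The effect of the flaw quoted above can be modelled in a few lines of Go. This is an added example, not Boulder's code and not part of the announcement; the domain names, the CAA values, the functions `caaAllows` and `recheck`, and the choice of the first name as the one that gets checked are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample CAA "issue" values. b.example gained a record naming
// another CA after it was validated; c.example has no CAA records.
var caaRecords = map[string][]string{
	"a.example": {"letsencrypt.org"},
	"b.example": {"otherca.example"},
}

// caaAllows reports whether the CAA set for domain permits issuance by ca.
// Simplification: no climbing to parent domains, no issuewild handling.
func caaAllows(domain, ca string) bool {
	issuers := caaRecords[domain]
	for _, v := range issuers {
		if strings.EqualFold(strings.TrimSpace(v), ca) {
			return true
		}
	}
	return len(issuers) == 0 // an empty CAA set permits any CA
}

// recheck returns the names whose CAA records refuse ca. With flawed=true it
// models the described bug: one name is picked and checked len(names) times.
func recheck(names []string, ca string, flawed bool) []string {
	var refused []string
	for i := range names {
		target := names[i]
		if flawed {
			target = names[0] // assumption: the first name is the one picked
		}
		if !caaAllows(target, ca) {
			refused = append(refused, target)
		}
	}
	return refused
}

func main() {
	names := []string{"a.example", "b.example", "c.example"}
	fmt.Println("flawed recheck refuses:", recheck(names, "letsencrypt.org", true))
	fmt.Println("per-name recheck refuses:", recheck(names, "letsencrypt.org", false))
}
```

The flawed pass performs three checks and refuses nothing, because every check lands on a.example; the per-name pass refuses b.example, whose CAA record now names a different CA.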
