Let’s Encrypt CA is revoking over 3 Million TLS certificates due to a bug

by Cyber360 News
March 4, 2020
in Security


Let’s Encrypt certificate authority (CA) is going to revoke over 3 million certificates today due to a vulnerability in software used to verify users and their domains before issuing a certificate.

A bug in Let’s Encrypt’s certificate authority (CA) software, dubbed Boulder, caused it to skip the correct validation for some certificates.

The bug affected the way the CAA (Certificate Authority Authorization) specification is implemented by Boulder.

The CAA security feature allows domain owners to prevent Certificate Authorities (CAs) from issuing certificates for their domains.

Domain owners can add a CAA record to their domain’s DNS records; only the CAs listed in that record may then issue a TLS certificate for the domain.

Every CA must check CAA records within the 8 hours before a certificate is issued for a domain, but the bug caused one domain on a multi-domain certificate to be checked numerous times instead of every domain on the certificate being checked.

This behavior caused certificates to be issued without a proper CAA check for some of the domains they contained.

“Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.” reads the advisory published by Let’s Encrypt.

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
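The following is an added example written for this article; it is not Boulder’s code and does not reproduce the actual defect line for line. It models the CAA logic the advisory describes: a CAA lookup with RFC 8659 tree climbing, the 30-day reuse of a domain validation, the 8-hour CAA recheck window, and two versions of the recheck step, one that mirrors the bug (pick one name, check it N times) and one that checks every name. The DNS data, domain names and the CA identifier `letsencrypt.org` are constructed for the example; which name the buggy version picks is an assumption (the first one), since the advisory only says that one name was checked repeatedly.

```python
"""Toy model of CAA rechecking before certificate issuance (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CA_ID = "letsencrypt.org"                 # identifier this CA looks for in CAA "issue" tags
VALIDATION_LIFETIME = timedelta(days=30)  # a domain validation may be reused for 30 days
CAA_MAX_AGE = timedelta(hours=8)          # CAA must have been checked within 8h of issuance

# Constructed CAA data: fqdn -> list of (flags, tag, value). Empty list = no CAA RRset.
DNS_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "locked.example.net": [(0, "issue", "other-ca.example")],  # added later, forbids this CA
    "example.org": [],                                          # no CAA anywhere: anyone may issue
}


def lookup_caa(name):
    """RFC 8659 tree climbing: use the CAA RRset of the closest ancestor that has one."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = DNS_CAA.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(name, wildcard=False):
    """True if the relevant CAA RRset allows CA_ID to issue for `name`."""
    rrset = lookup_caa(name)
    if not rrset:
        return True  # no relevant CAA records: issuance is not restricted
    # An unknown tag with the critical flag (bit 7) set must block issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef") for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    return any(t == tag and v.split(";")[0].strip() == CA_ID for _, t, v in rrset)


@dataclass
class Validation:
    """A completed domain-control validation; CAA was checked at validated_at."""
    name: str
    validated_at: datetime


def names_needing_recheck(validations, now):
    return [v.name for v in validations if now - v.validated_at > CAA_MAX_AGE]


def recheck_caa_buggy(validations, now):
    """Models the defect: one name (assumed here: the first) is checked N times."""
    names = names_needing_recheck(validations, now)
    chosen = names[0] if names else None
    return all(caa_permits(chosen) for _ in names)


def recheck_caa_fixed(validations, now):
    """Corrected behaviour: every name that is older than 8h is rechecked."""
    return all(caa_permits(n) for n in names_needing_recheck(validations, now))


def may_issue(validations, now, recheck):
    """Issue only if every validation is within 30 days and the CAA recheck passes."""
    if any(now - v.validated_at > VALIDATION_LIFETIME for v in validations):
        return False
    return recheck(validations, now)


def scenario():
    """Constructed two-name order: the second domain's owner added a blocking CAA
    record after validation. Returns (buggy_result, fixed_result, fresh_result)."""
    now = datetime(2020, 2, 28, 12, 0, tzinfo=timezone.utc)
    stale = [Validation("example.com", now - timedelta(days=2)),
             Validation("locked.example.net", now - timedelta(days=2))]
    fresh = [Validation("locked.example.net", now - timedelta(hours=1))]  # within 8h: no recheck
    return (may_issue(stale, now, recheck_caa_buggy),
            may_issue(stale, now, recheck_caa_fixed),
            may_issue(fresh, now, recheck_caa_fixed))


if __name__ == "__main__":
    print("buggy, fixed, fresh:", scenario())
```

In the constructed scenario the buggy recheck inspects `example.com` twice and never sees the new CAA record on `locked.example.net`, so the order is issued; the fixed recheck refuses it. The `fresh` case passes because a validation less than 8 hours old is not rechecked at all, which is the behaviour the advisory describes, not part of the bug.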

Let’s Encrypt is revoking 3,048,289 certificates, about 2.6% of the ~116 million certificates that are currently active.

The organization confirmed the bug at 2020-02-29 03:08 UTC and halted issuance two minutes later. About two hours later (05:22 UTC) it fixed the problem and re-enabled issuance.

According to Let’s Encrypt, the bug was likely introduced on 2019-07-25.

The CA has notified the impacted users by email; they must renew their certificates before the revocation makes them invalid.

Users can check whether their domains are affected by this bug by querying the tool at https://checkhost.unboundtest.com/.

More information about the bug is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Let’s Encrypt)
