CAA bug forces Let’s Encrypt to revoke millions of certificates

Posted on Wednesday, Mar 04 2020 @ 14:49 CET by Thomas De Maesschalck
Over the past decades, vast swathes of the Internet have moved to encryption. Web traffic was a bit of an issue for a lot of website owners because companies charged quite a bit of money for SSL certificates, but that changed a couple of years ago with the arrival of Let's Encrypt. This non-profit has Google, Facebook, Mozilla, Cisco, and others, as its sponsor and offers businesses and the general public free-to-use certificates.

Unfortunately, a bug in Let's Encrypt CAA (Certification Authority Authorization) code has forced the firm to revoke certificates. All Let's Encrypt certificates that might not have had proper CAA record checking will be revoked today.

Website owners will need to manually force renewal, otherwise browsers will start displaying TLS security warnings. Some website hosts will do this automatically for you.
Let's Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation—but CAA records specifically must be checked no more than eight hours prior to certificate issuance.
In total, just over 3 million certificates are affected by this bug.

Via: ARS Technica


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.



Loading Comments