Beginning today, Let's Encrypt is revoking more than 3 million of its Transport Layer Security (TLS) certificates, following the discovery of a bug that affects the way it rechecks CAA (Certificate Authority Authorization) records.
"Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days," explained Jacob Hoffman-Andrew, Let's Encrypt engineer, in a Feb. 29 post on the on-profit certificate authority's website. However, in cases where cert issuance is delayed for more than eight hours, Let's Encrypt must recheck CAA records, even though the records were originally checked during the domain control validation process. That's where the vulnerability comes into play.
Hoffman-Andrew described the bug, which was introduced on July 25, 2019, as follows: [W]hen a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."
Please register to continue.
Already registered? Log in.
Once you register, you'll receive:
The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.
Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.
SC Media’s essential morning briefing for cybersecurity professionals.
One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.