Bug in digital certificates could stop websites working

News by Rene Millman

Let’s Encrypt project revoked over three million digital certificates after discovering a flaw in its certificate authority code

The Let’s Encrypt project has been forced to revoke over three million digital certificates after discovering a flaw in its certificate authority code.

Let's Encrypt, which is run by the Internet Security Research Group (ISRG) with support from various technology companies, said the certificates had to be revoked after it discovered a bug in Boulder, the certificate authority software it uses to validate that a subscriber controls a domain, and to check that domain's CAA records, before issuing a certificate.

The problem arose during CAA rechecking: when a certificate request contained N domain names whose CAA records needed to be rechecked, Boulder would pick one of those names and check it N times, rather than checking each of the N names once.

“What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt,” said a statement on the issue.
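The behaviour described above, as an added illustration that is not Boulder's code and not anything published by Let’s Encrypt: when the per-name CAA recheck is queued as a closure over a variable that is shared across loop iterations, every queued check reads the last name, so one name is checked N times and a name whose CAA records were changed after the original validation is never looked at. The CAA data, the domain names and the helper functions are all constructed for this example; `recheckFixed` shows the obvious repair of binding each name to its own check.

```go
package main

import "fmt"

// Constructed CAA data for the example: which CA each name currently permits.
// example.net has been re-pointed to another CA since it was last validated,
// so a correct recheck must refuse issuance for a request that includes it.
var caaRecords = map[string][]string{
	"example.com": {"letsencrypt.org"},
	"example.net": {"other-ca.example"},
	"example.org": {"letsencrypt.org"},
}

const ourCA = "letsencrypt.org"

// caaPermits reports whether a name's (constructed) CAA records allow ourCA to issue.
func caaPermits(name string) bool {
	for _, issuer := range caaRecords[name] {
		if issuer == ourCA {
			return true
		}
	}
	return false
}

// recheckBuggy reproduces the failure mode described in the article: each
// per-name check is queued as a closure that reads `name`, a single variable
// shared by all loop iterations. By the time the queued checks run, the loop
// has finished and every closure sees the last name. Returns the names that
// were actually checked and whether issuance was allowed.
func recheckBuggy(names []string) ([]string, bool) {
	var name string
	var checks []func() (string, bool)
	for i := range names {
		name = names[i]
		checks = append(checks, func() (string, bool) { return name, caaPermits(name) })
	}
	return runChecks(checks)
}

// recheckFixed gives each queued check its own copy of the name, so N names
// produce N distinct checks.
func recheckFixed(names []string) ([]string, bool) {
	var checks []func() (string, bool)
	for _, n := range names {
		name := n // per-iteration copy bound to this closure only
		checks = append(checks, func() (string, bool) { return name, caaPermits(name) })
	}
	return runChecks(checks)
}

// runChecks runs the queued checks (stand-in for the real asynchronous rechecks)
// and allows issuance only if every check passed.
func runChecks(checks []func() (string, bool)) ([]string, bool) {
	checked := make([]string, 0, len(checks))
	allowed := true
	for _, c := range checks {
		n, ok := c()
		checked = append(checked, n)
		allowed = allowed && ok
	}
	return checked, allowed
}

func main() {
	names := []string{"example.com", "example.net", "example.org"}
	checked, ok := recheckBuggy(names)
	fmt.Println("buggy recheck looked at:", checked, "issuance allowed:", ok)
	checked, ok = recheckFixed(names)
	fmt.Println("fixed recheck looked at:", checked, "issuance allowed:", ok)
}
```

With the buggy loop the request is approved because example.org, the last name, is the only one ever consulted; the fixed loop consults example.net and refuses. The example shares the shape of the statement above, not its specifics: it models only the name-selection fault, and the 30-day figure comes from how long a validated authorization may be reused before a fresh validation is required, which is the window during which a stale CAA result could be relied on.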

The organisation confirmed the bug on 29 February and stopped issuing certificates at about 03:00 UTC. It deployed a fix at 05:22 UTC and then re-enabled issuance.

In an FAQ, Let’s Encrypt said that around 2.6 per cent of certificates were affected, or 3,048,289 currently-valid certificates.

“Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates,” it said in a statement.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC), told SC Media UK that certificate revocation, while rare, does occur and website owners should be prepared for this situation.

“Assuming that any certificate will remain valid until its complete expiration date is unrealistic. While it is inconvenient to perform an emergency update, processes should be in place within an organisation to handle such scenarios,” he said.

Israel Barak, chief information security officer at Cybereason, told SC Media UK that there is an immediate established risk for Let's Encrypt's customers of having their identity, or the identity of their systems, compromised if an attacker produces bogus certificates or masquerades as a certificate provider.

“My primary concern is why isn't my anchor of trust, the CA provider, in this case, Let's Encrypt, being transparent about what has happened? If they are being transparent, and we haven't seen their recommendations, I strongly urge all the customers to follow their protocol. Why aren't we seeing transparent information about the nature of the incident? Given the urgency, it can be either a security breach or a security vulnerability. At this stage, I would want to see more specifics so the companies can properly manage risk. Overall, no vendor in the industry is beyond having security vulnerability or incidents, but we are all measured on how we communicate and help our customers and partners manage risk,” he said.

Jake Moore, cybersecurity specialist at ESET, told SC Media UK that affected businesses will need to quickly apply for a new certificate, which could result in a temporary notice on their website saying that it is “not secure”.
