Starting at 20:00 UTC (3:00pm US EST) today (March 4), the non-profit certificate authority Let’s Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software.
Preliminary investigation suggests the bug was introduced on July 25, 2019, but a more detailed investigation is under way – though, for now, it seems that “it’s not likely that there was any significant mis-issuance as a result of this incident.”
Nevertheless, affected certificate owners have been urged to renew and replace their certificate(s) so that their sites don’t end up showing this type of alert to visitors:
About the CAA rechecking bug
As explained by Let’s Encrypt engineer (and Senior Staff Technologist at EFF) Jacob Hoffman-Andrews, the software in question – named Boulder – checks for CAA records at the same time it validates a subscriber’s control of a domain name.
“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (…), so any domain name that was validated more than 8 hours ago requires rechecking,” he noted.
“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
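The defect described in the quote, reduced to a small Go illustration that is added here and is not Boulder's code: a buggy recheck loop that tests one name N times sits beside the corrected loop that tests each name once. The CAA "lookup" is a constructed map standing in for DNS, and the names, timestamps and CA identifier are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// caaIssue is a constructed stand-in for DNS: the CAA "issue" value per name.
// A name with no entry has no CAA record, which permits any CA to issue.
var caaIssue = map[string]string{
	"bravo.example": "other-ca.example", // names a different CA, so issuance is forbidden
}

const ourCA = "letsencrypt.org"

// caaAllows reports whether the (constructed) CAA data permits this CA to issue for name.
func caaAllows(name string) bool {
	ca, ok := caaIssue[name]
	return !ok || ca == ourCA
}

// A validation is reusable for 30 days, but CAA must be rechecked if it is older than 8 hours.
const recheckAfter = 8 * time.Hour

// namesNeedingRecheck returns, in request order, the names whose validation is older than 8 hours.
func namesNeedingRecheck(names []string, validatedAt map[string]time.Time, now time.Time) []string {
	var out []string
	for _, name := range names {
		if now.Sub(validatedAt[name]) > recheckAfter {
			out = append(out, name)
		}
	}
	return out
}

// recheckBuggy reproduces the described defect: it picks one name and checks
// it len(names) times, so every other name in the request is never rechecked.
func recheckBuggy(names []string) error {
	for range names {
		if !caaAllows(names[0]) {
			return fmt.Errorf("CAA forbids issuance for %s", names[0])
		}
	}
	return nil
}

// recheckFixed checks every name that needs rechecking before issuance.
func recheckFixed(names []string) error {
	for _, name := range names {
		if !caaAllows(name) {
			return fmt.Errorf("CAA forbids issuance for %s", name)
		}
	}
	return nil
}
```

With alpha and bravo validated ten hours ago, the buggy loop checks alpha twice and lets the certificate through although bravo's CAA record forbids it; the fixed loop refuses.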
Of the 3 million+ certificates affected, about 1 million are duplicates of other affected certificates (i.e., they cover the same set of domain names).
Are you affected?
Let’s Encrypt, which is run by the Internet Security Research Group (ISRG), has been emailing affected subscribers for whom it has contact information, but many might still not be aware of the situation. If they don’t manage to get a new, valid certificate in place before the revocation, visitors might end up losing trust in the safety of their websites.
The CA has provided a tool for checking whether one is using an affected certificate and additional instructions.
Security researcher Scott Helme has made available a list of affected domains.
from Help Net Security https://ift.tt/2IkKX0k