The Let's Encrypt project has announced that it will revoke more than three million TLS certificates after a bug was discovered in its Certification Authority Authorization (CAA) code.

The bug impacts Boulder, the server software Let's Encrypt uses to validate subscribers and their domains before a TLS certificate is issued. Let's Encrypt decided to revoke the certificates because the bug affected Boulder's implementation of the CAA specification.

CAA is a security standard, specified in RFC 6844 in 2013 (now RFC 8659) and mandatory for CAs since 2017. It allows domain owners to restrict which of the organizations that issue TLS certificates, called Certificate Authorities (CAs), may issue for their domains: the owner publishes CAA records in DNS, and only the CAs listed in those records may issue a TLS certificate for that domain. A CA that finds no record authorizing it must refuse to issue.

Certificate Authorities, such as Let's Encrypt, are required to follow the CAA specification exactly or risk penalties from the browser makers whose root programs decide which CAs are trusted.
After becoming aware of the issue, Let's Encrypt engineer Jacob Hoffman-Andrews disclosed that the bug was in Boulder's CAA rechecking: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times, leaving the other N-1 names unchecked. Rechecking exists because Let's Encrypt reuses a successful domain validation for a period of time, while the CA/Browser Forum Baseline Requirements oblige a CA to check CAA within 8 hours before each issuance.

What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed issuance by Let's Encrypt, a certificate containing that name could still be issued later even if the owner had since published CAA records forbidding Let's Encrypt, because the recheck that should have caught the change never looked at that name. Let's Encrypt fixed the bug over the weekend, and Boulder now verifies the CAA records of every name properly before issuing any new certificates.
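The following Go program is an added example, not Boulder's code or anything published by Let's Encrypt. It shows one way a recheck loop can produce exactly the symptom described above (N names requested, one name checked N times): check closures that all capture a single loop variable and run after the loop has finished. Beside it is the corrected loop that binds each name to its own check, a simplified CAA evaluator, and the invariant a CA should assert after rechecking (every requested name was actually examined). The domain names and CAA records are constructed sample data, and the loop-capture mechanism is an illustration of the symptom, not a claim about the root cause in Boulder.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is a minimal CAA resource record (RFC 8659): a flags byte,
// a property tag such as "issue" or "issuewild", and a value naming a CA.
type CAARecord struct {
	Flags uint8
	Tag   string
	Value string
}

// caaAllows decides whether the CA identified by caDomain may issue a
// non-wildcard certificate for a domain whose CAA RRset is records.
// Simplified RFC 8659 logic: no "issue" records means any CA may issue;
// otherwise some "issue" record must name this CA. A value of ";" names no
// CA and therefore forbids everyone. An unrecognised tag with the critical
// flag (0x80) set forbids issuance. Climbing to parent domains and
// "issuewild" handling are omitted for brevity.
func caaAllows(records []CAARecord, caDomain string) bool {
	sawIssue := false
	for _, r := range records {
		if r.Flags&0x80 != 0 && r.Tag != "issue" && r.Tag != "issuewild" && r.Tag != "iodef" {
			return false
		}
		if r.Tag != "issue" {
			continue
		}
		sawIssue = true
		// Value is "<ca-domain>[; param=value ...]"; only the domain part is compared.
		domain := strings.TrimSpace(strings.SplitN(r.Value, ";", 2)[0])
		if domain != "" && strings.EqualFold(domain, caDomain) {
			return true
		}
	}
	return !sawIssue
}

// RecheckResult records which names a CAA recheck actually examined and
// whether issuance was allowed for all of them.
type RecheckResult struct {
	Checked []string
	Allowed bool
}

// runAll executes the queued checks; issuance is allowed only if all pass.
func runAll(checks []func() bool) bool {
	allowed := true
	for _, c := range checks {
		if !c() {
			allowed = false
		}
	}
	return allowed
}

// recheckCAABuggy reproduces the failure mode in the text: N names need
// rechecking, but one name is checked N times. Every closure captures the
// single variable "name" declared outside the loop and runs only after the
// loop has finished, so all of them see the last name.
func recheckCAABuggy(names []string, lookup func(string) []CAARecord, ca string) RecheckResult {
	var res RecheckResult
	var checks []func() bool
	var name string
	for _, name = range names {
		checks = append(checks, func() bool {
			res.Checked = append(res.Checked, name)
			return caaAllows(lookup(name), ca)
		})
	}
	res.Allowed = runAll(checks)
	return res
}

// recheckCAAFixed binds each name to its own check by passing it as a
// parameter, so every requested name is rechecked exactly once.
func recheckCAAFixed(names []string, lookup func(string) []CAARecord, ca string) RecheckResult {
	var res RecheckResult
	var checks []func() bool
	mkCheck := func(n string) func() bool {
		return func() bool {
			res.Checked = append(res.Checked, n)
			return caaAllows(lookup(n), ca)
		}
	}
	for _, name := range names {
		checks = append(checks, mkCheck(name))
	}
	res.Allowed = runAll(checks)
	return res
}

// missedNames is the invariant a CA should assert after rechecking: every
// requested name must appear among the names actually checked.
func missedNames(requested, checked []string) []string {
	seen := make(map[string]bool, len(checked))
	for _, c := range checked {
		seen[c] = true
	}
	var missed []string
	for _, r := range requested {
		if !seen[r] {
			missed = append(missed, r)
		}
	}
	return missed
}

// sampleCAA is constructed zone data for this example, not real DNS answers.
var sampleCAA = map[string][]CAARecord{
	"forbidden.example": {{Tag: "issue", Value: "other-ca.example"}},
	"allowed.example":   {{Tag: "issue", Value: "letsencrypt.org; validationmethods=dns-01"}},
	"nocaa.example":     nil,
}

func lookupSample(name string) []CAARecord { return sampleCAA[name] }

func main() {
	names := []string{"forbidden.example", "allowed.example", "nocaa.example"}
	for _, v := range []struct {
		label string
		fn    func([]string, func(string) []CAARecord, string) RecheckResult
	}{{"buggy", recheckCAABuggy}, {"fixed", recheckCAAFixed}} {
		r := v.fn(names, lookupSample, "letsencrypt.org")
		fmt.Printf("%s: checked=%v allowed=%v missed=%v\n", v.label, r.Checked, r.Allowed, missedNames(names, r.Checked))
	}
}
```

With the sample data, the buggy loop checks nocaa.example three times and reports that issuance is allowed, even though forbidden.example has a CAA record excluding this CA; the fixed loop checks all three names once and refuses. The missedNames check is cheap to run in production and turns this class of bug into a hard failure instead of a silent mis-issuance.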
Thankfully, it is very unlikely that someone exploited the bug, according to the project. As of today, the Let's Encrypt project has revoked all of the certificates that were issued without proper CAA checks.

Clients that check revocation status (via OCSP or CRLs) will now reject the impacted certificates until domain owners request a new TLS certificate to replace the old one. Note that many browsers do not hard-fail on revocation, so an affected site may keep loading in some clients even though its certificate has been revoked; affected subscribers should renew rather than wait for an error to appear.

Via ZDNet