7
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
The Let's Encrypt project has announced that it will revoke more than three million TLS certificates after a bug was discovered in its Certification Authority Authorization (CAA) code.The bug impacts the server software used by Let's Encrypt, called Boulder, which allows the project to verify users and their domains before a TLS certificate can be issued.
Let's Encrypt has decided to revoke the TLS certificates because the implementation of the CAA specification inside Boulder was affected by the bug.CAA is a security standard that was approved back in 2017.
It allows domain owners to prevent the organizations that issue TLS certificates, called Certificate Authorities (CAs), from issuing certificates for their domains.By adding a CAA field to a domain's DNS records, a domain owner can make it so that only the CA listed in the CAA field has the ability to issue a TLS certificate for their domain.
Certificate Authorities, such as Let's Encrypt, are required to follow the CAA specification exactly or they could risk facing penalties from browser makers.After becoming aware of the issue, Let's Encrypt engineer Jacob Hoffman-Andrews disclosed the fact that a bug in Boulder had led the server software to ignore CAA checks in a forum post, saying:The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.
What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Lets Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Lets Encrypt.The Let's Encrypt project worked quickly to patch the bug over the weekend and Boulder is now able to verify CAA fields properly before issuing any new certificates.
Thankfully, it is very unlikely that someone exploited the bug, according to the project.As of today, the Let's Encrypt project has revoked all of the certificates that were issued without proper CAA checks.
Now all of the impacted certificates will trigger security errors in browsers until domain owners make a request for a new TLS certificate to replace the old one.Via ZDNet
