📰 Let's Encrypt Discovers CAA Bug, Must Revoke Customer Certificates


News section: 📰 IT Security News
🔗 Source: it.slashdot.org

rufey writes: The free SSL certificate provider Let's Encrypt is going to revoke 2.6% of the SSL certs issued by them that are currently active, due to a bug in Boulder, the Certificate Authority Authorization (CAA) software Let's Encrypt uses. Ars Technica reports: "Let's Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain. The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation -- but CAA records specifically must be checked no more than eight hours prior to certificate issuance. The upshot is that a 30-day window is presented in which certificates might be issued to a particular Web server by Let's Encrypt despite the presence of CAA records in DNS that would prohibit that issuance. Since Let's Encrypt finds itself in the unenviable position of possibly having issued certificates that it should not have, it is revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4. Users whose certificates are scheduled to be revoked will need to manually force-renewal before then. If an admin does not perform this manual renewal step, browsers reaching their websites will show TLS security warnings due to the revoked certificates.
Let's Encrypt certificates are issued for 90-day intervals, and Certbot automatically renews them only when 30 days or less are left on the cert -- so this could mean roughly two months of browser errors if the manual forced renewal isn't performed." The CAB Forum, which oversees the public CAA space, has a ticket for this specific issue. According to a community post on Let's Encrypt's website, 3,048,289 of the ~116 million overall active Let's Encrypt certificates are affected.

Read more of this story at Slashdot.
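The per-name CAA check the summary describes, as an added example that is not part of the Slashdot post and is not Boulder's code: it evaluates CAA for every name on a multi-name certificate and contrasts that with checking one name n times. The zone data, the name list and the choice of which name gets repeated are constructed assumptions; `letsencrypt.org` is the issuer identifier Let's Encrypt uses in CAA records.

```python
# Added illustration; zone contents and the name list are constructed.
CAA_ZONE = {  # owner name -> CAA records as (tag, value)
    "example.org": [("issue", "letsencrypt.org")],
    "shop.example.net": [("issue", "ca.example")],  # a different CA only
    "example.com": [("issue", ";")],                # forbids all issuance
}

def relevant_rrset(name, zone):
    """RFC 8659 tree climbing: the closest name at or above `name` with CAA."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def caa_permits(name, ca_domain, zone):
    """True if CAA allows `ca_domain` to issue for this one name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    issue = [v for t, v in rrset if t == "issue"]
    issuewild = [v for t, v in rrset if t == "issuewild"]
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # no applicable property: issuance is unrestricted
    # Simplification: parameters after ';' are ignored, critical flags not modelled.
    return any(v.split(";")[0].strip().lower() == ca_domain for v in props)

def check_each_name(names, ca_domain, zone=CAA_ZONE):
    """Intended behaviour: every name on the certificate gets its own check."""
    return {n: caa_permits(n, ca_domain, zone) for n in names}

def check_one_name_n_times(names, ca_domain, zone=CAA_ZONE):
    """Failure mode from the article: one name is checked n times.
    Which name gets repeated is an assumption here (the first)."""
    return {n: caa_permits(names[0], ca_domain, zone) for n in names}

def refused_names(names, ca_domain, zone=CAA_ZONE):
    """Names whose CAA records must stop issuance of the whole certificate."""
    return [n for n, ok in check_each_name(names, ca_domain, zone).items() if not ok]

SANS = ["www.example.org", "shop.example.net", "blog.example.com"]
if __name__ == "__main__":
    print("per-name :", check_each_name(SANS, "letsencrypt.org"))
    print("repeated :", check_one_name_n_times(SANS, "letsencrypt.org"))
    print("refused  :", refused_names(SANS, "letsencrypt.org"))
```

With the repeated check, the two names whose CAA records exclude the CA are reported as permitted because only the first name's records were ever consulted.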
