Let’s Encrypt is one of the most popular platforms issuing free SSL certificates to websites. The non-profit has just announced that an internal bug caused over 3 million certificates to be issued with improper checking, and that it will revoke them all on March 4th as a security measure.
The bug affected Boulder, the server software Let’s Encrypt uses to verify users and their domains before issuing certificates. More specifically, it affected Boulder’s implementation of the CAA (Certificate Authority Authorization) standard, so that the CAA rechecks were not correctly performed before certificates were issued.
“when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”
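To make the quoted failure mode concrete, here is an added Go example (not Boulder’s code): a simplified model of a recheck loop that checks the first name N times, beside the corrected loop, both run against constructed CAA data in which one domain has since restricted issuance to another CA. The CA identifier, domain names and CAA values are assumed sample values.

```go
package main

import "fmt"

// ourCAID is the identifier this CA looks for in CAA "issue" records.
const ourCAID = "letsencrypt.org"
// caaPermits applies the core CAA rule to the "issue" values seen for a domain:
// no records at all means any CA may issue; once records exist, one must name us.
func caaPermits(issueValues []string) bool {
	if len(issueValues) == 0 {
		return true
	}
	for _, v := range issueValues {
		if v == ourCAID {
			return true
		}
	}
	return false
}
// recheckBuggy models the flaw quoted above: N names need rechecking, but the
// same first name is checked N times (an illustrative model, not Boulder's code).
func recheckBuggy(names []string, dns map[string][]string) error {
	for range names {
		if !caaPermits(dns[names[0]]) {
			return fmt.Errorf("CAA forbids issuance for %s", names[0])
		}
	}
	return nil
}
// recheckFixed checks every requested name against its own current CAA records.
func recheckFixed(names []string, dns map[string][]string) error {
	for _, name := range names {
		if !caaPermits(dns[name]) {
			return fmt.Errorf("CAA forbids issuance for %s", name)
		}
	}
	return nil
}
// sampleDNS is constructed data: a.example still permits this CA, while
// b.example has since added a record restricting issuance to another CA.
var sampleDNS = map[string][]string{
	"a.example": {ourCAID},
	"b.example": {"other-ca.example"},
}

func main() {
	names := []string{"a.example", "b.example"}
	fmt.Println("buggy:", recheckBuggy(names, sampleDNS)) // <nil>: wrongly permitted
	fmt.Println("fixed:", recheckFixed(names, sampleDNS)) // CAA forbids issuance for b.example
}
```

The buggy loop never looks at b.example, so a certificate covering it would be issued even though its current CAA records forbid it; the fixed loop rejects the request.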
Let’s Encrypt determined that the bug was first introduced on 25th July 2019 and confirmed it in February 2020. They are still investigating the matter in detail. The team moved quickly to rectify the mistake: soon after identifying the bug, they halted certificate issuance, fixed the bug and resumed issuance in just two hours.
Revoking over 3 million certificates
As of now, the service is sending emails to those deemed to be affected, and has also prepared an FAQ thread to answer questions. Let’s Encrypt believes the bug was not exploited by anyone, but has nevertheless decided to revoke all certificates issued by Boulder during the affected period. On March 4th 2020, Let’s Encrypt will revoke about 3,048,289 TLS certificates as a security measure. Everyone whose certificate is revoked should request a new one.