Millions of websites put at risk after encryption fault

Person looking at website on laptop
(Image credit: Pexels)

The Let's Encrypt project has announced that it will revoke more than three million TLS certificates after a bug was discovered in its Certification Authority Authorization (CAA) code.

The bug impacts the server software used by Let's Encrypt, called Boulder, which allows the project to verify users and their domains before a TLS certificate can be issued. Let's Encrypt has decided to revoke the TLS certificates because the implementation of the CAA specification inside Boulder was affected by the bug.

CAA is a security standard that was approved back in 2017. It allows domain owners to prevent the organizations that issue TLS certificates, called Certificate Authorities (CAs), from issuing certificates for their domains.

By adding a “CAA field” to a domain's DNS records, a domain owner can make it so that only the CA listed in the CAA field has the ability to issue a TLS certificate for their domain. Certificate Authorities, such as Let's Encrypt, are required to follow the CAA specification exactly or they could risk facing penalties from browser makers.

Revoking TLS certificates

After becoming aware of the issue, Let's Encrypt engineer Jacob Hoffman-Andrews disclosed the fact that a bug in Boulder had led the server software to ignore CAA checks in a forum post, saying:

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

The Let's Encrypt project worked quickly to patch the bug over the weekend and Boulder is now able to verify CAA fields properly before issuing any new certificates. Thankfully, it is very unlikely that someone exploited the bug, according to the project.

As of today, the Let's Encrypt project has revoked all of the certificates that were issued without proper CAA checks. Now all of the impacted certificates will trigger security errors in browsers until domain owners make a request for a new TLS certificate to replace the old one.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
Scam alert
Fake jobs and phone calls: How Americans lost $12.5 bn to fraud in 2024
Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration
Google bug bounty payments hit nearly $12 million in 2024
Scam alert
A new SMS energy scam is using Elon Musk’s face to steal your money
Representational image of a cybercriminal
Allstate sued for exposing personal customer information in plaintext
Latest in News
Vision Pro Metallica
Apple Vision Pro goes off to never never land with Metallica concert footage
Mufasa is joined by another lion, a monkey and a bird in this promotional image
Mufasa: The Lion King prowls onto Disney+ as it finally gets a streaming release date
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
An Nvidia GeForce RTX 4060 on a table with its retail packaging
Nvidia RTX 5060 GPU spotted in Acer gaming PC, suggesting rumors of imminent launch are correct – and that it’ll run with only 8GB of video RAM
Indiana Jones talking to a friend in a university setting with a jaunty smile on his face
New leak claims Indiana Jones and the Great Circle PS5 release will come in April
A close up of the limited edition vinyl turntable wrist watch from AndoAndoAndo
This limited-edition timepiece turns the iconic Technics SL-1200 turntable into a watch, and I want one