As of today (4 March), millions of websites could stop functioning properly, due to a bug affecting the digital certificates used to secure them.
Let’s Encrypt, the project from the non-profit Internet Security Research Group (ISRG) that issues the certificates, said a bug meant that three million HTTPS certificates needed to be revoked.
Clients of the free digital certificate authority were warned they had up to 0000 UTC on March 4 to renew and replace affected certificates, but a forum for the service reveals that some site admins are struggling to do so.
Let’s Encrypt celebrated issuing its one billionth certificate last month, but only 116 million of these are currently active. Of those, three million were affected by the bug before the organisation had a chance to patch it during a two-hour maintenance period on Saturday. Of these three million, one million are duplicates for the same domain or subdomain, meaning the actual number of impacted certificates is roughly two million.
“It’s a small percentage, and if websites are paying attention and on the ball, it should be relatively easy to update,” says Alan Woodward, professor of computer science at the University of Surrey.
However, the update won’t happen automatically, meaning that site managers will have to be proactive. For less attentive system administrators, or those struggling to execute the update, a lack of action will result in visitors to the website being greeted with a message declaring the site “insecure”.
This is because if a site says it’s using the TLS security protocol, most browsers will check whether its certificate is valid and warn users if it’s not.
“That’s the worry – not that there is a security threat, but that there may be a loss of trust for the user, especially if it affects well-known brands,” says Woodward.
The bug was found in Boulder, the server software the Let’s Encrypt project uses to verify users and their domains before issuing a TLS certificate, according to a post on the service’s online forum by a Let’s Encrypt engineer.
The bug impacted the implementation of the CAA (Certificate Authority Authorisation) specification inside Boulder – a security standard that allows domain owners to prevent Certificate Authorities from issuing certificates for their domains.
Whoever first registers a domain can designate a certificate authority that has the right to issue the certificate for it, to prevent impersonators.
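To make concrete the decision a certificate authority has to take from a domain's CAA records before issuing, here is an added example (not Boulder's code and not from the original article) of the lookup and authorisation logic in RFC 8659. The zone data and every name in it are constructed, CNAME handling is left out, and `letsencrypt.org` is the identifier Let’s Encrypt uses in CAA records.

```python
# Added example: CAA decision logic (RFC 8659), simplified (no CNAME handling).
# ZONE is constructed sample data: name -> list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "shop.example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
    "locked.example.org": [(0, "issue", ";")],
    "odd.example.org": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from name towards the root; return the first non-empty CAA set."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value; parameters after ';' dropped."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_id, fqdn, zone):
    """True if the CA identified by ca_id may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # no applicable restriction: any CA may issue
    return any(issuer_domain(v) == ca_id.lower() for v in props)


if __name__ == "__main__":
    for name in ("www.example.com", "shop.example.com", "*.shop.example.com",
                 "a.locked.example.org", "odd.example.org", "nocaa.example.net"):
        print(name, may_issue("letsencrypt.org", name, ZONE))
```

A record set on a subdomain replaces the parent's rather than adding to it, which is why `shop.example.com` refuses a CA that `example.com` allows.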
Theoretically, if the Let’s Encrypt flaw were exploited, it would allow someone to obtain a valid TLS certificate for an already established domain name. Let’s Encrypt has reported that it’s unlikely the flaw was exploited, but has decided to revoke all the certificates that weren’t subjected to the appropriate CAA checks.
“In some ways, Let’s Encrypt are exercising an abundance of caution, because the chance of someone exploiting that is really quite small,” says Woodward. “They might end up causing disruption when there needn’t have been.”
These types of attacks are very uncommon, but can be disastrous for the reputation of the certificate authority in question.
DigiNotar, a Dutch certificate authority, was forced to file for bankruptcy in 2011 after a major hack decimated trust in the service.
“This is all based on trust,” says Woodward. If trust in the organisation issuing the certificates takes a hit, it might make organisations less willing to use it in future – this is the type of reputational risk Let’s Encrypt could suffer from.
However, Let’s Encrypt has been a champion of the HTTPS security protocol, which is now used by over 50 per cent of websites on the internet. “If anything, it shows how important Let’s Encrypt has become as part of web infrastructure,” says Woodward.
In its five years of being operational, this is the first time the project has been forced to revoke certificates.
The post Let’s Encrypt bug could harm trust in thousands of websites appeared first on NS Tech.