Skip to main content

Millions of websites put at risk after encryption fault

Person looking at website on laptop
(Image credit: Pexels)

The Let's Encrypt project has announced that it will revoke more than three million TLS certificates after a bug was discovered in its Certification Authority Authorization (CAA) code.

The bug impacts the server software used by Let's Encrypt, called Boulder, which allows the project to verify users and their domains before a TLS certificate can be issued. Let's Encrypt has decided to revoke the TLS certificates because the implementation of the CAA specification inside Boulder was affected by the bug.

CAA is a security standard that was approved back in 2017. It allows domain owners to prevent the organizations that issue TLS certificates, called Certificate Authorities (CAs), from issuing certificates for their domains.

By adding a “CAA field” to a domain's DNS records, a domain owner can make it so that only the CA listed in the CAA field has the ability to issue a TLS certificate for their domain. Certificate Authorities, such as Let's Encrypt, are required to follow the CAA specification exactly or they could risk facing penalties from browser makers.

Revoking TLS certificates

After becoming aware of the issue, Let's Encrypt engineer Jacob Hoffman-Andrews disclosed the fact that a bug in Boulder had led the server software to ignore CAA checks in a forum post, saying:

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

The Let's Encrypt project worked quickly to patch the bug over the weekend and Boulder is now able to verify CAA fields properly before issuing any new certificates. Thankfully, it is very unlikely that someone exploited the bug, according to the project.

As of today, the Let's Encrypt project has revoked all of the certificates that were issued without proper CAA checks. Now all of the impacted certificates will trigger security errors in browsers until domain owners make a request for a new TLS certificate to replace the old one.

Via ZDNet