A certificate authority named Let’s
Encrypt found a bug in code used to generate certificates and was forced to
revoke millions of certificates, leaving websites very little time for renewal.
When a user visits a site that has an
invalid certificate, a warning is displayed that it’s not safe. While it might
not pose a threat to people visiting the website, the affected pages will
project a feeling of insecurity to users, troubling businesses. A customer who
has no idea what a certificate is or why they’re being warned that it’s not
safe to be there could easily get spooked.
Let’s Encrypt is a non-profit
organization run by the Internet Security Research Group (ISRG) and backed by
major companies such as Mozilla, Cisco, the Electronic Frontier Foundation,
Google, and many others.
“Due to the 2020.02.29 CAA
Rechecking Bug 6.4k, we unfortunately need to revoke many Let’s Encrypt TLS/SSL
certificates,” said
Let’s Encrypt in a community notice.
“2.6% of the total number of
certificates are affected. That is 3,048,289 currently-valid certificates are
affected, out of ~116 million overall active Let’s Encrypt certificates. Of the
affected certificates, about 1 million are duplicates of other affected
certificates, in the sense of covering the same set of domain names. Because of
the way this bug operated, the most commonly affected certificates were those
that are reissued very frequently, which is why so many affected certificates
are duplicates.”
The revocation started on March 4th and
took just a few hours, which gave some companies and people using certificates
from Let’s Encrypt very little time to get a new one before browsers started to
warn visitors about insecurity of their websites. Many websites were affected.
As online tool available right now allows
anyone to check if the certificate used in any website is among the duplicates.
The reissue process is easy and quick.