{"id":2326,"date":"2020-03-06T11:19:24","date_gmt":"2020-03-06T09:19:24","guid":{"rendered":"https:\/\/www.bnamed.blog\/en\/?p=2326"},"modified":"2020-03-06T11:28:59","modified_gmt":"2020-03-06T09:28:59","slug":"lets-encrypt-to-revoke-3","status":"publish","type":"post","link":"https:\/\/www.bnamed.blog\/en\/2020\/03\/lets-encrypt-to-revoke-3\/","title":{"rendered":"Let&#8217;s encrypt to revoke 3 million certificates&#8230; or not"},"content":{"rendered":"<p><img decoding=\"async\" loading=\"lazy\" class=\"alignright size-full wp-image-2334\" src=\"https:\/\/www.bnamed.blog\/en\/wp-content\/uploads\/2020\/03\/lets-encrypt-logo-klein-1.png\" alt=\"\" width=\"214\" height=\"73\" \/>Only about a month ago we reported on a <a href=\"https:\/\/www.bnamed.blog\/en\/2020\/01\/sectigo-starts-major-recall-on-ev-certificates\/\">big recall of certificates organised by Sectigo<\/a>. They would be revoking about 6000 certificates, mostly owned by Dutch companies. They gave a 6-day notice.<br \/>\nLet&#8217;s encrypt just responded with &#8220;hold my beer&#8221;, announcing it would revoke 3 million certificates with only a 5-day notice.<\/p>\n<p><!--more--><\/p>\n<p>On the last day of February, a bug was found and fixed which could have caused certificates to be issued while one of the verifications was outdated. Before a certificate can be issued, you have to prove you manage the domain name or webhosting. This check was always carried out correctly. But a second check also verifies whether a so-called &#8220;CAA&#8221; record is set on the domain name. If it is, then only the certificate authorities listed in that record may issue a certificate. 
Let&#8217;s Encrypt would not check the CAA record for every single certificate, but remembered the previous result for up to 30 days.<\/p>\n<p>Because this was not completely correct according to the rules of the CA\/B Forum (the organisation setting the very strict rules for certificate authorities), they announced that all certificates for which the CAA record had been verified more than 8 hours before the certificate was issued would be revoked. About 2.6% of all certificates issued by Let&#8217;s Encrypt were affected. That&#8217;s about 3 million certificates which would be revoked within only 5 days after the announcement.<\/p>\n<p>All users had very little time to take action and to request a new certificate. On the deadline only about half of them had gotten their certificate re-issued. At the last minute Let&#8217;s Encrypt decided that revocation wasn&#8217;t so urgent after all and only revoked certificates for which a new certificate had already been requested.<\/p>\n<p>With both Sectigo and Let&#8217;s Encrypt, a reasonably small bug was the cause of the revocations. The chance of actual harm was very small. It&#8217;s hard not to assume that Let&#8217;s Encrypt has the flexibility not to revoke within the initial deadline because the two most influential members of the CA\/B Forum (Mozilla\/Firefox and Google\/Chrome) are also listed as some of the biggest sponsors of Let&#8217;s Encrypt.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Only about a month ago we reported on a big recall of certificates organised by Sectigo. They would be revoking about 6000 certificates, mostly owned by Dutch companies. They gave a 6-day notice. 
Let&#8217;s encrypt just responded with &#8220;hold my beer&#8221;, announcing it would revoke 3 million certificates with only a 5-day notice.<\/p>\n","protected":false},"author":1,"featured_media":2335,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/posts\/2326"}],"collection":[{"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/comments?post=2326"}],"version-history":[{"count":8,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/posts\/2326\/revisions"}],"predecessor-version":[{"id":2339,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/posts\/2326\/revisions\/2339"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/media\/2335"}],"wp:attachment":[{"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/media?parent=2326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/categories?post=2326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bnamed.blog\/en\/wp-json\/wp\/v2\/tags?post=2326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}