Let’s Encrypt is a popular, free, and open-source Certificate Authority run by the Internet Security Research Group (ISRG), with more than one billion certificates issued to websites worldwide. While no one denies the organization’s enormous contribution to HTTPS adoption across the web, Let’s Encrypt certificates are unfortunately not immune to bugs or malicious exploitation. The latest setback came when over three million certificates were affected by a bug and had to be revoked.
The culprit is the code that checks for a CAA (Certificate Authority Authorization) record whenever a user renews their SSL certificates, to ensure the domain owner hasn’t imposed any restrictions on who may issue for the domain. Because Let’s Encrypt’s automatic check scanned only one domain of a multi-domain certificate and skipped the others, owners of multiple domains were exposed to potential cyber-attacks: a certificate could be issued for a name whose CAA record should have blocked it.
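As an added illustration (not Let’s Encrypt’s own code), the following Python models the CAA recheck for a certificate order covering several names, including the closest-ancestor lookup that CAA uses, and contrasts the loop shape of the bug described above with the corrected one. The DNS zone data, domain names and issuer identifier are constructed for the example.

```python
"""Simulated CAA recheck for a multi-name certificate order.

Added illustration, not Let's Encrypt's code. The DNS data, the
domain names and the issuer identifier below are constructed.
"""
ISSUER = "letsencrypt.org"

# Constructed DNS data: name -> list of (tag, value) CAA records.
CAA_ZONE = {
    "example.com": [("issue", "letsencrypt.org")],
    "restricted.example": [("issue", "other-ca.example")],
    "nothing.example": [],
}

def relevant_caa_records(name):
    """RFC 8659 lookup: use the CAA records of the closest ancestor
    (the name itself first) that has any; an empty list means
    the domain owner imposed no restriction."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = CAA_ZONE.get(candidate, [])
        if records:
            return records
    return []

def caa_permits(name, issuer=ISSUER):
    """True if the relevant CAA set is empty or names this issuer in
    an 'issue' record (wildcard / 'issuewild' handling omitted)."""
    records = relevant_caa_records(name)
    if not records:
        return True
    return any(tag == "issue" and value == issuer for tag, value in records)

def recheck_buggy(names):
    """Loop shape of the bug: the check runs len(names) times but
    always against one name (simplified here to the first), so any
    restriction on the other names is never seen."""
    return all(caa_permits(names[0]) for _ in names)

def recheck_fixed(names):
    """Corrected loop: every name in the order is checked once."""
    return all(caa_permits(n) for n in names)
```

With a name whose CAA record authorizes a different CA placed second in the order, `recheck_buggy` wrongly approves the order while `recheck_fixed` rejects it.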
Initially, Let’s Encrypt announced that it would revoke around three million certificates to comply with industry rules; however, in a quick U-turn, the organization decided to leave more than 1 million SSL certificates active. Here’s what ISRG’s executive director had to say on the matter:
“Unfortunately, we believe it’s likely that more than 1 million certificates will not be replaced before the compliance deadline for revocation is upon us. Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline.”
He went on to assure users that any certificates left unrevoked will expire soon.
“Let’s Encrypt only offers certificates with 90-day lifetimes, so potentially affected certificates that we may not revoke will leave the ecosystem relatively quickly. We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to web users.”
The Let’s Encrypt bug, while not a disaster, highlights the frailty of free domain validation certificates and the importance of efficient and reputable SSL certificate management. When hundreds or thousands of certificates are at stake, replacing them manually is simply not an option. Certificate Authorities should ensure a trustworthy authorization and validation process, while companies must invest in tools that automate the issuance, renewal and replacement of SSL certificates.