LET’S ENCRYPT REVOKED 3 MILLION TLS CERTIFICATES

Learn about the recent Let's Encrypt incident where 3 million TLS certificates were revoked. Stay informed and safeguard your online presence effectively.
lets-encrypt-revoked-3million-tls-certificates

Table of Contents

LET’S ENCRYPT REVOKED 3 MILLION TLS CERTIFICATES ON MARCH 4th, 2020

Let’s Encrypt revoked over 3 million certificates on March 4th, Wednesday because of a bug in a domain validation and issuance software. A software bug in the Certificate Authority (CA) software project by Let’s Encrypt project caused some of the certificates to not get validated through the Certificate Authority Authorization (CAA) which was configured for an associated domain.

CAA is basically a security feature that allows the domain administrators to create a DNS record that restricts the certificate authorities to issue certificates for that specific domain. The domain owners can add a ‘CAA field’ to their domain’s DNS records. Only the CA listed in the CAA field can actually issue a TLS certificate for that domain.

The certificate authorities such as Let’s Encrypt are supposed to follow the CAA specification by the law or they have to deal with serious penalties from the browser makers. Let’s Encrypt project disclosed on February 29th, Saturday that there has been a bug in Boulder which ignores CAA  checks. In an official report issued by Let’s Encrypt, they described the bug as follows:

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

The team of Let’s Encrypt patched the bug on Saturday itself in the two hours maintenance window and the result of which is that Boulder is now verifying CAA fields properly before issuing any new certificates.

However, Let’s Encrypt mentioned that it was highly unlikely that someone exploited the bug but they were still revoking all the certificates that were issued without proper CAA checks. This was to follow industry rules as dictated by the CA/B Forum.

3 MILLION OF 116 MILLION CERTIFICATES WERE IMPACTED:

The engineers of Let’s Encrypt team disclosed that out of the 116 million TLS (Transport Layer Security) Certificates, only around 2.6% were actually impacted by the issue while representing a total of 3, 048,289 certificates.

Out of these 3 million certificates, over one million were duplicate for the same domain/subdomain putting the actual number of impacted certificates in the line of 2 million certificates roughly.

Due to the manner in which this software bug operated, some of the most commonly affected certificates were the ones that were reissued frequently. This is the reason why so many certificates are duplicates. As a result of which, Let’s Encrypt revoke all affected certificates on March 4, 2020.

Following this date, all the affected certificates will trigger some errors in browsers and other kinds of applications. Therefore, the domain owners have requested a new kind of TLS certificate while replacing the old one. Let’s Encrypt notified all the affected domain owners through emails.

The system administrators and the webmasters who are presently using the Let’s Encrypt certificates for their particular networks and servers have the ability to check the list of serial numbers of affected TLS certificates. In addition, they can also visit a website to check if their website has been impacted just by entering their domain name.

Until last week only, Let’s Encrypt announced issuing around one-billionth free TLS certificates making it one of the most successful CA up to date. In the last five years of history, the Let’s Encrypt project has actually managed to stay free of major problems. However, some of the platform-specific bugs have been reported sometimes. This time, Let’s Encrypt is clearly advising the users to renew their impacted certificates.

Have A Project in Mind?
Chat with Our Experts.

Got a Project in Mind?

Awards & Recognition

27114 6
USA

570 E WILLIAM ST San Jose, 
CA 95112

27114 1
Canada

325 FRONT STREET WEST,
 TORONTO, CANADA, M5V 2Y1

27116 1
Australia

Suite 6, 220 Northumberland St Liverpool, NSW 2170

New-zealand-flag-icon
New Zealand

14A Arcadia Road Epsom, Auckland

27130 1
India

D-199, Sector 74 Mohali, 
 Punjab, India - 160055

Copyright © 2024 Orion eSolutions. All Rights Reserved.

Copyright © 2024 Orion eSolutions. All Rights Reserved.

Book Now
By Clicking "Accept All Cookies" ,you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. More information  View more
Cookies settings
Accept All Cookies
Privacy & Cookie policy
Privacy & Cookies policy
Cookie name Active

Privacy Policy

At Orion eSolutions, accessible from https://orionesolutions.com, one of our main priorities is the privacy of our visitors. This Privacy Policy document contains types of information that is collected and recorded by Orion eSolutions and how we use it.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.

This Privacy Policy applies only to our online activities and is valid for visitors to our website with regards to the information that they shared and/or collect in Orion eSolutions. This policy is not applicable to any information collected offline or via channels other than this website.

Consent

By using our website, you hereby consent to our Privacy Policy and agree to its terms.

Information we collect

The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.

If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

When you register for an Account, we may ask for your contact information, including items such as name, company name, address, email address, and telephone number.

How we use your information

We use the information we collect in various ways, including to:

  • Provide, operate, and maintain our webste
  • Improve, personalize, and expand our webste
  • Understand and analyze how you use our webste
  • Develop new products, services, features, and functionality
  • Communicate with you, either directly or through one of our partners, including for customer service, to provide you with updates and other information relating to the webste, and for marketing and promotional purposes
  • Send you emails
  • Find and prevent fraud

Log Files

Orion eSolutions follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and a part of hosting services’ analytics. The information collected by log files include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.

Cookies and Web Beacons

Like any other website, Orion eSolutions uses ‘cookies’. These cookies are used to store information including visitors’ preferences, and the pages on the website that the visitor accessed or visited. The information is used to optimize the users’ experience by customizing our web page content based on visitors’ browser type and/or other information.

Advertising Partners Privacy Policies

You may consult this list to find the Privacy Policy for each of the advertising partners of Orion eSolutions.

Third-party ad servers or ad networks uses technologies like cookies, JavaScript, or Web Beacons that are used in their respective advertisements and links that appear on Orion eSolutions, which are sent directly to users’ browser. They automatically receive your IP address when this occurs. These technologies are used to measure the effectiveness of their advertising campaigns and/or to personalize the advertising content that you see on websites that you visit.

Note that Orion eSolutions has no access to or control over these cookies that are used by third-party advertisers.

Third Party Privacy Policies

Orion eSolutions’s Privacy Policy does not apply to other advertisers or websites. Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more detailed information. It may include their practices and instructions about how to opt-out of certain options. You may find a complete list of these Privacy Policies and their links here: Privacy Policy Links.

You can choose to disable cookies through your individual browser options. To know more detailed information about cookie management with specific web browsers, it can be found at the browsers’ respective websites. What Are Cookies?

CCPA Privacy Rights (Do Not Sell My Personal Information)

Under the CCPA, among other rights, California consumers have the right to:

Request that a business that collects a consumer’s personal data disclose the categories and specific pieces of personal data that a business has collected about consumers.

Request that a business delete any personal data about the consumer that a business has collected.

Request that a business that sells a consumer’s personal data, not sell the consumer’s personal data.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

GDPR Data Protection Rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.

The right to erasure – You have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

Children’s Information

Another part of our priority is adding protection for children while using the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity.

Orion eSolutions does not knowingly collect any Personal Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will do our best efforts to promptly remove such information from our records.

Save settings
Cookies settings