Users have until February 13th to stop using TLS-SNI-01 in Let’s Encrypt

After a security incident, the certificate authority has decided to retire this domain validation method

Nearly a year after a security incident allowed malicious users to obtain TLS certificates for domains that did not belong to them, the certificate authority has decided to end the life cycle of the TLS-SNI-01 validation method, as reported by network security and ethical hacking specialists from the International Institute of Cyber Security.

At the beginning of last year, Let’s Encrypt, a free certificate authority, found that domain validation based on TLS-SNI-01, and on its proposed successor TLS-SNI-02, could be exploited by malicious users. According to network security experts: “An attacker or group of attackers could, for example, find an orphaned domain name targeted at a hosting service and use the domain, with an unauthorized certificate to make fake pages seem more credible, without actually owning the domain”.

In TLS-SNI-01, the certificate authority connects to the IP address the domain resolves to and sends a challenge-specific hostname in the SNI extension of the TLS handshake (SNI is the name a client uses to tell the server which site it wants, which is essential when a single IP address serves multiple websites). The server is expected to answer with a certificate containing that name, and doing so is taken as proof of control over the domain. According to network security experts, the weakness appears when a hosting provider lets a customer bind a certificate to any hostname on a shared IP address without verifying that the customer owns the web domain.
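The following is an added example, not code from the article or from Let’s Encrypt, that models the check described above and the shared-hosting condition under which it fails. The challenge-name derivation (hex SHA-256 of the key authorization, split into two 32-character labels under `.acme.invalid`) is the one TLS-SNI-01 specified; the `SharedHost` class, the tenant names, the domain names and the key authorization string are constructed for illustration. The `verify_ownership` flag switches between a provider that serves any uploaded certificate for any SNI name and one that only binds names the customer has been verified to own.

```python
import hashlib

# Constructed model of TLS-SNI-01 validation on a shared-hosting IP.
# Nothing here contacts a real CA or server; all names are made up.

ACME_SUFFIX = ".acme.invalid"


def tls_sni_01_name(key_authorization: str) -> str:
    """Hostname the validator sends in SNI: Z[0:32].Z[32:64].acme.invalid,
    where Z is the hex SHA-256 of the challenge key authorization."""
    z = hashlib.sha256(key_authorization.encode()).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"


class SharedHost:
    """Toy hosting provider: one IP, many customers, certificate chosen by SNI.

    verify_ownership=False reproduces the weakness: any customer may bind a
    certificate to any SNI name, including names under .acme.invalid.
    verify_ownership=True is the provider-side fix: a certificate is only
    served for names the uploading customer is verified to own.
    """

    def __init__(self, verify_ownership: bool):
        self.verify_ownership = verify_ownership
        self.owners = {}      # hostname -> tenant the provider has verified
        self.sni_table = {}   # SNI hostname -> (tenant, SAN tuple) served

    def register_domain(self, tenant: str, hostname: str) -> None:
        self.owners[hostname] = tenant

    def upload_certificate(self, tenant: str, sans: list) -> bool:
        """Bind a customer-supplied certificate to each name it carries."""
        if self.verify_ownership:
            for name in sans:
                if self.owners.get(name) != tenant:
                    return False  # refused: tenant does not own this name
        for name in sans:
            self.sni_table[name] = (tenant, tuple(sans))
        return True

    def serve(self, sni: str):
        """What the TLS server presents for a given SNI (None if unbound)."""
        return self.sni_table.get(sni)


def validate_tls_sni_01(host: SharedHost, key_authorization: str):
    """CA side: send the challenge name in SNI and accept if the certificate
    returned contains it. Returns the tenant whose certificate satisfied the
    check, or None if validation fails."""
    expected = tls_sni_01_name(key_authorization)
    entry = host.serve(expected)
    if entry is None:
        return None
    tenant, sans = entry
    return tenant if expected in sans else None


def run_scenario(verify_ownership: bool) -> dict:
    """One tenant tries to pass TLS-SNI-01 for a domain it does not own but
    which resolves to the shared IP. Returns what happened."""
    host = SharedHost(verify_ownership)
    host.register_domain("alice", "alice.example")
    host.register_domain("mallory", "mallory.example")
    # victim.example (constructed) is an orphaned name that still points at
    # this shared IP; no customer here has proven ownership of it.

    # Mallory asks the CA for victim.example; the CA returns a challenge whose
    # key authorization is known only to Mallory's ACME client (constructed).
    key_authz = "token-for-victim.example.mallory-account-thumbprint"
    challenge_name = tls_sni_01_name(key_authz)

    # Mallory uploads a self-signed certificate carrying the challenge name.
    uploaded = host.upload_certificate("mallory", [challenge_name])
    validated_for = validate_tls_sni_01(host, key_authz)
    return {"uploaded": uploaded, "validated_for": validated_for}


if __name__ == "__main__":
    print("weak provider:    ", run_scenario(verify_ownership=False))
    print("verifying provider:", run_scenario(verify_ownership=True))
```

With `verify_ownership=False` the upload is accepted and the CA's check passes for `mallory`, even though nobody on the host owns `victim.example`. With `verify_ownership=True` the upload is refused and validation fails, which is also why a provider that enforces ownership cannot let customers complete TLS-SNI-01 by uploading certificates at all; the customer must use another validation method instead.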

In response, Let’s Encrypt ended the life cycle of the TLS-SNI-01 validation method for newly registered accounts, while keeping it available for a transition period to accounts that had already used it before the announcement.

Let’s Encrypt announced in an official statement that the deadline to stop using TLS-SNI-01 is February 13, 2019.

Josh Aas, a cybersecurity specialist collaborating with Let’s Encrypt, wrote in a blog post that system administrators who still use TLS-SNI-01 should switch to the DNS-01 or HTTP-01 validation methods.

“We apologize in advance for any inconvenience this may produce, but we believe this is the right decision to ensure the integrity of your web developments,” Aas concluded.