Web application security specialists reported the finding of a security flaw in the CAA authorization code of the Let’s Encrypt Certification Authority (CA); the vulnerability creates a time window in which it is possible to issue a certificate even if the CAA record in the DNS of the domain should prohibit it. The flaw forced Let’s Encrypt to revoke any certificate that may have been issued in a non-legitimate manner.
In a statement, the CA mentioned: “Unfortunately we must revoke all affected certificates, which could include one or more of each user’s certificates. To avoid disruption, you must renew and replace the affected certificates before the end of March 4; we offer our sincere apologies for the incident.”
According to web application security experts, sites where affected certificates are not renewed and replaced in time will display warning messages to visitors until the certificates are renewed.
Let’s Encrypt uses Boulder CA software, a web server that uses Let’s Encrypt and works for multiple separate domain names receives a unique LE certificate, which protects all domain names on the server, rather than using a certificate for each domain. The reported bug is that instead of verifying each domain name separately for valid CAA records, Boulder verifies one of the domains once per each domain on the server.
As a result, it is generated a 30-day period in which Let’s Encrypt can issue certificates to a particular web server regardless of the presence of CAA records that, under normal conditions, would prohibit its issuance, as mentioned by web application security specialists.
It is a fact that multiple certificates were issued when they should not have been, so Let’s Encrypt opted for the revocation of certificates that were not properly verified; in this situation, users should force the manual renewal of their certificates to eliminate the security risk. The steps for manually renewing certificates can be found on the official Let’s Encrypt platforms.
According to the International Institute of Cyber Security (IICS), site administrators should hurry to perform this manual procedure. Otherwise, the affected websites could reduce their visitor’s average significantly due to the certification authority’s security warnings.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
