A certificate authority named Let’s Encrypt found a bug in code used to generate certificates and was forced to revoke millions of certificates, leaving websites very little time for renewal.
When a user visits a site that has an invalid certificate, the browser displays a warning that the site is not safe. While this might not pose a threat to people visiting the website, the affected pages project a feeling of insecurity to users, which troubles businesses. A customer who has no idea what a certificate is, or why they are being warned that it is not safe to be there, could easily get spooked.
Let’s Encrypt is a non-profit organization run by the Internet Security Research Group (ISRG) and backed by major companies such as Mozilla, Cisco, the Electronic Frontier Foundation, Google, and many others.
“Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates,” said Let’s Encrypt in a community notice.
“2.6% of the total number of certificates are affected. That is 3,048,289 currently-valid certificates are affected, out of ~116 million overall active Let’s Encrypt certificates. Of the affected certificates, about 1 million are duplicates of other affected certificates, in the sense of covering the same set of domain names. Because of the way this bug operated, the most commonly affected certificates were those that are reissued very frequently, which is why so many affected certificates are duplicates.”
The revocation started on March 4th and took just a few hours, which gave some companies and people using certificates from Let’s Encrypt very little time to get a new one before browsers started to warn visitors about the insecurity of their websites. Many websites were affected.
An online tool available right now allows anyone to check whether the certificate used by any website is among the duplicates. The reissue process is easy and quick.