{"id":18138,"date":"2022-02-02T11:11:15","date_gmt":"2022-02-02T19:11:15","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11871\/"},"modified":"2022-02-02T11:11:15","modified_gmt":"2022-02-02T19:11:15","slug":"news-11871","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11871\/","title":{"rendered":"Let&#8217;s Encrypt to revoke &#8220;mis-issued&#8221; certificates"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 27 Jan 2022 21:44:42 +0000<\/strong><\/p>\n<p>If you use a Let\u2019s Encrypt SSL\/TLS certificate, you may wish to check your account over the coming days. Revocation is coming, and you\u2019ve only got until tomorrow to figure things out.<\/p>\n<h2>What\u2019s the deal with free certificates?<\/h2>\n<p>If you\u2019re running a website, you want to make sure that it uses HTTPS. It means the visitor&#8217;s connection to the site is secure, and snoopers can\u2019t see what they\u2019re doing. This is good for you and most definitely good for them. Browsers typically let you know the site is secure by displaying a padlock in your URL bar.<\/p>\n<p>It used to be fairly expensive to get your hands on an HTTPS certificate, and for years there were problems with using custom domains on certain services. Try as you might, certificates simply wouldn\u2019t work in some cases.<\/p>\n<p>It\u2019s a lot easier these days, and a lot cheaper too. How cheap? Well, <a href=\"https:\/\/letsencrypt.org\/about\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">free<\/a> can definitely be considered cheap.<\/p>\n<p>There are quite a few providers out there offering free HTTPS, and this is a good thing. The onset of mass free HTTPS certificates has, interestingly, meant a few tweaks to infosec advice. 
For example, many organisations now point out that the free certs boom means a rise in phishing sites using HTTPS, so you mustn&#8217;t let your guard down. Even so, having more sites with HTTPS than without is a baseline we should be striving for.<\/p>\n<h2>What\u2019s happened with Let\u2019s Encrypt?<\/h2>\n<p>Emails started landing in customer mailboxes over the past few days, like so:<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">oops&#8230; letsencrypt is gonna revoke all certificates that were generated using TLS-ALPN-01.. time to renew certs.. :\/ <a href=\"https:\/\/t.co\/wYjGZkQnJJ\">pic.twitter.com\/wYjGZkQnJJ<\/a><\/p>\n<p>&mdash; stypr (@stereotype32) <a href=\"https:\/\/twitter.com\/stereotype32\/status\/1486245346678231040?ref_src=twsrc%5Etfw\">January 26, 2022<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The mail reads as follows:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>Please immediately renew your TLS certificate(s) that were issued from Let\u2019s Encrypt using the TLS-ALPN-01 validation method.<\/em><\/p>\n<p><em>We\u2019ve determined that an error made it possible for TLS-ALPN-01 challenges, completed before today, to not comply with certificate issuance requirements. We have remediated this problem and will revoke all unexpired certificates that used this validation method at 16:00 UTC on 28 January 2022. 
Please renew your certificates now to ensure an uninterrupted experience for your site visitors.<\/em><\/p>\n<\/blockquote>\n<p>At the same time, the Let\u2019s Encrypt team posted up an <a href=\"https:\/\/community.letsencrypt.org\/t\/2022-01-25-issue-with-tls-alpn-01-validation-method\/170450\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">initial notification<\/a> about what had taken place.<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>At 16:48 UTC on Tuesday Jan 25, 2022, a third party informed Let\u2019s Encrypt \/ ISRG that, while examining the Boulder codebase, they had noticed two instances of specification non-compliance in our implementation of the \u201cTLS Using ALPN\u201d validation method.<\/em><\/p>\n<p><em>All active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022 when our fix was deployed are considered mis-issued. In compliance with the Let\u2019s Encrypt CP, we have 5-days to revoke and will begin to revoke certificates at 16:00 UTC on 28 January 2022. We estimate &lt;1% of active certificates are affected.<\/em><\/p>\n<\/blockquote>\n<p>It\u2019s worth highlighting that you may be affected even if you don\u2019t have a valid mail address on file. They also have a longer thread complete with questions and answers in the <a href=\"https:\/\/community.letsencrypt.org\/t\/questions-about-renewing-before-tls-alpn-01-revocations\/170449\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">comments section<\/a>.<\/p>\n<h2>The numbers game<\/h2>\n<p>They mention that fewer than 1% of active certificates are affected. However, Bleeping Computer has done some digging into numbers and the impact <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">may still be pretty big<\/a>. 
According to their statistics, active certificates \u201csurpassed 221 million\u201d as of November 2021 so 1% of that is not to be laughed at.<\/p>\n<p>Users of free SSL services are typically used to <a href=\"https:\/\/techcrunch.com\/2021\/09\/21\/lets-encrypt-root-expiry\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ongoing notifications<\/a> about problems and issues. With any luck, they\u2019ll be just as prepared for this one. That being said, if you use the service mentioned above and this is the first you\u2019ve heard about it, you may wish to get a move on and dig into the issue sooner rather than later.<\/p>\n<p>The clock is most definitely ticking, and you&#8217;ve only got one more day to get your certificate affairs in order.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/01\/lets-encrypt-to-revoke-mis-issued-certificates\/\">Let&#8217;s Encrypt to revoke &#8220;mis-issued&#8221; certificates<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/01\/lets-encrypt-to-revoke-mis-issued-certificates\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 27 Jan 2022 21:44:42 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/01\/lets-encrypt-to-revoke-mis-issued-certificates\/' title='Let's Encrypt to revoke \"mis-issued\" certificates'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2021\/07\/GettyImages-1272564863.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In one day&#8217;s time, Let&#8217;s Encrypt will begin revoking a number of mis-issued certificates. 
Check now if you&#8217;re affected<\/p>\n<p>Categories: <a href=\"https:\/\/blog.malwarebytes.com\/category\/privacy-2\/\" rel=\"category tag\">Privacy<\/a><\/p>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/certificate\/\" rel=\"tag\">certificate<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/security\/\" rel=\"tag\">security<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ssl\/\" rel=\"tag\">SSL<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tls\/\" rel=\"tag\">TLS<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/website\/\" rel=\"tag\">website<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/01\/lets-encrypt-to-revoke-mis-issued-certificates\/' title='Let's Encrypt to revoke \"mis-issued\" certificates'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/01\/lets-encrypt-to-revoke-mis-issued-certificates\/\">Let&#8217;s Encrypt to revoke &#8220;mis-issued&#8221; certificates<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11476,5897,714,17203,11309,12129],"class_list":["post-18138","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-certificate","tag-privacy","tag-security","tag-ssl","tag-tls","tag-website"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18138"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18138\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}