posted by martyb on Thursday March 05 2020, @05:54PM

Arthur T Knackerbracket has found the following story:

Let’s Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.

The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software, discovered and patched this past Sunday, impacted the way its software checked domain ownership before issuing certificates. However, users grumbled that this was not enough time to correct the problem.

Users and major integrators of Let’s Encrypt managed to replace more than 1.7 million of the affected certificates by the original deadline; however, more than 1 million were left that would have been revoked, causing the company to rethink its plan, a Let’s Encrypt spokeswoman told Threatpost late Wednesday.

“Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline,” Josh Aas, executive director for Let’s Encrypt, said in a blog post updating users of the situation Wednesday.

The company’s plan now is to revoke 1,706,505 certificates that the company is confident were already replaced as well as “445 certificates that we treated as highest priority for revocation because, at the time we found the bug, they had CAA records that forbid issuance by Let’s Encrypt,” Aas wrote in the post.

“We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users,” he wrote.

Disclaimer: SoylentNews uses Let's Encrypt certificates.

Previously:
HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web


  • (Score: 0, Offtopic) by fustakrakich on Thursday March 05 2020, @07:45PM (4 children)


    You're making an unsupportable and, frankly, inane argument

    Yeah, I guess you're right [informationisbeautiful.net]

    --
    Politics and criminals are the same thing..
  • (Score: 0) by Anonymous Coward on Thursday March 05 2020, @08:05PM


    That sites are insecure isn't a question addressed by TFS or TFA.

    What's more, if you connect a device directly to the Internet, you need to assume that, at some point, it will be hacked.

    However, your link and the information within it has nothing to do with the value of HTTPS or Let's Encrypt.

    As such, you're talking out of your ass (again) and it smells that way too.

    I guess our spammy cohort was right:

    [Sung to the tune of Frosty the Snowman [youtube.com]. With apologies to Jack Rollins and Steve Nelson]

    Fusty the moron is a dickless piece of shit
    With an ass that talked and a mouth stuffed with Trump cock
    And the political ideas of a child

    Fusty the moron is a Internet shill, they say He was made of dog shit but the soylentils know
    How he came to troll one day
    There must have been some Trump jizz in That old cock he sucks
    For when he placed it in his mouth He began to talk out of his ass

    Oh, Fusty the moron
    Was a dickhead through and through
    And the soylentils say he could blather fact-free crap
    Just the same as khallow and ari

    Fusty the moron is a dickless piece of shit
    With an ass that talked and a mouth stuffed with Trump cock
    And the political ideas of a child

    Fusty the moron is a Internet shill, they say He was made of dog shit but the soylentils know
    How he came to troll one day
    There must have been some Trump jizz in That old cock he sucks
    For when he placed it in his mouth He began to talk out of his ass

    Fusty the moron
    Knew less and less each day
    So he said, "let's troll
    And I'll be a dickhead
    Now before I'm completely ignored"

    Fusty the moron
    We wish he was on his way
    But he shitposted more and said
    "I won't go away until I prove I'm brain-damaged"

  • (Score: 3, Interesting) by NotSanguine on Thursday March 05 2020, @08:23PM (2 children)

    Please, do explain how encrypting data across the internet is worse than *not* encrypting data across the internet. This ought to be mildly amusing.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2, Informative) by fustakrakich on Thursday March 05 2020, @08:42PM (1 child)


      The real simple fatal flaw is trust...

      --
      Politics and criminals are the same thing..
      • (Score: 3, Informative) by insanumingenium on Thursday March 05 2020, @09:59PM


        The day you, or anyone else, writes up a distributed trust model for the web that doesn't have obvious issues, and which my grandmother could realistically use, I will be on that bandwagon. Seriously, I would beat the hell out of that drum.

        Until then I will use the best tools I have available, which is HTTPS/TLS. Suggesting it is useless or simply scrapping it entirely is BONKERS. I get it, centralized trust isn't a perfect model, but it isn't one chosen out of simple ignorance or malice. Yes, the implementation has room to improve, as it has been improving, and will continue to improve. Your thoughts on fixing what is broken would be appreciated, come back when you have some of those.