posted by martyb on Thursday March 05 2020, @05:54PM

Arthur T Knackerbracket has found the following story:

Let’s Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.

The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software, discovered and patched this past Sunday, impacted the way its software checked domain ownership before issuing certificates. However, users grumbled that this was not enough time to correct the problem.

Users and major integrators of Let’s Encrypt managed to replace more than 1.7 million of the affected certificates by the original deadline; however, more than 1 million were left that would have been revoked, causing the company to rethink its plan, a Let’s Encrypt spokeswoman told Threatpost late Wednesday.

“Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline,” Josh Aas, executive director for Let’s Encrypt, said in a blog post updating users of the situation Wednesday.

The company’s plan now is to revoke 1,706,505 certificates that the company is confident were already replaced as well as “445 certificates that we treated as highest priority for revocation because, at the time we found the bug, they had CAA records that forbid issuance by Let’s Encrypt,” Aas wrote in the post.

“We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users,” he wrote.

Disclaimer: SoylentNews uses Let's Encrypt certificates.

Previously:
HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web


  • (Score: 2) by NotSanguine on Friday March 06 2020, @06:27AM

    I'll ignore your obnoxious and insulting tone for the moment, as I smack your ridiculous "argument" down.

    GP stated that "security is binary."

    His point was that either something is secure, or it isn't and there are no gradations in security. To wit, if something isn't *completely* secure, it is completely *insecure* and therefore useless.

    That, much like your "argument," is ridiculous on its face.

    The example of my door is actually an *excellent* one.

    The deadbolt lock certainly doesn't completely prevent someone from breaking into my apartment. But it most certainly stops someone from walking up to my door, turning the knob and walking right in or jimmying the lock.

    The police have exactly *zero* to do with it. Not that I would count on them anyway. They're generally worse than useless.

    One would need to bring a lock pick, a drill, a battering ram or other tools to either remove the lock or the door to gain entrance. And once they take the time to break into the lobby of my apartment building (also locked), they'd need to take the time to forcibly enter my apartment, likely making lots of noise at all points and alerting the 50+ people in the building to their presence.

    That significantly raises the difficulty factor in entering my home. Is it perfectly secure? No. However, it's an *effective* mechanism for keeping unwanted folks out, and with that deadbolt, someone seeking to obtain *someone's* belongings or do harm to someone would need to expend significant effort to do so. Making that deadbolt (without any help from the po-po) quite useful.

    As such, unless I am being *specifically* targeted, someone going to such lengths is extremely unlikely. And if I am being specifically targeted, there are much easier ways to gain access to my home.

    As such, in the case of my door, security is most certainly *not* binary.

    It's actually really amusing that you call *me* dumb, since not only didn't you understand the point of the example, but you also came up with the moronic bullshit you did. Jungle indeed. Hah!

    I'm actually laughing out loud (at you) as I write this.

    Since you declined to "remain silent and be thought a fool," and rather, "spoke and removed all doubt," to my mild amusement (I am pretty easily amused, so YMMV), thus making my evening more pleasant *at your expense*, I thank you AC.

    Cheers!

    As I proofread my post, I'm moved to laughing *at* you even more, so I decided to include this addendum. Damn you're thick!

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr