Web application security specialists have reported a security flaw in the CAA (Certification Authority Authorization) checking code of the Let’s Encrypt Certificate Authority (CA). The vulnerability creates a time window in which a certificate can be issued even though the domain’s DNS CAA record should prohibit it. The flaw forced Let’s Encrypt to revoke every certificate that may have been issued illegitimately.
In a statement, the CA mentioned:

“Unfortunately we must revoke all affected certificates, which could include one or more of each user’s certificates. To avoid disruption, you must renew and replace the affected certificates before the end of March 4; we offer our sincere apologies for the incident.”
According to web application security experts, sites where the affected certificates are not renewed and replaced in time will display warning messages to visitors until the certificates are renewed.
Let’s Encrypt uses the Boulder CA software. A web server that uses Let’s Encrypt and serves multiple separate domain names receives a single LE certificate that covers all of the domain names on the server, rather than one certificate per domain. The reported bug is that, instead of verifying each domain name separately for valid CAA records, Boulder verifies one of the domains once for each domain on the server.
As a result, a 30-day period is created in which Let’s Encrypt can issue certificates to a particular web server regardless of the presence of CAA records that, under normal conditions, would prohibit their issuance, as web application security specialists noted.
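To make the flaw concrete, here is an added Python example (not Boulder’s code and not part of the original article) that models CAA checking for a certificate request covering several names. The CAA table, the CA identifier and the `check_caa_buggy` loop are constructed assumptions for this example: the buggy variant consults the same name once per requested name, while the correct variant consults every name, and the two disagree exactly when one of the other names forbids the CA.

```python
"""Model of CAA checking for a multi-name certificate request (constructed example)."""

# Constructed CAA data for the example: name -> set of CA identifiers allowed by
# "issue" tags. A name missing from the table has no CAA record at that label.
CAA_RECORDS = {
    "shop.example.org": {"letsencrypt.org"},
    "blog.example.org": {"other-ca.example"},  # a different CA, so LE is prohibited
    "example.org": {"letsencrypt.org"},
}

CA_ID = "letsencrypt.org"  # the identifier the CA looks for in "issue" tags


def caa_lookup(name):
    """Return the relevant CAA set for `name`, climbing the tree as RFC 8659
    describes: the record set on the closest label (the name itself or an
    ancestor) applies."""
    labels = name.split(".")
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in CAA_RECORDS:
            return CAA_RECORDS[ancestor]
    return None  # no CAA record anywhere in the tree: issuance is unrestricted


def caa_permits(name, ca_id=CA_ID):
    """True if the CAA policy for `name` allows `ca_id` to issue."""
    allowed = caa_lookup(name)
    return allowed is None or ca_id in allowed


def check_caa_correct(names, ca_id=CA_ID):
    """Correct behaviour: consult CAA for every name in the request.
    Returns the names whose CAA policy blocks issuance (empty list = may issue)."""
    return [n for n in names if not caa_permits(n, ca_id)]


def check_caa_buggy(names, ca_id=CA_ID):
    """Simplified model (an assumption for this example, not Boulder's code) of the
    reported flaw: the loop runs once per name but re-checks the same name each
    time, so the other names in the request are never consulted."""
    blocked = []
    for _ in names:
        same_name = names[0]  # wrong: should be the current loop item
        if not caa_permits(same_name, ca_id):
            blocked.append(same_name)
    return blocked


def issuance_allowed(names, checker=check_caa_correct):
    """A CA may issue the multi-name certificate only if no name blocks it."""
    return len(checker(names)) == 0


if __name__ == "__main__":
    request = ["shop.example.org", "blog.example.org"]
    print("correct check blocks:", check_caa_correct(request))  # ['blog.example.org']
    print("buggy check blocks:  ", check_caa_buggy(request))    # []
    print("would issue (correct):", issuance_allowed(request))  # False
    print("would issue (buggy):  ", issuance_allowed(request, check_caa_buggy))  # True
```

A site administrator can run `check_caa_correct` over the subject alternative names of an issued certificate, with the table replaced by real CAA lookups, to see which names would have blocked issuance had every name been checked; any non-empty result is a certificate worth renewing rather than waiting for revocation.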
It is a fact that multiple certificates were issued when they should not have been, so Let’s Encrypt opted to revoke the certificates that were not properly verified; in this situation, users should force a manual renewal of their certificates to eliminate the security risk. The steps for manually renewing certificates can be found on the official Let’s
According to the International Institute of Cyber Security (IICS), site administrators should hurry to perform this manual procedure; otherwise, the affected websites could see their average visitor numbers drop significantly because of the certification authority’s security warnings.