Some well-known websites could stop functioning properly on Wednesday, 4 March, after a bug was found in the digital certificates used to secure them, the BBC reported last night.The organisation that issues the certificates revealed that three million need to be immediately revoked.
Visitors to affected sites will be greeted with an alert warning them the site is insecure. One expert said the issue could result in a “loss of trust”. In a notification email to its clients, the organisation said: “We recently discovered a bug in the Let’s Encrypt certificate authority code.
“Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologise for the issue.”
https://twitter.com/sf_tristanb/status/1234898588548947974
Digital certificates, such as those issued by Let’s Encrypt, provide machines – be that websites, servers, applications, IoT devices, everything – with a unique identity to enable encrypted and secure communication with other machines. Most recognisably, perhaps, is that they enable the little padlock in the URL bar which tells us that a site has been secured; or in this case, a lack of a certificate can trigger a warning to users that a site is not secured. These machine identities power digital transformation and the modern economy providing trust, authentication, and privacy between the ever-increasing machine, cloud, and software worlds. One measure of this transformation: there are over 110 million active machine identities issued by the free service, Let’s Encrypt, a public Certificate Authority (CA). In the wrong hands – or if mishandled – machine identities can enable attacks or stop business from working.
Unfortunately, because of a bug, Let’s Encrypt is revoking – making invalid – over 3 million machine identities overnight. Millions of machines may drop off the Internet and be untrusted causing damaging and costly outages. Angry customers, angry executives. When an event such as this happens, organisations need to be able to quickly swap out their old machine identities for new, secure ones. But most organisations do not understand or have visibility of their machine identities. They don’t know how many identities they have – a figure that could be in the 10s of thousands – they do not know who issued them, or what they are being used for. Added to this, the only way they can update them is to go through and manually find and replace every single one.
Ultimately, as digital transformation becomes increasingly complex, we are likely to see issues such as these more frequently. This is just one more reason why security teams need to provide their business with visibility and automation through Machine Identity Protection to find and replace all compromised machine identities in seconds – regardless of CA used. In today’s volatile environment, businesses must use Machine Identity Protection or risk being untrusted and essentially kicked off the Internet on any given day.
Everyone makes mistakes. It’s commendable for Let\’s Encrypt to be proactive and revoke so many certs, but it certainly could cause significant outages if these revoked certs are not replaced quickly. Many treat the automated enrollment and renewals as a ‘set and forget’ technology, but this shows that even shorter cert lifespans and automatic enrollment are not substitutes for full-featured cert management systems that can address issues at any point in a certificate\’s lifecycle.
Digital certificates help protect the transfer of information between the website and user. This secure connection helps deliver trust, which is at the heart of the World Wide Web.
Affected businesses will need to quickly apply for a new certificate which could result in a temporary notice on website saying that they are “not secure”. This will undoubtedly cause many users to worry that their connection is vulnerable.
You can still use the sites that show this warning, but it is advisable not to enter any sensitive or personal data into the website anywhere.
There is only an immediate established risk for Let\’s Encrypt\’s customers having their identity or the identity of their systems compromised if an attacker is producing bogus certificates or masquerading as a certificate provider. My primary concern is why isn\’t my anchor of trust, the CA provider, in this case, Let\’s Encrypt, being transparent about what has happened? If they are being transparent, and we haven\’t seen their recommendations, I strongly urge all the customers to follow their protocol. Why aren\’t we seeing transparent information about the nature of the incident? Given the urgency, it can be either a security breach or a security vulnerability. At this stage, I would want to see more specifics so the companies can properly manage risk. Overall, no vendor in the industry is beyond having security vulnerability or incidents, but we are all measured on how we communicate and help our customers and partners manage risk.
Certificate revocation, while rare, does occur and web site owners should be prepared for this situation. Assuming that any certificate will remain valid until its complete expiration date is unrealistic. While it is inconvenient to perform an emergency update, processes should be in place within an organisation to handle such scenarios.