Experts Reaction On Millions Of Websites Face ‘Insecure’ Warnings

Some well-known websites could stop functioning properly on Wednesday, 4 March, after a bug was found in the digital certificates used to secure them, the BBC reported last night. The organisation that issues the certificates revealed that three million need to be immediately revoked.

Visitors to affected sites will be greeted with an alert warning them the site is insecure. One expert said the issue could result in a “loss of trust”. In a notification email to its clients, the organisation said: “We recently discovered a bug in the Let’s Encrypt certificate authority code.

“Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologise for the issue.”

https://twitter.com/sf_tristanb/status/1234898588548947974

Experts Comments

March 04, 2020
Jake Moore
Cybersecurity Specialist
ESET
Digital certificates help protect the transfer of information between the website and user. This secure connection helps deliver trust, which is at the heart of the World Wide Web. Affected businesses will need to quickly apply for a new certificate, which could result in a temporary notice on the website saying that they are “not secure”. This will undoubtedly cause many users to worry that their connection is vulnerable. You can still use the sites that show this warning, but it is advisable not to enter any sensitive or personal data into the website anywhere.
March 04, 2020
Israel Barak
Chief Information Security Officer
Cybereason
There is only an immediate established risk for Let's Encrypt's customers having their identity or the identity of their systems compromised if an attacker is producing bogus certificates or masquerading as a certificate provider. My primary concern is why isn't my anchor of trust, the CA provider, in this case Let's Encrypt, being transparent about what has happened? If they are being transparent, and we haven't seen their recommendations, I strongly urge all the customers to follow their protocol. Why aren't we seeing transparent information about the nature of the incident? Given the urgency, it can be either a security breach or a security vulnerability. At this stage, I would want to see more specifics so the companies can properly manage risk. Overall, no vendor in the industry is beyond having security vulnerabilities or incidents, but we are all measured on how we communicate and help our customers and partners manage risk.
March 04, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Certificate revocation, while rare, does occur and web site owners should be prepared for this situation. Assuming that any certificate will remain valid until its complete expiration date is unrealistic. While it is inconvenient to perform an emergency update, processes should be in place within an organisation to handle such scenarios.
March 04, 2020
Chad Anderson
Research Engineer
DomainTools
Let’s Encrypt is a free certificate service that came along to offer encryption for domains that administrators could prove ownership of via certain types of records. They then issue a certificate for a short period of time that has to be renewed often and with proof of ownership. While this is a startling bug due to the short-lived time frame of Let’s Encrypt certificates, all good system administrators will have set up auto-renewal processes using the procedures and tools Let’s Encrypt provides and encourages. If they haven’t, they’re using the service entirely the wrong way. Certificates through Let’s Encrypt are not meant for manual renewal. If they’ve followed the suggested setup, renewal should be as easy as running a single command and should already be in a programmatic job on their servers that would resolve the revoked certificate issues automatically.
March 05, 2020
Kevin Bocek
VP Security Strategy & Threat Intelligence
Venafi
Digital certificates, such as those issued by Let’s Encrypt, provide machines – be that websites, servers, applications, IoT devices, everything – with a unique identity to enable encrypted and secure communication with other machines. Most recognisable, perhaps, is that they enable the little padlock in the URL bar which tells us that a site has been secured; or in this case, a lack of a certificate can trigger a warning to users that a site is not secured. These machine identities power digital transformation and the modern economy, providing trust, authentication, and privacy between the ever-increasing machine, cloud, and software worlds. One measure of this transformation: there are over 110 million active machine identities issued by the free service, Let’s Encrypt, a public Certificate Authority (CA). In the wrong hands – or if mishandled – machine identities can enable attacks or stop business from working. Unfortunately, because of a bug, Let’s Encrypt is revoking – making invalid – over 3 million machine identities overnight. Millions of machines may drop off the Internet and be untrusted, causing damaging and costly outages. Angry customers, angry executives. When an event such as this happens, organisations need to be able to quickly swap out their old machine identities for new, secure ones. But most organisations do not understand or have visibility of their machine identities. They don’t know how many identities they have – a figure that could be in the tens of thousands – they do not know who issued them, or what they are being used for. Added to this, the only way they can update them is to go through and manually find and replace every single one. Ultimately, as digital transformation becomes increasingly complex, we are likely to see issues such as these more frequently.
This is just one more reason why security teams need to provide their business with visibility and automation through Machine Identity Protection to find and replace all compromised machine identities in seconds – regardless of CA used. In today’s volatile environment, businesses must use Machine Identity Protection or risk being untrusted and essentially kicked off the Internet on any given day.
March 05, 2020
Ted Shorter
CTO
Keyfactor
Everyone makes mistakes. It’s commendable for Let's Encrypt to be proactive and revoke so many certs, but it certainly could cause significant outages if these revoked certs are not replaced quickly. Many treat the automated enrollment and renewals as a ‘set and forget’ technology, but this shows that even shorter cert lifespans and automatic enrollment are not substitutes for full-featured cert management systems that can address issues at any point in a certificate's lifecycle.
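Anderson's, Bocek's and Shorter's comments above all reduce to one operational question: which of your deployed certificates are on the CA's revocation list, and will the existing renewal job replace them before the deadline? The triage script below is an added example, not code from the article or from any vendor quoted in it; its inventory, revoked serials and dates are constructed, and it assumes a renewal job that acts 30 days before expiry (the usual ACME client default), so a revoked certificate with months of validity left is not picked up unless renewal is forced.

```python
"""Triage a TLS certificate inventory against a CA revocation notice.
Added example (not the article's or any vendor's code); all data is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed inventory rows: host,issuer,serial(hex),notAfter(UTC),auto_renew
INVENTORY = """\
www.example.com,Let's Encrypt Authority X3,03a1b2c3d4e5f6,2020-05-01T00:00:00Z,yes
api.example.com,Let's Encrypt Authority X3,04ffeeddccbbaa,2020-03-20T00:00:00Z,yes
shop.example.com,Let's Encrypt Authority X3,05deadbeef0001,2020-04-15T00:00:00Z,no
legacy.example.com,Example Corp Internal CA,0a0b0c,2021-03-04T00:00:00Z,no
"""
# Constructed: serials the CA announced it will revoke (hex, any case/colons)
REVOKED_SERIALS = {"03:A1:B2:C3:D4:E5:F6", "04ffeeddccbbaa", "05DEADBEEF0001"}
RENEW_WINDOW = timedelta(days=30)  # assumed: renewal job acts 30 days before expiry
NOW = datetime(2020, 3, 3, tzinfo=timezone.utc)       # constructed "today"
DEADLINE = datetime(2020, 3, 4, tzinfo=timezone.utc)  # CA's replace-by date

def norm(serial):
    # Canonical serial: strip colons, upper-case, drop leading zeros
    return serial.replace(":", "").upper().lstrip("0") or "0"

def parse_inventory(text):
    rows = []
    for line in text.strip().splitlines():
        host, issuer, serial, not_after, auto = line.split(",")
        expiry = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ")
        rows.append({"host": host, "issuer": issuer, "serial": norm(serial),
                     "not_after": expiry.replace(tzinfo=timezone.utc),
                     "auto_renew": auto == "yes"})
    return rows

def triage(rows, revoked, now, deadline):
    """Map host -> action. A revoked cert must be replaced before `deadline`; the
    scheduled job only helps if its window opens by then (it keys on expiry)."""
    actions = {}
    for r in rows:
        window_opens = r["not_after"] - RENEW_WINDOW
        if r["serial"] in revoked:
            if r["auto_renew"] and window_opens <= deadline:
                actions[r["host"]] = "revoked: scheduled renewal replaces it in time"
            else:
                actions[r["host"]] = "revoked: force renewal now and redeploy"
        elif window_opens <= now and not r["auto_renew"]:
            actions[r["host"]] = "expiring soon with no automation: renew manually"
        else:
            actions[r["host"]] = "ok"
    return actions

def run_example():
    return triage(parse_inventory(INVENTORY), {norm(s) for s in REVOKED_SERIALS},
                  NOW, DEADLINE)
```

Feeding real data in means exporting the same five fields per host from a scan or the CA account; the serial normalisation matters because CAs, browsers and OpenSSL print serials in different cases and with or without colons and leading zeros.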