Experts Reaction On Millions Of Websites Face 'Insecure' Warnings

Some well-known websites could stop functioning properly on Wednesday, 4 March, after a bug was found in the digital certificates used to secure them, the BBC reported last night.The organisation that issues the certificates revealed that three million need to be immediately revoked.

Visitors to affected sites will be greeted with an alert warning them the site is insecure. One expert said the issue could result in a “loss of trust”. In a notification email to its clients, the organisation said: “We recently discovered a bug in the Let’s Encrypt certificate authority code.

“Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologise for the issue.”

🔑Let's Encrypt will revoke 3 million TLS/SSL certificates in a few hours because of a bug (4 march 00:00 CET) .

⚠️ You should check if you are affected now using https://t.co/nGoWc2bqao otherwise your website won't be accessible ⚠️

Source: https://t.co/TMBfSXU2C8 #letsencrypt

— Tristan Bessoussa (@sf_tristanb) March 3, 2020

Experts Comments

March 04, 2020

Jake Moore

Cybersecurity Specialist

ESET

Digital certificates help protect the transfer of information between the website and user. This secure connection helps deliver trust, which is at the heart of the World Wide Web. Affected businesses will need to quickly apply for a new certificate which could result in a temporary notice on website saying that they are “not secure”. This will undoubtedly cause many users to worry that their connection is vulnerable. You can still use the sites that show this warning, but it is.....Read More

March 04, 2020

Israel Barak

Chief Information Security Officer

Cybereason

There is only an immediate established risk for Let's Encrypt's customers having their identity or the identity of their systems compromised if an attacker is producing bogus certificates or masquerading as a certificate provider. My primary concern is why isn't my anchor of trust, the CA provider, in this case, Let's Encrypt, being transparent about what has happened? If they are being transparent, and we haven't seen their recommendations, I strongly urge all the customers to follow their protocol. Why aren't we seeing transparent information about the nature of the incident? Given the urgency, it can be either a security breach or a security vulnerability. At this stage, I would want to see more specifics so the companies can properly manage risk. Overall, no vendor in the industry is beyond having security vulnerability or incidents, but we are all measured on how we communicate and help our customers and partners manage risk. Read Less

March 04, 2020

Tim Mackey

Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)

Synopsys

Certificate revocation, while rare, does occur and web site owners should be prepared for this situation. Assuming that any certificate will remain valid until its complete expiration date is unrealistic. While it is inconvenient to perform an emergency update, processes should be in place within an organisation to handle such scenarios.

March 04, 2020

Chad Anderson

Research Engineer

DomainTools

Let’s Encrypt is a free certificate service that came along to offer encryption for domains that administrators could prove ownership of via certain types of records. They then issue a certificate for a short period of time that has to be renewed often and with proof of ownership. While this is a startling bug due to the short-lived time frame of Let’s Encrypt certificates, all good system administrators will have set up auto-renewal processes using the procedures and tools Let’s Encrypt provides and encourages. If they haven’t, they’re using the service entirely the wrong way. Certificates through Let’s Encrypt are not meant for manual renewal. If they’ve followed the suggested setup, renewal should be as easy as running a single command and should already be in a programmatic job on their servers that would resolve the revoked certificate issues automatically. Read Less

March 05, 2020

Kevin Bocek

VP Security Strategy & Threat Intelligence

Venafi

Digital certificates, such as those issued by Let’s Encrypt, provide machines – be that websites, servers, applications, IoT devices, everything – with a unique identity to enable encrypted and secure communication with other machines. Most recognisably, perhaps, is that they enable the little padlock in the URL bar which tells us that a site has been secured; or in this case, a lack of a certificate can trigger a warning to users that a site is not secured. These machine identities power digital transformation and the modern economy providing trust, authentication, and privacy between the ever-increasing machine, cloud, and software worlds. One measure of this transformation: there are over 110 million active machine identities issued by the free service, Let’s Encrypt, a public Certificate Authority (CA). In the wrong hands – or if mishandled – machine identities can enable attacks or stop business from working. Unfortunately, because of a bug, Let’s Encrypt is revoking – making invalid – over 3 million machine identities overnight. Millions of machines may drop off the Internet and be untrusted causing damaging and costly outages. Angry customers, angry executives. When an event such as this happens, organisations need to be able to quickly swap out their old machine identities for new, secure ones. But most organisations do not understand or have visibility of their machine identities. They don’t know how many identities they have – a figure that could be in the 10s of thousands – they do not know who issued them, or what they are being used for. Added to this, the only way they can update them is to go through and manually find and replace every single one. Ultimately, as digital transformation becomes increasingly complex, we are likely to see issues such as these more frequently. This is just one more reason why security teams need to provide their business with visibility and automation through Machine Identity Protection to find and replace all compromised machine identities in seconds – regardless of CA used. In today’s volatile environment, businesses must use Machine Identity Protection or risk being untrusted and essentially kicked off the Internet on any given day. Read Less

March 05, 2020

Ted Shorter

CTO

Keyfactor

Everyone makes mistakes. It’s commendable for Let's Encrypt to be proactive and revoke so many certs, but it certainly could cause significant outages if these revoked certs are not replaced quickly. Many treat the automated enrollment and renewals as a ‘set and forget’ technology, but this shows that even shorter cert lifespans and automatic enrollment are not substitutes for full-featured cert management systems that can address issues at any point in a certificate's lifecycle.

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *

Your Registered Email *

Notification Email (If different from your registered email)

* By using this form you agree with the storage and handling of your data by this web site.

SUBMIT

Experts Reaction On Millions Of Websites Face ‘Insecure’ Warnings

Experts Comments

Submit Your Expert Comments

Working With Us

The Pages

Our Contributing Experts

Copyright © 2021 ISBuzz Pty Ltd is a company registered in Australia with company number 605 203 772 whose registered office is in Harrison, ACT 2914.

Experts Reaction On Millions Of Websites Face ‘Insecure’ Warnings

Experts Comments

Submit Your Expert Comments

You may also like

Working With Us

The Pages

Our Contributing Experts