Let’s Encrypt has had to disable a vulnerability that allowed hackers to get certificates – the digital identities that every website relies on for authenticity – for domains they don’t own.
Certificates can be a powerful weapon in the wrong hands – and while Let’s Encrypt has provided a short-term fix, it’s only expected to be a stopgap measure until proper mitigations are in place. More detail is available here and Hari Nair, Director of Cryptographic Research at Venafi commented below.
Hari Nair, Director of Cryptographic Research at Venafi:
“Let’s be clear — this is really about weak security practices by some hosting providers. Let’s Encrypt has mitigated the damage to a certain extent, but ultimately, how effective those steps will be depends on how well hosting providers implement certificate security on their end.
It’s possible that there could be a spate of revocations in response to this event. The reality is that detection of mis-issued certificates is extremely hard and checking for revocation status is not something that the industry has traditionally done well, so it’s not clear how much impact revocations will have.
Google’s move to require Certificate Transparency for all certificates, including DV certs, will help surface these kind of issues sooner, but that move is currently slated for April 2018. In the meantime, the only thing organisations can do to protect themselves is to stay vigilant in their efforts to monitor for mis-issued or maliciously issued certificates. The problem is that the vast majority of organization don’t have the technology they need to do this.”