Let’s Encrypt Root Certificate Expiration – Expert Source

By ISBuzz Team, Writer, Information Security Buzz | Oct 04, 2021 03:21 am PST


Numerous websites and services have already reported issues across computers, web browsers and other devices due to the recent expiration of Let’s Encrypt’s root certificate. Older devices are especially vulnerable, since many can no longer verify or “trust” certain certificates issued by this certificate authority.

Chris Hickman, Chief Security Officer
October 4, 2021 11:22 am

A root CA (certificate authority) does not specifically create a security problem, but rather a disruption to availability to any certificate that chains to that particular root. This in turn can lead to a number of situations in which users may be forced to click through exception messages, leading to bad user habits or, in extreme cases, causing an application to respond as no longer expected, which we’re seeing now with the numerous websites and services that didn’t heed Let’s Encrypt’s notifications about the upcoming expiration.

When transitioning from an expired root certificate to a new one, in most cases the greatest issue is a lack of automation to distribute the new root CA certificate to those devices that need to trust it. In many organizations, the root CA certificate stores (otherwise known as roots of trust) are not managed universally. This can lead to situations like only updating parts of the network (say Windows via GPO) but not the entirety of all devices that need to trust the new root. In the case of IoT devices the problem is compounded, as most IoT devices still rely on firmware and software updates to manage roots of trust. Therefore, these devices are wholly dependent on users taking action. In both cases, a failure to update the roots of trust properly can lead to outages or disruptions in normal use.

Management of the roots of trust for all devices is a part of having a well-defined crypto agility strategy. Any reasonable crypto agility strategy will consider how to manage and handle regular lifecycle events, including the revocation or expiration of a root CA. The crypto agility strategy will allow executives to quickly identify the scope of the impact on their organization and make an informed decision as to the priorities for their organization as it relates to risk and immediacy of remediation.

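The rollover described in the comment above, as an added example in Go that is not part of the article or the commenter's own material: a constructed test PKI with an expired old root and its replacement, checked against a device trust store that was, or was not, updated with the new root. The `mkCert`, `CheckChain` and `Scenario` names and the `www.example.test` hostname are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent/parentKey, or self-signed when parent is nil.
// Constructed test PKI; CertSign is set on every cert for brevity and only matters on the CAs.
func mkCert(cn string, ca bool, from, to time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // a failure above surfaces as a nil cert here
	return cert, key
}
// CheckChain reports whether leaf chains to a root in the device's trust store at time now and,
// if so, how many days that root has left: the figure a fleet inventory should be tracking.
func CheckChain(leaf *x509.Certificate, store *x509.CertPool, now time.Time) (bool, float64, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: store, CurrentTime: now})
	if err != nil {
		return false, 0, err
	}
	root := chains[0][len(chains[0])-1]
	return true, root.NotAfter.Sub(now).Hours() / 24, nil
}
// Scenario models a root rollover: an expired old root, its replacement, and devices whose trust
// store was or was not updated. Both leaves are valid today; only the root they chain to differs.
func Scenario() (staleOK, missingOK, updatedOK bool, daysLeft float64, staleErr error) {
	now := time.Now()
	oldRoot, oldKey := mkCert("Old Root CA", true, now.AddDate(-5, 0, 0), now.AddDate(0, 0, -1), nil, nil)
	newRoot, newKey := mkCert("New Root CA", true, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	oldLeaf, _ := mkCert("www.example.test", false, now.AddDate(0, -1, 0), now.AddDate(0, 2, 0), oldRoot, oldKey)
	newLeaf, _ := mkCert("www.example.test", false, now.AddDate(0, -1, 0), now.AddDate(0, 2, 0), newRoot, newKey)
	stale, updated := x509.NewCertPool(), x509.NewCertPool()
	stale.AddCert(oldRoot)                             // device that never received the new root
	updated.AddCert(oldRoot); updated.AddCert(newRoot) // device whose root store was updated
	staleOK, _, staleErr = CheckChain(oldLeaf, stale, now)     // valid leaf, expired root: fails
	missingOK, _, _ = CheckChain(newLeaf, stale, now)          // new root not yet distributed: fails
	updatedOK, daysLeft, _ = CheckChain(newLeaf, updated, now) // new root distributed: verifies
	return
}
```

The first two checks fail for different reasons (an expired root versus a root the device has never seen), which is why an inventory of which root each device's chains terminate at, and how long that root has left, is the scoping data the comment's crypto agility strategy needs.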
