Let’s Encrypt Vulnerability
Jim Salter (via Bruce Schneier):
On Leap Day, Let’s Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.
The bug opens up a window of time in which a certificate might be issued even if a CAA record in that domain’s DNS should prohibit it. As a result, Let’s Encrypt is erring on the side of security and safety rather than convenience and revoking any currently issued certificates it can’t be certain are legitimate[…]
See also: Let’s Encrypt.
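The check the quoted passage refers to, as an added example (not Let's Encrypt's code): a CA evaluates a name's CAA record set under RFC 8659 and repeats that check for each name whose earlier result is too old to reuse at issuance time. The `lookup` callable, the `ca.example` identifiers, the 8-hour `max_age` and the sample zone are assumptions constructed for the illustration; climbing the DNS tree to find the relevant record set is left to `lookup`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags defined by RFC 8659

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def issuer_domain(value):
    # Value is "issuer-domain-name [; parameters]"; a bare ";" names no issuer.
    return value.split(";", 1)[0].strip().lower()

def caa_permits(records, ca_domain, wildcard=False):
    """Return True if the relevant CAA record set lets ca_domain issue."""
    tags = [(r, r.tag.lower()) for r in records]
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(r.flags & 0x80 and t not in KNOWN_TAGS for r, t in tags):
        return False
    issue = [r for r, t in tags if t == "issue"]
    issuewild = [r for r, t in tags if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue/issuewild property: no restriction
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)

def may_issue(names, last_checked, lookup, ca_domain, now, max_age):
    """Re-check CAA for every name whose last check is older than max_age."""
    for name in names:
        checked = last_checked.get(name)
        if checked is not None and now - checked <= max_age:
            continue  # earlier result is still fresh enough to reuse
        wildcard = name.startswith("*.")
        base = name[2:] if wildcard else name
        if not caa_permits(lookup(base), ca_domain, wildcard):
            return False
    return True

# Constructed sample: the zone gained a restrictive CAA record after validation.
ZONE = {"shop.example.com": [CAARecord(0, "issue", "other-ca.example")]}
T0 = datetime(2020, 1, 1, 12, 0)
CHECKED = {"example.com": T0, "shop.example.com": T0}

def demo(hours_later):
    return may_issue(["example.com", "shop.example.com"], CHECKED,
                     lambda n: ZONE.get(n, []), "ca.example",
                     T0 + timedelta(hours=hours_later), timedelta(hours=8))
```

`demo(1)` reuses the fresh checks and allows issuance; `demo(20)` repeats the check for both names and refuses because `shop.example.com` now authorizes a different CA.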