Tuesday, March 10, 2020

Let’s Encrypt Vulnerability

Jim Salter (via Bruce Schneier):

On Leap Day, Let’s Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.

The bug opens up a window of time in which a certificate might be issued even if a CAA record in that domain’s DNS should prohibit it. As a result, Let’s Encrypt is erring on the side of security and safety rather than convenience and revoking any currently issued certificates it can’t be certain are legitimate[…]

See also: Let’s Encrypt.


Comments RSS · Twitter

Leave a Comment