Tuesday, March 10, 2020 [Tweets] [Favorites]

Let’s Encrypt Vulnerability

Jim Salter (via Bruce Schneier):

On Leap Day, Let’s Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.

The bug opens up a window of time in which a certificate might be issued even if a CAA record in that domain’s DNS should prohibit it. As a result, Let’s Encrypt is erring on the side of security and safety rather than convenience and revoking any currently issued certificates it can’t be certain are legitimate[…]

See also: Let’s Encrypt.

Previously:

Comments

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment