Let’s Encrypt is a free, automated, open certificate authority (CA) run for the public’s benefit as a service from the Internet Security Research Group (ISRG). It provides free digital certificates to enable HTTPS (SSL/TLS) for websites via user-friendly means.

Earlier this week, Let’s Encrypt announced that a bug in its validation code forced it to revoke more than 3 million certificates. The bug allowed subscribers (under specific circumstances and for a limited period) to issue certificates to a domain name even after the domain name holder explicitly prohibited the issuance of certificates through the use of DNS CAA.

This blog explains the implications of the incident. It provides details on the impact it can have on organizations utilizing Let’s Encrypt revoked certificates. It outlines steps for remediation and provides a link to Qualys CertView, a free tool that can be used to identify all affected certificates in users’ environments.

Continue reading …

Visibility and control of digital certificates remains a challenge for even the largest enterprises, as evidenced by a high profile incident this week affecting Microsoft’s LinkedIn. Users accessing LinkedIn on Tuesday got a warning from their browsers alerting them about an insecure connection. The culprit: An expired TLS certificate.

In a statement to the press, LinkedIn said it experienced a “brief delay” in updating a digital certificate, and stated that member data wasn’t affected. Yet, the incident spotlights a nagging issue that frequently trips even the most technically savvy companies in the world: Digital certificate management.

Qualys SSL Labs’ SSL Pulse, which monitors the quality of SSL/TLS support across 150,000 of the most popular websites in the world, rated about 33% of the sites monitored as having inadequate security in its May report. A few thousand of these sites had expired certificates.

Continue reading …