Critical Vulnerability Uncovered in JSON Encryption


Does this impact Let’s Encrypt? If so, what are the consequences?


go-jose fixed this back in November and boulder was updated to a version including the fix.

Not sure if this was exploitable in boulder at the time.


It does not impact Let’s Encrypt. @kaepora’s tweet is inaccurate; ACME does not rely on JWE at all. Let’s Encrypt’s ACME server implementation, Boulder, uses Square’s go-jose library but again, not JWE, just JWS.

We are not aware of any impact on Let’s Encrypt from this vulnerability.


The tweet is indeed inaccurate, but AIUI the multi-signature exploit affects JWS as well, though I’m not sure if boulder was using it in a way that made it vulnerable.

Even assuming boulder was vulnerable, a successful attack would still require a MitM position between the client and the CA (… which is often enough to pass DV challenges anyway, depending on the challenge type) as well as a publicly-trusted TLS certificate for the CA server (… which means the attacker already compromised a CA anyway), so there would most likely be no practical way to exploit this.


@pfg As far as I understand the weakness, a MitM is not necessary; it only requires the ability of the attacker to generate requests. And the effect is the compromise of the private key. Am I missing something? (That said, I don’t say Let’s Encrypt was vulnerable!)

@cpu thanks for the quick answer!


I think the vulnerability you’re describing affects JWE (which boulder doesn’t use), but not JWS. The one that affects JWS is the multi-signature exploit, but that one “merely” allows a signature check bypass.
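
The multi-signature point above is easier to see in code. The following is an added example, not code from this thread or from go-jose: it uses only Go's standard library with HS256 and models one assumed way a multi-signature JWS check can go wrong (the verifier accepts the message as soon as any signature object verifies, but the caller then reads the protected header of the first signature object rather than the verified one), beside the strict variant that only hands back the header bound to the signature that actually verified. Keys, headers and the payload are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
)

// JWS General JSON Serialization (RFC 7515 section 7.2.1), reduced to one payload and N signature objects.
type Signature struct{ Protected, Signature string }
type JWS struct {
	Payload    string
	Signatures []Signature
}

var b64 = base64.RawURLEncoding

// hs256 computes the HS256 MAC over the JWS Signing Input "protected.payload".
func hs256(key []byte, protected, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(protected + "." + payload))
	return m.Sum(nil)
}

// AddSignature appends a signature object with its own protected header (constructed helper).
func AddSignature(j *JWS, key []byte, protectedJSON string) {
	p := b64.EncodeToString([]byte(protectedJSON))
	j.Signatures = append(j.Signatures, Signature{p, b64.EncodeToString(hs256(key, p, j.Payload))})
}

// verifiedIndex returns the index of the first signature object whose MAC verifies under key, or -1.
func verifiedIndex(j *JWS, key []byte) int {
	for i, s := range j.Signatures {
		sig, err := b64.DecodeString(s.Signature)
		if err == nil && hmac.Equal(sig, hs256(key, s.Protected, j.Payload)) {
			return i
		}
	}
	return -1
}

// Verify returns the decoded protected header the caller should act on, and whether verification passed.
// strict=false models the assumed weak pattern (header read from object 0, not the verified one);
// strict=true binds the returned header to the signature that actually verified.
func Verify(j *JWS, key []byte, strict bool) (string, bool) {
	i := verifiedIndex(j, key)
	if i < 0 {
		return "", false
	}
	if !strict {
		i = 0 // assumed weakness: header taken from the first object, whichever key signed it
	}
	h, err := b64.DecodeString(j.Signatures[i].Protected)
	return string(h), err == nil
}
```

With two signature objects, the first under an untrusted key and the second under the server's key, the loose check reports success while returning the untrusted header; the strict check returns the header belonging to the verified signature.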


The tweet in question has already been removed. :slight_smile:

Although the tweet was correct about the vulnerability (nobody will deny that), the fact it mentioned ACME/Let’s Encrypt so blatantly warranted the removal (by the original poster I assume :stuck_out_tongue:) IMO :thumbsup: