Based on the post as of 5hrs ago Revoking certain certificates on March 4
I would like to question whether you have truly considered the impact revoking 3 million certificates in less than 24 hours will have on your userbase, many of whom have other concerns and part-time contractors managing their certificates, or have little hands-on knowledge of your (arguably unintuitive) CLI / API and tools.
While I fully appreciate the seriousness and somewhat ‘pointlessness’ of using certificates in production that have a fundamental flaw in security, the sad precedent is that as an industry certificates/TLS often had and still have vulnerabilities (at the very least in their implementation, use or validation) that go unpatched for years with limited action (TLS version 1.0, the uncountable list of ‘bad’ certificate companies, the previous long expiry of even well-formed, well-issued TLS certificates).
I honestly question, therefore, if this is a proportionate response to what appears to be an unexploited issue with certificate issuance; namely, to revoke trust on a contract that Let’s Encrypt has promised: that the certificate issued will be valid for 90 days.
Given the original post some things I understood to be true:
- The fix has been applied to the API and is no longer exploitable
- This only existed for a limited time in production (from July 2019)
- There was no mention of malicious actors using this vulnerability/loophole to retrieve certificates for domains no longer under their control in the notes.
- This vulnerability would only allow certificates to be issued for domains the attacker did previously have full access to in the last 30 days
- The vulnerability would have required the attacker to still have access to at least one domain (at random?) on the original cert request
- In 90% of the time from discovery (counting from Feb 29th, when the original incident post was published, to March 3rd) only ~5,000 people have read the posting regarding this issue, which affects 3,000,000 certificates.
- I personally only received this email less than 24 hours before revocation (as, it seems, did many others)
- Let’s Encrypt states they only have contact information for ‘some’ of the certificates issued. Exactly what this means is unclear, but it seems safe to assume given all the above that a majority of users are still unaware of this issue.
- There is no posting about this issue on the main Let’s Encrypt website/blog homepage or social media, and next to no media coverage of the issue in general.
Given all this, at least on a process level, there appears to be some disconnect between how Let’s Encrypt expects its users to react and the reality of having 3 million users trying to manually re-request certificates in 24 hours.
Let’s Encrypt has done wonders for the certificate industry in the last 3 years, and companies everywhere are now using much shorter certificate validity almost entirely due to the great work of Let’s Encrypt. While I’m sure you’re trying to be the best example of what we can expect from a good trust partner, I am worried that this change will do more damage, especially in big companies that miss your revocation notification emails and small independent companies that don’t have full-time DevOps engineers, to the move away from these far less secure days, if we can’t even trust a certificate for the 90 days you sign it for.