Revoking certain certificates on March 4 - Expected Timeframe

Based on the post as of 5 hrs ago: Revoking certain certificates on March 4

I would like to question whether you have truly considered the impact that revoking 3 million certificates in less than 24 hours will have on your user base, many of whom have other concerns and part-time contractors managing their certificates, or have little hands-on knowledge of your (arguably unintuitive) CLI/API and tools.

While I fully appreciate the seriousness, and somewhat 'pointlessness', of using certificates in production that have a fundamental security flaw, the sad precedent is that, as an industry, certificates/TLS often had and still have vulnerabilities (at the very least in their implementation, use or validation) that go unpatched for years with limited action (TLS version 1.0, the uncountable list of 'bad' certificate companies, the previous long expiry of even well-formed, well-issued TLS certificates).

I honestly question, therefore, whether this is a proportionate response to what appears to be an unexploited issue with certificate issuance, namely revoking trust on a contract that Let's Encrypt has promised: that the certificate issued will be valid for 90 days.

Given the original post some things I understood to be true:

  • The fix has been applied to the API and is no longer exploitable
  • This only existed in production for a limited time (from July 2019)
  • There was no mention in the notes of malicious actors using this vulnerability/loophole to retrieve certificates for domains no longer under their control.
  • This vulnerability would only allow certificates to be issued for domains the attacker previously had full access to within the last 30 days
  • The vulnerability would have required the attacker to still have access to at least one domain (at random?) on the original cert request
  • In 90% of the time since discovery (counting from Feb 29th, when the original incident post was published, to March 3rd) only ~5,000 people have read the posting regarding this issue, which affects 3,000,000 certificates.
  • I personally only received this email less than 24 hours before revocation (as, it seems, did many others)
  • Let's Encrypt states they only have contact information for 'some' of the certificates issued; exactly what this means is unclear, but it seems safe to assume, given all the above, that a majority of users are still unaware of this issue.
  • There is no posting about this issue on the main Let's Encrypt website/blog homepage or social media, and next to no media coverage of the issue in general.

Given all this, at least on a process level, there appears to be some disconnect between how Let's Encrypt expects its users to react and the reality of having 3 million users trying to manually re-request certificates in 24 hours.

Let's Encrypt has done wonders for the certificate industry in the last 3 years, and companies everywhere are now using much shorter certificate validity almost entirely due to the great work of Let's Encrypt. While I'm sure you're trying to be the best example of what we can expect from a good trust partner, I am worried that this change will do more damage, especially in big companies that miss your revocation notification emails and small independent companies that don't have full-time DevOps engineers, to the move away from those far less secure days, if we can't even trust a certificate for the 90 days you sign it for.

4 Likes

It's not Let's Encrypt's choice, it's an obligation: Revoking certain certificates on March 4 - #24 by jsha

They have 5 days to revoke, and they needed the time to list the affected certificates.

It could have, and most certainly will, happen again to other CAs. What is needed is a mechanism to automate early renewals. Maybe this could help in the future: Check OCSP as part of determining if the certificate is due for renewal · Issue #1028 · certbot/certbot · GitHub

4 Likes
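The suggestion above (check the certificate's OCSP status as part of deciding whether it is due for renewal) can be scripted around the OpenSSL CLI. The following is an added example, not code from the thread, from certbot or from Let's Encrypt. It assumes a certbot-style layout (cert.pem plus chain.pem under a live directory), the OpenSSL `x509` and `ocsp` commands, and a system trust store that can validate the OCSP response; the paths, the cert name (example.com) and the renew command are placeholders for whatever a given deployment uses.

```shell
#!/bin/sh
# Added example: early renewal driven by certificate status, not only by expiry.
# Not from the thread, certbot or Let's Encrypt. Assumes the OpenSSL CLI and a
# certbot-style layout (cert.pem + chain.pem); the paths, the cert name and the
# renew command below are placeholders for whatever your deployment uses.

# Reduce the text printed by `openssl ocsp` to one word: good, revoked, unknown
# or error. A response whose signature did not verify, or no response at all,
# is "error": it is a reason to retry and alert, never to be read as "good"
# and never to be confused with "revoked".
parse_ocsp_status() {
    out="$1"
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo error; return 0 ;;
    esac
    case "$out" in
        *": revoked"*) echo revoked ;;
        *": good"*)    echo good ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Only a verified "revoked" forces a renewal. Renewing on every responder
# outage would flap against the CA's rate limits and gain nothing.
needs_early_renewal() {
    [ "$1" = "revoked" ]
}

# Ask the responder named in the certificate's AIA extension. The chain file is
# passed as the issuer (to build the request) and as -verify_other (so the
# response signer can be found); the response is checked against the system
# trust store. -no_nonce: CDN-cached responses carry no nonce anyway.
ocsp_status() {
    cert="$1"
    chain="$2"
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$uri" ]; then
        echo error   # no OCSP URI in the certificate (e.g. CRL-only issuers)
        return 0
    fi
    out=$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" \
                       -verify_other "$chain" -no_nonce 2>&1)
    parse_ocsp_status "$out"
}

# Placeholder deployment values; run this from cron next to the normal renew job.
CERT_NAME="example.com"
LIVE_DIR="/etc/letsencrypt/live/$CERT_NAME"

main() {
    status=$(ocsp_status "$LIVE_DIR/cert.pem" "$LIVE_DIR/chain.pem")
    echo "$CERT_NAME: OCSP status $status"
    if needs_early_renewal "$status"; then
        # --force-renewal bypasses certbot's expiry-based "not yet due" check.
        certbot renew --cert-name "$CERT_NAME" --force-renewal
    elif [ "$status" = "error" ]; then
        echo "could not determine status; retry later" >&2
        exit 2
    fi
}

# Run only when executed as a script, so the functions can be sourced in tests.
case "${0##*/}" in
    ocsp-renew.sh) main ;;
esac
```

Two design points worth keeping whatever client you use: a failed or unverifiable response is treated as "error", not as "good" (soft-fail would hide exactly the revocation this thread is about) and not as "revoked" (hard-fail would trigger a renewal storm during a responder outage and run into the CA's duplicate-certificate rate limits). Let's Encrypt has since announced the end of its OCSP service in favour of CRLs; against a CRL-only issuer the `-ocsp_uri` lookup returns nothing and the script reports "error", and the same decision logic applies to a CRL lookup instead.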

Thanks tdelmas. I understand this is a very difficult time, and I'm sure much smarter and more informed people than me took this decision, but not posting any message to social media or even the main company website/blog is inexcusable IMO. With 5 days' notice, spending all the time creating a list of domains and no time creating a communication strategy to inform people is not acceptable.

In addition, Mozilla at least makes it very clear that diverging from the baseline is a totally acceptable action to take if a good rationale and clear communication are provided. Given that the number of actually still potentially affected sites is small (as I understand it, <400), and certs are only valid for 90 days, this would appear to be the perfect candidate for such action, and with Let's Encrypt's market-leading position I think few would have objected; but of course, this is only my opinion.

Either way, Let's Encrypt should be taking more leadership of this debacle and making it more visible to site owners, and I wish Let's Encrypt the best of luck in dealing with this going forward.

2 Likes
