DEV Community: SSL Support

Free SSL Provider- Let's Encrypt Revoke millions of Certificates.

SSL Support — Thu, 05 Mar 2020 06:16:25 +0000

Let’s Encrypt – the world-leading Free SSL Certificate authority (CA), has announced that it will revoke more than 3 million SSL/TLS Certificate by 4th March 2020. The cause of the revocation is a bug which was discovered by Let’s Encrypt.

Lets Encrypt confirmed that a bug in Boulder ignored CAA Checks in a forum post on 29th February 2020. However, this news barely gave time to their user to react to it.

Also Read: The Risk of Free SSL Certificate

Let’s Encrypt is going for a short revocation timeline in order to meet the stipulation by the CA/B Forum’s baseline requirement. That means many people who are using let’s encrypt certificates aren’t aware and can be affected by this.

So, why is Let’s Encrypt revoking these certificates and what does the website owner have to do with an affected certificate from Let’s Encrypt.

Why Let’s Encrypt certificate been revoked?

Let’s Encrypt announced there was a bug in their code which allowed the issuance of SSL Certificate without going through proper domain record checks. This resulted, let’s Encrypt to revoke more than 3 million valid SSL certificates out of their total 116 million certificates. To be more specific, the bug affected Boulder – the server software that Let’s Encrypt uses to verify the users and their domains before issuing an SSL certificate.

The lead developer from the Let’s Encrypt Jacob Hoffman-Andrews, post a statement on the Mozilla’s Bugzilla Web Forum:

"On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking."

"The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit /issuance by Let’s Encrypt."

They discovered the bug at 03:08 UTC on 29 Feb and halted issuance at 03:10. Further, they deployed a fix at 05:22 UTC and then re-enabled issuance. On the preliminary investigation, it was found that the bug was introduced on 25th July 2019.

In simple words: Lets Encrypt must revoke the SSL Certificate because it didn’t check the CAA records within 8 hours prior to the certificate being issued due to the bug in its software.

What options do the users of Let’s Encrypt certificate have?

Step 1: Check the Certificate

The website owner or webmasters or system administrators having Lets Encrypt SSL Certificate can use the tool to verify if their certificate is been impacted or not by simply entering the domain name. They can also visit this page which hosts the list of affected serial numbers.

Step 2: Renew the Certificate

Once you have determined that you are using the impacted Let’s Encrypt certificate, the next step for you is to renew the certificate. Users can renew the certificate either from a Trusted Certificate Authority or go for a Free untrusted SSL Certificate Authority.

It's always wise to have a trusted Certificate on your network or server. Also, all reputed companies use a trusted SSL Certificate for their security. Renew SSL Certificate at affordable cost and secure your website without any worries.

Sometimes it feels a burden to renew the certificate and install it again. Well, you can make your life easy, by simply visiting the best SSL Installation Service Provider named SSL.Support. They install your certificate on any type of server with ease. So now relax and let SSL.Support install your certificate.

Read the actual article on Let’s Encrypt to Revoke 3 Million SSL Certificates

Fix NET: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED Error

SSL Support — Fri, 14 Feb 2020 12:09:28 +0000

What is Certificate Transparency Required Error?

It is one of the SSL errors which occurs when a user is trying to visit a secure website that is having SSL certificate errors and which creates the problem of connection between a user device and the remote server.

The main reason for “Certificate Transparency Required Error” are as followed:

The Certificate Authority hasn’t entered the website’s SSL Certificate to the
Certificate Transparency log which may lead to fraud or negligence on the part of the Certificate Authority (CA’s).
The owner of the website itself has notified the Certificate Authority not to enter the domain or any sub-domains to transparency log in order to keep certificate information private.

Certificate Transparency (CT) Implementation

In March 2013, Google officially launched the first certificate transparency log. After a few months, Digi Cert became the first Certificate Authority (CA) to implement Certificate Transparency. Thereafter it was made compulsory to log the details of the issued SSL certificate in a CT log.

Certificate Transparency (CT) is an internet security standard that mandates the practice of maintaining public logs of all the digital certificates that are issued by trusted certificate authorities (CAs).

Steps for how to Fix ERR_CERTIFICATE_TRANSPARENCY_REQUIRED Error

Solution for Website Owner

This is the only way through which this error can be resolved. The website owner needs to contact the Certificate Authority (CA) and inform about this issue. Tell them to add the website’s SSL Certificate to the CT log.

Also check with the CA’s, regarding if there are any technical errors on CA’s behalf. If so, then reissue the SSL Certificate and reinstall it on your website. I know sometimes install an SSL certificate is altogether a new challenge. There is an option to go for the Free SSL Installation on C-Panel and install the certificate without any hassle.

If you still don’t get any proper response from your Certificate Authority (CA), then it is recommended to change your exiting CA with the reputed one like Digi Cert, Rapid SSL, Sectigo (Formerly Comodo), Geo Trust, etc.

Learn more on how to Fix Certificate Transparency Error on Website Browser.

How does delegated credential works?

SSL Support — Mon, 25 Nov 2019 12:22:04 +0000

IETF community has proposed Delegated Credentials for TLS to mitigate the above-mentioned issue. As it is a new cryptographic protocol that balances the trade-off between lifetime and reliability.

Delegated Credentials for TLS allows companies to take partial control over the process of signing new certificates for themselves. This certificate uses a private key with a shorter time period than the actual certificate.

The private key with a shorter period – Delegated credential used generated by the server and not by the Certificate Authority.

The delegated credential consist of the following things:

Public key
The new private key (the expiry date of the delegated credentials), and
The signature of delegated credentials signed by the CA issued leaf

The delegated credentials secure the connection between a web browser and the server, as it has its own public key.

The website owners can now actively participate in generating a Certificate that has a distinct public and private keys.

Delegated Credential uses a different private key with a shorter period on each server. As it uses a different private key on each server, there is less window of opportunity for a hacker to perform a cyber attack.