Let's Encrypt Is Revoking Three Millions Certificates On March 4

栏目: IT技术 · 发布时间: 4年前

内容简介:Non-profit certificate authority Let's Encrypt, which provides X.509 certificates for TLS encryption at no charge, has announced it willTheThree million certificates are just a small portion of the nearly 120M certificates currently served by Let's Encrypt

Non-profit certificate authority Let's Encrypt, which provides X.509 certificates for TLS encryption at no charge, has announced it will revoke customer certificates today due to a bug in their Boulder CA software .

The bug caused slightly more that 3 million certificates to bypass proper multi-domain validation under specific circumstances, with one third of them being duplicated certificates. To make a long story short, when you create an X.509 certificate, you go through two steps: validating your domain name, then issuing the required certificate for that domain. Issuing a certificate also requires making sure the CA is authorized to issue certificate for the given domain, which is accomplished by checking a CAA record. Let's Encrypt considers domain validations valid for up to 30 days, but according to current rules for CAA record validation , it needs to be checked again if you attempt to issue a certificate 8 hours past the initial validation. At this point is where the bug strikes:

When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

Three million certificates are just a small portion of the nearly 120M certificates currently served by Let's Encrypt. Still, this will be a major nuisance to many customers, who will need to renew their certificates before revocation starts on 2020-03-04 3pm US EST if they want their systems to keep working as expected.

Let's Encrypt set up a test page for all customers to check the validity of their certificates , and whether they are affected by the bug, on a domain-by-domain basis. Or you could check out the full list of affected certificate serial numbers .

Let's Encrypt launched on April 12, 2016 and somehow transformed the Internet by making a costly and lengthy process, such as using HTTPS through an X.509 certificate, into a straightforward, free, widely available service. Recently, the organization announced it has issued one billion certificates overall since its foundation and it is estimated that Let's Encrypt doubled the Internet's percentage of secure websites .


以上所述就是小编给大家介绍的《Let's Encrypt Is Revoking Three Millions Certificates On March 4》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

如何构建敏捷项目管理团队

如何构建敏捷项目管理团队

丽萨·阿金斯 / 徐蓓蓓、白云峰、刘江华 / 电子工业出版社 / 2012-6 / 49.00元

《敏捷项目管理系列丛书•PMI-ACPSM考试指定教材•如何构建敏捷项目管理团队:ScrumMaster、敏捷教练与项目经理的实用指南》结合作者的亲身经历告诉读者如何建立一个高性能的敏捷项目管理团队,以及最终成为一名优秀的敏捷教练。作者将敏捷教练定义为导师、协助者、老师、问题解决者、冲突领航员、协作指挥者,正是这种不同角色之间的细微区别才使敏捷教练的工作富有深度。《敏捷项目管理系列丛书•PMI-A......一起来看看 《如何构建敏捷项目管理团队》 这本书的介绍吧!

URL 编码/解码
URL 编码/解码

URL 编码/解码

SHA 加密
SHA 加密

SHA 加密工具

XML、JSON 在线转换
XML、JSON 在线转换

在线XML、JSON转换工具