Let’s Encrypt revoked certificates
Let’s Encrypt has announced that it is to revoke around 3 million TLS/SSL certificates because of a serious flaw found in the CAA (Certificate Authority Authorization). The certificates will be revoked on the 4th March 2020 from 00:00 UTC.
Let’s Encrypt has around 116 million certificates issued at the moment, which means that around 2.6% of them are to be revoked. Sites that have not reissued their certificates will find that users are unlikely to visit them, because anyone trying to visit will be warned that the site is likely to be fake or compromised as the certificate has been revoked.
A revoked certificate is far worse from a security point of view for users, as it shows that positive action has been taken to make users aware that the certificate has been tagged as “Not to be trusted”.
How can you fix it?
If you own a website that uses Let’s Encrypt, an automated free certificate system, then you should get your certificate changed ASAP. It is free and easy to do. There is a list of the affected certificate serial numbers which can be downloaded here and there is a tool that you can use to check your site here. Let’s Encrypt has sent an email notification to those that have registered an email address with them, but many of these addresses are thought to be out of date and to be that of the hosting provider. If you are unsure, please use the tools to check your site yourself.
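One way to check a certificate's serial number against the downloaded list yourself, as an added example that is not Let’s Encrypt's tool or code from this page. It assumes each line of the list contains the serial as a whitespace-separated hex token; the serials, the truncated DER sample and the list lines below are constructed.

```python
import ssl
import string

def normalize_serial(text):
    """Canonical form: lowercase hex without 'serial=' prefix, colons or leading zeros."""
    s = text.strip().lower()
    if s.startswith("serial="):               # as printed by `openssl x509 -noout -serial`
        s = s[len("serial="):]
    s = s.replace(":", "").replace(" ", "")   # browsers display 03:a1:b2:...
    if not s or any(c not in string.hexdigits for c in s):
        raise ValueError(f"not a hex serial: {text!r}")
    return s.lstrip("0") or "0"

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_from_der(der):
    """Extract serialNumber from a DER-encoded X.509 certificate."""
    tag, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return normalize_serial(der[start:end].hex())   # also drops a DER sign-padding 00

def serial_for_host(host, port=443):
    """Fetch the live certificate of host:port and return its normalized serial."""
    pem = ssl.get_server_certificate((host, port))
    return serial_from_der(ssl.PEM_cert_to_DER_cert(pem))

def is_affected(serial, list_lines):
    """True if any whitespace-separated token in the list equals the serial."""
    wanted = normalize_serial(serial)
    return any(tok.lower().lstrip("0") == wanted
               for line in list_lines for tok in line.split())

# Constructed sample: certificate bytes truncated just after the serial number.
SAMPLE_SERIAL = bytes.fromhex("03a1b2c3d4e5f60718293a4b5c6d7e8f9012")
_tbs = bytes.fromhex("a003020102") + bytes([0x02, len(SAMPLE_SERIAL)]) + SAMPLE_SERIAL
SAMPLE_DER = bytes([0x30, len(_tbs) + 2, 0x30, len(_tbs)]) + _tbs
SAMPLE_LIST = ["04ffeeddccbbaa99887766554433221100ab",
               "03A1B2C3D4E5F60718293A4B5C6D7E8F9012 example.test"]
```

For a real site, pass the result of `serial_for_host("your-domain")` and the lines of the downloaded list to `is_affected`.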
Our clients who use Let’s Encrypt
CritchCorp Computers Ltd has already checked all of our clients’ sites that use Let’s Encrypt certificates, which come FREE with any of our Feature Rich Hosting accounts. Also, anyone using a paid certificate from CritchCorp Computers Ltd is not affected by this latest issue.
If you are affected then you should contact your hosting company or webmaster urgently to get the issue resolved. If you have no-one to contact then we may be able to help; please submit a support ticket from our store ticket system.
Is Let’s Encrypt still good?
We have been asked whether or not Let’s Encrypt certificates are safe given the latest bug. We are confident that they are a great starter certificate and are much better than having no certificate. Let’s Encrypt have been upfront and transparent about the issue, and that is exactly what they should do, so we are confident that their ACME system is a good way to ensure that all sites have some form of security. If your site needs better security, more guarantees about who you are, and better protection, then you should upgrade to a paid certificate, which come with different levels of security and guarantees.