Let’s Encrypt has announced that it is to revoke aroound 3 million TLS/SSL certificates because of a serious flaw found in the CAA (Certificate Authority Authorization). The certificates will be revokend on the 4th March 2020 from 00:00 UTC.

Let’s Encrypt has around 116 million certificates issued at the moment which means that around 2.6% of them are to be revoked. Sites that have not reissued their certificates will find that users will be unlikely to visit them as they will be warned when trying to visit that the site is likely to be fake or compromised as the certificate has been revoked.

A revoked certificate is far worse from a security point of view for users as it shows that positive action has been taken to make users aware that the certificate has been tagged as “Not to be trusted“.

How can you fix it?

If you own a website that uses Let’s Encrypt, an automated free certificate system, then you should get your certificate changed ASAP. It is free and easy to do. There is a list of the affected certificate serial numbers which can be downloaded here and there is a tool that you can use to check your site here. Let’s Encrypt has sent an email notification to those that have registered an email address whith them but many are thought to be out of date and to be that of their hosting provider. If you are unsure please use the tools to check your site yourself.

Our clients who use Let’s Encrypt

CritchCorp Computers Ltd has already checked all of our clients sites that use Let’s Encrypt certificates; which come FREE with any of our Feature Rich Hosting accounts. Also anyone using a paid certificate from CritchCorp Computers Ltd is not affected by this latest issue.

If you are affected then you should contact your hosting company or webmaster urgently to get the issue resolved. If you have no-one to contact then we maybe able to help, please submit a support ticket from our store ticket system.

Is Let’s Encrypt still good?

We have been asked whether or not Let’s Encrypt certificates are safe given the latest bug. We are confident that they are a great starter certificate and are much better than having no certificate. Let’s Encrypt have been upfront and transparent about the issue and that is exactly what they should do, so we are confident that they ACME system is a good way to ensure that all sites have some form of security. If your site need better security or more gurentees about who you are and better protection then you should upgrade to a paid certificate whch come with different levels of security and guarentees.

Stay Safe

Support.

Don’t forget to check out these other Products too

You can also read more about us and the products and services we offer.

If you use Microsoft Remote Desktop Protocol (RDP) over the Internet then there is a serious bug that has just been discovered that allows an attacker to gain entry even with out a username and password.

The good news is that if you use a VPN connection first, then you are completely safe from this. Likewise if you use Network Layer Authentication only then you are not at risk either.

As always we recommend that you use RDP over a VPN tunnel, this way you are not vulnerable to any problems found in the protocol.

If you are concerned then please contact us and we will assess your situation with you.

If you want to deal with this yourself then you need to run updates on your servers as well as your desktops. The problem has now been fixed in the latest updates.

Keep Safe.

CritchCorp Support Team!