Let’s Encrypt has announced that it is to revoke aroound 3 million TLS/SSL certificates because of a serious flaw found in the CAA (Certificate Authority Authorization). The certificates will be revokend on the 4th March 2020 from 00:00 UTC.

Let’s Encrypt has around 116 million certificates issued at the moment which means that around 2.6% of them are to be revoked. Sites that have not reissued their certificates will find that users will be unlikely to visit them as they will be warned when trying to visit that the site is likely to be fake or compromised as the certificate has been revoked.

A revoked certificate is far worse from a security point of view for users as it shows that positive action has been taken to make users aware that the certificate has been tagged as “Not to be trusted“.

How can you fix it?

If you own a website that uses Let’s Encrypt, an automated free certificate system, then you should get your certificate changed ASAP. It is free and easy to do. There is a list of the affected certificate serial numbers which can be downloaded here and there is a tool that you can use to check your site here. Let’s Encrypt has sent an email notification to those that have registered an email address whith them but many are thought to be out of date and to be that of their hosting provider. If you are unsure please use the tools to check your site yourself.

Our clients who use Let’s Encrypt

CritchCorp Computers Ltd has already checked all of our clients sites that use Let’s Encrypt certificates; which come FREE with any of our Feature Rich Hosting accounts. Also anyone using a paid certificate from CritchCorp Computers Ltd is not affected by this latest issue.

If you are affected then you should contact your hosting company or webmaster urgently to get the issue resolved. If you have no-one to contact then we maybe able to help, please submit a support ticket from our store ticket system.

Is Let’s Encrypt still good?

We have been asked whether or not Let’s Encrypt certificates are safe given the latest bug. We are confident that they are a great starter certificate and are much better than having no certificate. Let’s Encrypt have been upfront and transparent about the issue and that is exactly what they should do, so we are confident that they ACME system is a good way to ensure that all sites have some form of security. If your site need better security or more gurentees about who you are and better protection then you should upgrade to a paid certificate whch come with different levels of security and guarentees.

Stay Safe

Support.

Don’t forget to check out these other Products too

You can also read more about us and the products and services we offer.

Apple has decided that they will no longer support TLS/SSL certificates that have a valid period of more than 1 year (398 days to be exact) as of 1st September 2020. This means that if, after that date, you order a certificate for your website that has a longer valid period then it will not be trusted on any Apple system, including iPhones, iPads, Apple computers, Safari, etc.
The policy that was unveiled at a Certificate Authority Browser Forum (CA/Browser) meeting on Wednesday (19/02/2020). Accordingly certificates issued after 1st September 2020 will not be trusted if they are longer than 1 year (398 days) but those that were issued before that date will still be honoured.

Why have they done this

The move by Apple to not trust certificates longer than the 398 days is a move to make internet users safer on their platforms. This means that website admins will need to change their certificates on a yearly basis. This has it benefits and drawbacks as it means that technical expertise will be needed more frequently and that there is more chance for expiry dates to be forgotten but it does mean that old forgotten certificates will expire quicker and certificates will be using the latest up-to-date cryptographic standards.
There has been a call for more moving to automated systems rather than manual certificates. Whilst we use automated systems or ACME (Automated Certificate Management Environment), specifically Let’s Encrypt and those systems are great for a certain type of site, it is still necessary to have the higher grade certificates for those who need them. In fact larger websites still use professional certificates with stronger encryption and authentication mechanisms in place. ACME certificates are great as a base level certificate in these days when a website will not be trusted at all if it doesn’t have a certificate, in fact if it doesn’t have a certificate most browsers will actively block access to it.

Digicert’s Dean Coclin issued a memo, here is an excerpt:

“At one time, certificates were offered with a maximum validity of three years. A few years ago, they were reduced to two years. Fast forward to this week’s Apple announcement, which ultimately does what ballot SC22 failed to do: reduce certificate lifetimes to one year.
Why did Apple unilaterally decide to enforce a shorter certificate lifetime? Their spokesperson said it was to “protect users.” We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats. Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.”

… “DigiCert agrees that shorter lifetimes help enhance the security of the ecosystem and has the tools necessary to help our customers automate the certificate lifecycle process. We support short-lived certificates, with lifetimes as short as a few hours for customers with advanced automation capabilities. Additionally, our CertCentral platform includes the ability to schedule and automate replacement of EV, OV and DV certificates. Using CertCentral admins may take advantage of continuous discovery, renewal notices, thorough API integration and documentation, as well as support for orchestration layers. CertCentral also allows for multi-year purchases to smooth planning and 24/7 global support enabling the best experience in the industry.
As certificate validity periods continue to decrease, automation will be a must for organizations’ ability to manage shorter lifetimes. DigiCert is prepared with the industry’s most advanced and reliable tools to help our customers take the necessary steps toward greater use of automation.”

• .space
• .black
• .blue
• .pet
• .pink
• .pro
• .promo
• .red

If there is a TLD that you want and it is not in our shop, let us know and we will see if we can add it, and maybe give you a discount on a new domain name on that TLD as a “thank you” recommending it.

Also there have been some price increases this month. You can see the current prices here.

[ink-ad-creator ad=”981″][/ink-ad-creator]