Let’s Encrypt, the non-profit certificate authority, recently found a bug in its Boulder CA software that is causing over three million TLS certificates to be revoked. The bug caused Boulder to perform Certificate Authority Authorization (CAA) checks incorrectly: on a multi-domain certificate, one domain is believed to have been checked multiple times instead of every domain on the certificate being checked once. The certificates being revoked amount to about 2.6 percent of the 116 million active certificates. Let’s Encrypt has sent emails to those who need to renew their certificates.
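As an added example (not Let’s Encrypt’s or Boulder’s code), the Go snippet below shows a CAA recheck loop over a multi-name order written so that each concurrent check is bound to its own name, plus a coverage check that flags the symptom described above. Placing the fault in a goroutine loop is an assumption for illustration, not something the page states; the DNS lookup is replaced by a hypothetical stand-in that only records the name.

```go
package main

import (
	"fmt"
	"sync"
)

// recheckCAA re-runs the CAA check for every name on a multi-name order
// concurrently and returns the names that were actually looked up. The real
// CAA DNS lookup is replaced by recording the name (hypothetical stand-in).
func recheckCAA(names []string) []string {
	var mu sync.Mutex
	var checked []string
	var wg sync.WaitGroup
	for _, name := range names {
		wg.Add(1)
		go func(n string) { // explicit per-iteration copy, not a captured loop variable
			defer wg.Done()
			mu.Lock()
			checked = append(checked, n) // stands in for the CAA lookup of n
			mu.Unlock()
		}(name)
	}
	wg.Wait()
	return checked
}

// coverageErrors reports every name not checked exactly once, the invariant
// the Boulder bug broke (one name checked N times, the others never).
func coverageErrors(names, checked []string) []string {
	counts := make(map[string]int, len(names))
	for _, n := range checked {
		counts[n]++
	}
	var errs []string
	for _, n := range names {
		if counts[n] != 1 {
			errs = append(errs, fmt.Sprintf("%s checked %d times", n, counts[n]))
		}
	}
	return errs
}

func main() {
	names := []string{"a.example", "b.example", "c.example"} // constructed order
	fmt.Println("fixed loop:", coverageErrors(names, recheckCAA(names)))
	// Constructed symptom of the bug: one name looked up three times, the rest never.
	fmt.Println("buggy symptom:", coverageErrors(names, []string{"c.example", "c.example", "c.example"}))
}
```

Run as-is, the first line prints an empty error list; the second lists the two names that were never checked and the one that was checked three times.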
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense