Recently, a bug has been found in Let’s Encrypt in their CAA code. This means that they now have to go over approved sites and potentially strip them of their TLS HTTPS certificate. Let’s Encrypt have become Let’s Revoke. We are hoping this is only a temporary situation in their security business.
What was happening is that people would submit a certain amount of domains in to be checked. Let’s say 5 domain names. The code would pick one domain and check it 5 times. If we say that this one domain was certified, all 5 of the domains sent though would get certified.
Let’s Encrypt said that they had confirmed the bug at 03:08 UTC and stopped issueing TSL Certs at 03:10 UTC. They developed a fix for the bug about two hours later and then re-enabled issuance. Any affected certificate owners have been notified by email according to Let’s Encrypt. The owners of the certificates have until 00:00 UTC on March 4th to renew and replace their HTTPS certificates.
Due to the bug, named Boulder, Let’s Encrypt will be revoking 3,048,289 currently-valid certificates. As large as that number may seem, it is only 2.6% of their total 116 million (approx.) active certificates.
If a website has a SSL certificate, this means that any data that you’ve exchanged with this site is securely encrypted. It also makes sure that the site you’re visiting is the legitimate one and not a malicious scam site. As well as this, have you ever noticed that you trust a site with a SSL cert more than a site without one?