Let's Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let's take time out
Online security initiative halts hurried purge to accommodate reality
Let's Encrypt has halted its plans to cancel all three million flawed web security certificates – after fearing the super-revocation may effectively break a chunk of the internet for netizens.
Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug.
The programming blunder, in Boulder, the certificate authority software Let's Encrypt wrote to automate issuance, affected subscribers who validated control of their domains and then, later, requested a certificate covering several of those names at once. The Baseline Requirements oblige a CA to re-check each domain's CAA (Certification Authority Authorization) DNS records at issuance time if the domain's CAA check is more than eight hours old, because a domain owner may have withdrawn permission for that CA in the meantime. The bug was in that rechecking loop: when a request contained N names needing a fresh CAA check, the code checked a single name N times and never looked at the others, so certificates could be issued for domains whose CAA records by then forbade Let's Encrypt.
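The following is an added illustration, written for this article and not code from Boulder or Let's Encrypt. It models the failure the paragraph describes with a deliberately shared variable so that every deferred CAA check runs against the last name in the request, then shows the corrected loop beside it. The in-memory `caaRecords` map, the `ourCA` constant and the sample names are constructed stand-ins for real DNS; the resolver implements the RFC 8659 climb to the closest ancestor with a CAA record set but ignores `issuewild`, CNAME following and DNSSEC.

```go
package main

import (
	"fmt"
	"strings"
)

// caaRecords is a constructed, in-memory stand-in for DNS. It maps a name to
// the CA domains listed in its CAA "issue" records. A missing entry means the
// name has no CAA record set of its own.
var caaRecords = map[string][]string{
	"example.com":       {"letsencrypt.org"},       // permits Let's Encrypt
	"forbidden.example": {"some-other-ca.example"}, // permits only another CA
	"locked.example":    {";"},                     // "issue ;" forbids every CA
}

// ourCA is the issuer domain this CA looks for in CAA records (assumed value).
const ourCA = "letsencrypt.org"

// lookupCAA returns the CAA issue set that governs name, climbing towards the
// root until it finds the closest ancestor with records (RFC 8659 section 3).
func lookupCAA(name string) ([]string, bool) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := 0; i < len(labels); i++ {
		if rrs, ok := caaRecords[strings.Join(labels[i:], ".")]; ok {
			return rrs, true
		}
	}
	return nil, false
}

// caaPermits reports whether ourCA may issue for name. No CAA anywhere in the
// tree means any CA may issue.
func caaPermits(name string) bool {
	issue, found := lookupCAA(name)
	if !found {
		return true
	}
	for _, ca := range issue {
		if ca == ourCA {
			return true
		}
	}
	return false
}

// makeCheck builds one deferred CAA check bound to exactly one name.
func makeCheck(name string) func() error {
	return func() error {
		if !caaPermits(name) {
			return fmt.Errorf("CAA record for %q forbids issuance by %s", name, ourCA)
		}
		return nil
	}
}

// runChecks executes the queued checks and reports the first failure.
func runChecks(checks []func() error) error {
	for _, c := range checks {
		if err := c(); err != nil {
			return err
		}
	}
	return nil
}

// recheckCAABuggy reproduces the shape of the failure: a single variable is
// shared by every queued closure, so all N checks inspect whichever name was
// assigned last, and the other N-1 names are never rechecked.
func recheckCAABuggy(names []string) error {
	var checks []func() error
	var name string // declared once, captured by every closure (the bug)
	for _, n := range names {
		name = n
		checks = append(checks, func() error {
			if !caaPermits(name) {
				return fmt.Errorf("CAA record for %q forbids issuance by %s", name, ourCA)
			}
			return nil
		})
	}
	return runChecks(checks)
}

// recheckCAAFixed binds each check to its own name, so every name in the
// request is rechecked exactly once.
func recheckCAAFixed(names []string) error {
	var checks []func() error
	for _, n := range names {
		checks = append(checks, makeCheck(n))
	}
	return runChecks(checks)
}

func main() {
	// Constructed request: the first name forbids us, the second permits us.
	req := []string{"forbidden.example", "www.example.com"}
	fmt.Println("buggy recheck:", recheckCAABuggy(req)) // nil: forbidden.example never checked
	fmt.Println("fixed recheck:", recheckCAAFixed(req)) // error naming forbidden.example
}
```

The request order matters: had `forbidden.example` happened to be the last name, the buggy loop would have rejected the request and the flaw would have stayed invisible, which is one reason a bug of this kind can sit in production for a long time.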
Website owners were told to renew their certificates as soon as possible so that the mass revocation could be completed by March 5 at 19:00 PT (03:00 UTC on March 6). Failure to act meant visitors to sites still serving a revoked certificate could see insecure-connection warnings in their browsers, depending on how strictly the browser checks revocation status. The culling actually began on March 4 at 12:00 PT (20:00 UTC), we note.
The short timeline is a consequence of the CA/Browser Forum Baseline Requirements, which Certificate Authorities agree to follow and which in this case gave Let's Encrypt five days from discovering the problem to revoke the affected certificates. Even so, Let's Encrypt only managed to make it halfway through the process before calling time.
In a forum post on Wednesday, Josh Aas, executive director of Let's Encrypt, announced a delay to avoid undue damage to the internet.
"Unfortunately, we believe it’s likely that more than one million certificates will not be replaced before the compliance deadline for revocation is upon us at March 5 19:00 PT (03:00 UTC, 21:00 US EST)," wrote Aas. "Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline."
By the compliance deadline this evening, Aas said, 1,706,505 affected certificates that had already been replaced by their owners would have been revoked. A further 445 certificates, covering domains whose CAA records now forbid issuance by Let's Encrypt, were treated as high-priority targets for revocation, since those are the ones the bug actually let through against the domain owners' stated policy.
As for the remaining 1.3 million or so, some will be revoked when Let's Encrypt is certain that doing so will not cause undue disruption. The rest should die of old age: Aas said that since Let's Encrypt certificates only have 90-day lifetimes (they are designed for automatic renewal), unfixed certs will expire on their own if not dealt with.
The Register asked Let's Encrypt whether the owners of the spared certs have been told they have extra time. Evidently, they haven't.
"The original set of affected subscribers for whom we have email addresses were sent an email letting them know of the error with their certificates," a spokesperson said.
"That email guided them to our forum to get help and the most updated information. The forum is the best place to interact with Let's Encrypt, so we aim to drive people there as much as possible." ®