Be Careful: Million "Let's Encrypt" SSL Certificates will be revoked!

Pay.My.id

Due to a bug in its CAA code, Let's Encrypt, the free SSL certificate authority, will revoke 3 million SSL certificates! Unless you renew your certificate before the revocation, your website users will see a RED SECURITY warning on your websites. That is a sign that could push your customers away from you, and I think you want to avoid it.
 
> I mean, years ago we used a self-signed SSL certificate for our own use and offered non-SSL login for non-admin users. It worked well because we didn't require any critical info... If we used such a self-signed certificate in today's browsers, we wouldn't be able to log in... I know this all depends on the difficulty of factorizing big numbers into their prime factors, but there must be some details in practice, and the devil might be in those details. There might be totally trustworthy services, but it is impossible to know which ones are, and if you use your own cert, then the browser prevents access; this is what makes me angry. I mean, you can probably protect yourself against everyone except bigbro, but this may not be enough.

Self-signed certs still work, but they’re strongly discouraged. Because you lose all authentication, you essentially also lose all encryption—unless you’re doing some heavy math by hand, someone can MITM you and you won’t be able to tell the difference.

The correct way around this—assuming you don’t want to use existing PKI—is to make your own CA, trust that CA on the devices you’ll be using, and issue certs as you see fit. That will work just fine and is quite secure if done correctly. It’s actually fairly easy to do.
 
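Both situations in this thread, a CA revoking a certificate that is still within its validity dates (the opening post) and running a private CA that only your own devices trust (the reply above), can be tried locally with nothing but openssl. The script below is an added example, not code from the thread or from Let's Encrypt: it builds a private root CA, issues a server certificate for a made-up internal host, verifies it against that root only, shows that an attacker's self-signed certificate for the same name is rejected, then revokes the issued certificate and shows that a CRL-aware check rejects it while a plain chain check still accepts it. It assumes openssl 1.1.0 or later on PATH; the host name intranet.example.test, the scratch directory and every file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Let's Encrypt: a private CA
# that issues, verifies and then revokes a cert for a made-up internal host.
# Assumes openssl >= 1.1.0 on PATH; every name and path below is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for keys, certs and the CA database
# Config for `openssl req -x509` (root cert) and `openssl ca` (revoke/CRL).
# Paths are expanded by the shell, so the heredoc is deliberately unquoted.
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no
[ req_dn ]
CN = Example Internal Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = internal
[ internal ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 397
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$WORK/index.txt"          # empty CA database
  echo 1000 > "$WORK/serial"     # next serial number (hex)
  echo 1000 > "$WORK/crlnumber"
}

make_ca() {
  # Self-signed root. In real use ca.key stays offline; only ca.crt is
  # distributed to the devices that should trust it.
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

issue_leaf() {
  # Server cert for host $1, signed by the CA. Browsers match the name
  # against the SAN, not the CN, so the SAN is the part that matters.
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/$host.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" >> "$WORK/$host.ext"
  openssl x509 -req -days 397 -in "$WORK/$host.csr" -extfile "$WORK/$host.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAserial "$WORK/serial" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

make_impostor() {
  # An attacker's self-signed cert for the same name: a client that accepts any
  # self-signed cert cannot tell it from ours; one that trusts only ca.crt can.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt" >/dev/null 2>&1
}

verify_leaf() {
  # $1 = expected hostname, $2 = cert basename in $WORK. Trusts ca.crt only;
  # succeeds only if the chain ends there and the name matches.
  openssl verify -CAfile "$WORK/ca.crt" -no-CApath -verify_hostname "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

revoke_leaf() {
  # Revoke $1's cert in the CA database and publish a CRL signed by the CA.
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

verify_leaf_with_crl() {
  # As verify_leaf, but consults the CRL. The cert is still within its dates,
  # yet a client that checks revocation rejects it.
  openssl verify -CAfile "$WORK/ca.crt" -no-CApath -CRLfile "$WORK/ca.crl" -crl_check \
    -verify_hostname "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# Demonstration run
HOST=intranet.example.test
make_ca
issue_leaf "$HOST"
make_impostor "$HOST"
if verify_leaf "$HOST" "$HOST"; then echo "own CA cert:  accepted"; fi
if verify_leaf "$HOST" impostor; then echo "impostor:     accepted (BAD)"; else echo "impostor:     rejected"; fi
revoke_leaf "$HOST"
if verify_leaf "$HOST" "$HOST"; then echo "revoked cert: still passes a plain chain check"; fi
if verify_leaf_with_crl "$HOST" "$HOST"; then echo "revoked cert: accepted (BAD)"; else echo "revoked cert: rejected by CRL check"; fi
```

Trusting the CA on a real device means importing ca.crt into that device's trust store; what makes this secure is that only ca.crt is trusted, not arbitrary self-signed certificates, which is why the impostor is rejected. The last two lines of the run are the point the opening post is about: a revoked certificate still passes a plain date-and-chain check, and only a client that consults the CRL (or OCSP) notices that it is no longer valid.
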
Another confirming update from LetsEncrypt :

For the remaining 1M certificates that we could not confirm were replaced, we determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline. We will continue revoking these certs as they are replaced.
 
I keep getting
"ConnectionResetError: [Errno 104] Connection reset by peer"
error from letsencrypt when I try to request the cert for multiple domains.
Their server seems to be having an overload issue :banghead:
 
> I keep getting
> "ConnectionResetError: [Errno 104] Connection reset by peer"
> error from letsencrypt when I try to request the cert for multiple domains.
> Their server seems to be having an overload issue :banghead:

It seems Letsencrypt is still continuing to solve some important bug.
 
> It seems Letsencrypt is still continuing to solve some important bug.
They revoked millions of certs, and as a result they have to handle millions of new cert requests within a short period on top of their normal operation. That's why their server got overloaded :dead:
 
> They revoked millions of certs, and as a result they have to handle millions of new cert requests within a short period on top of their normal operation. That's why their server got overloaded :dead:

Agreed.

I'm sure LetsEncrypt is able to solve that problem, because their service is used by millions of websites in the world.
 
> And unfortunately the browsers have stopped marking EV certs, which IMO was an important trust signal to users.
That's one of the greatest disservices Google's Chrome has done to web users. EV marking was a great trust indicator until Google, in their wisdom, stopped marking it.

Now no one sees the need to use EV anymore. All sites are now the same.
 
> That's one of the greatest disservices Google's Chrome has done to web users. EV marking was a great trust indicator until Google, in their wisdom, stopped marking it.
>
> Now no one sees the need to use EV anymore. All sites are now the same.

It is not and never has been a good indicator--it's just security theater. That's not to say I agree with all of the Chrome team's security decisions, but EV certificates are really quite useless.
 
> It is not and never has been a good indicator--it's just security theater. That's not to say I agree with all of the Chrome team's security decisions, but EV certificates are really quite useless.
I slightly disagree.

Seeing those green bars in your browser with the company's name and the country where it is located creates instant trust for users. Now that they are gone, customers have to do extra quick research to verify the company they're dealing with.
 
> I slightly disagree.
>
> Seeing those green bars in your browser with the company's name and the country where it is located creates instant trust for users.

Exactly--that's the problem. It's not that difficult to obtain a fake EV certificate. Showing that green bar creates a false sense of security.

That's not to say the concept of EV certificates isn't a good one--if they were actually difficult to obtain, and they could actually guarantee that the website was operated by the listed entity, then they'd be awesome.

There's another problem: while the presence of an EV certificate indicator might increase trust, lack of such an indicator doesn't decrease trust. Someone who receives a phishing email and clicks the link isn't going to notice that the indicator to which they're accustomed is missing. This is why we don't often see fake EV certificates in practice: there isn't much point.
 
Is this why I haven't been able to see my Dynadot landing pages? My newly updated Microsoft Edge / Windows 10 / Internet Explorer keeps blocking all my domains. I wonder if it's the SSL?
 
> Is this why I haven't been able to see my Dynadot landing pages? My newly updated Microsoft Edge / Windows 10 / Internet Explorer keeps blocking all my domains. I wonder if it's the SSL?
Must be something else. As per the detailed extra announcement on community.letsencrypt.org, they decided to revoke only already-replaced certs, as well as a few hundred certs which should definitely not have been issued. Did you try to check the status of your domains on https://checkhost.unboundtest.com ?
 
> Must be something else. As per the detailed extra announcement on community.letsencrypt.org, they decided to revoke only already-replaced certs, as well as a few hundred certs which should definitely not have been issued. Did you try to check the status of your domains on https://checkhost.unboundtest.com ?
Yes, unknown host.
 
> Is this why I haven't been able to see my Dynadot landing pages? My newly updated Microsoft Edge / Windows 10 / Internet Explorer keeps blocking all my domains. I wonder if it's the SSL?

If there is still some little problem with SSL, we could use a simple step by using another free SSL from Cloudflare, but we need to change the nameservers to Cloudflare's and activate Full SSL mode or Flexible SSL for a moment. Anytime, we could move back to the current SSL.
 