Experts' Reaction On Millions Of Websites Face ‘Insecure’ Warnings
March 04, 2020

Some well-known websites could stop functioning properly on Wednesday, 4 March, after a bug was found in the digital certificates used to secure them, the BBC reported last night. The organisation that issues the certificates revealed that three million need to be immediately revoked.

Visitors to affected sites will be greeted with an alert warning them the site is insecure. One expert said the issue could result in a “loss of trust”. In a notification email to its clients, the organisation said: “We recently discovered a bug in the Let’s Encrypt certificate authority code.

“Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologise for the issue.”

EXPERTS' COMMENTS
Kevin Bocek, VP Security Strategy & Threat Intelligence, Venafi
March 05, 2020
Angry customers, angry executives.
Digital certificates, such as those issued by Let’s Encrypt, provide machines – be that websites, servers, applications, IoT devices, everything – with a unique identity to enable encrypted and secure communication with other machines. Most recognisably, perhaps, is that they enable the little padlock in the URL bar which tells us that a site has been secured; or in this case, a lack of a ce ....
Ted Shorter, CTO, Keyfactor
March 05, 2020
Everyone makes mistakes. It’s commendable for Let's Encrypt to be proactive and revoke so many certs.
Everyone makes mistakes. It’s commendable for Let's Encrypt to be proactive and revoke so many certs, but it certainly could cause significant outages if these revoked certs are not replaced quickly. Many treat the automated enrollment and renewals as a ‘set and forget’ technology, but this shows that even shorter cert lifespans and automatic enrollment are not substitutes for full-featured ....
Jake Moore, Cybersecurity Specialist, ESET
March 04, 2020
Affected businesses will need to quickly apply for a new certificate.
Digital certificates help protect the transfer of information between the website and user. This secure connection helps deliver trust, which is at the heart of the World Wide Web. Affected businesses will need to quickly apply for a new certificate, which could result in a temporary notice on the website saying that they are “not secure”. This will undoubtedly cause many users to worry that thei ....
Israel Barak, Chief Information Security Officer, Cybereason
March 04, 2020
We are all measured on how we communicate and help our customers and partners manage risk.
There is only an immediate established risk for Let's Encrypt's customers having their identity or the identity of their systems compromised if an attacker is producing bogus certificates or masquerading as a certificate provider. My primary concern is why isn't my anchor of trust, the CA provider, in this case, Let's Encrypt, being transparent about what has happened? If they are being transparen ....
Tim Mackey, Principal Security Strategist, Synopsys CyRC
March 04, 2020
Assuming that any certificate will remain valid until its complete expiration date is unrealistic.
Certificate revocation, while rare, does occur and web site owners should be prepared for this situation. Assuming that any certificate will remain valid until its complete expiration date is unrealistic. While it is inconvenient to perform an emergency update, processes should be in place within an organisation to handle such scenarios. ....
Chad Anderson, Research Engineer, DomainTools
March 04, 2020
Certificates through Let’s Encrypt are not meant for manual renewal.
Let’s Encrypt is a free certificate service that came along to offer encryption for domains that administrators could prove ownership of via certain types of records. They then issue a certificate for a short period of time that has to be renewed often and with proof of ownership. While this is a startling bug due to the short-lived time frame of Let’s Encrypt certificates, all good system ad ....
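Two of the comments above (Tim Mackey's point that site owners should be prepared for revocation, and Chad Anderson's reminder that short-lived certificates are meant to be renewed automatically) describe a readiness check that a site owner can script. The following is an added example, not code from the article or from Let's Encrypt: it parses a PEM certificate, reports how many days remain before expiry, and flags it for replacement if its serial number appears in a CA-published list of revoked serials or if it will expire inside a renewal window. The certificate, the serial numbers, the deadline date and the domain name `example.test` are all constructed for the example; in practice the PEM bytes come from the server's certificate file and the revoked serials from the CA's notice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is what a site owner needs to know about one deployed
// certificate after a CA revocation notice: must it be replaced,
// and how much time is left either way.
type CertStatus struct {
	Serial      string // hex serial number, the value CAs quote in revocation notices
	DaysLeft    int    // whole days until NotAfter (negative once expired)
	Revoked     bool   // serial appears in the CA's revoked list
	MustReplace bool   // revoked, or expiring inside the renewal window
}

// checkCertificate parses one PEM-encoded certificate and compares it
// against a list of revoked serial numbers (assumed to come from the CA's
// published notice) and a renewal window (the "renew well before expiry"
// habit the comments above ask for).
func checkCertificate(pemBytes []byte, revokedSerials []*big.Int, now time.Time, renewWindow time.Duration) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	st := CertStatus{
		Serial:   cert.SerialNumber.Text(16),
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
	}
	for _, s := range revokedSerials {
		if s.Cmp(cert.SerialNumber) == 0 {
			st.Revoked = true
			break
		}
	}
	st.MustReplace = st.Revoked || cert.NotAfter.Before(now.Add(renewWindow))
	return st, nil
}

// makeTestCert builds a constructed, self-signed certificate so the example
// runs offline. A real check would read the site's certificate file instead.
func makeTestCert(serial int64, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed scenario: the CA lists two revoked serials, and the site
	// is checked on the day of the notification with a 14-day renewal window.
	now := time.Date(2020, 3, 4, 0, 0, 0, 0, time.UTC)
	issued := now.Add(-30 * 24 * time.Hour)
	revoked := []*big.Int{big.NewInt(1001), big.NewInt(1002)}

	for _, serial := range []int64{1001, 2001} {
		pemBytes, err := makeTestCert(serial, issued, 90*24*time.Hour)
		if err != nil {
			panic(err)
		}
		st, err := checkCertificate(pemBytes, revoked, now, 14*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("serial %s: %d days left, revoked=%v, must replace=%v\n",
			st.Serial, st.DaysLeft, st.Revoked, st.MustReplace)
	}
}
```

Run against a fleet, the `MustReplace` flag is the list to act on before the CA's deadline; the `DaysLeft` value is the early warning that an automated renewal has silently stopped working, which is the "set and forget" failure mode the Keyfactor comment describes.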
