Let’s Encrypt Certificates – Are They Broken?

Short answer: No.

There is a news story going around about an issue with certificates issued by Let’s Encrypt. The certificates themselves are technically sound; the problem is that some of them were issued without a check that Let’s Encrypt was required to perform first.

The owners of a domain (say port.ac.uk) can, if they choose, publish a CAA (Certification Authority Authorization) record in the DNS (we don’t) which specifies which certificate authorities are authorised to issue certificates for names within that domain.

The Let’s Encrypt bug was in the re-checking of those CAA records when a certificate covered multiple names: instead of checking every name, it mistakenly checked just one of them. So in some circumstances it could issue a certificate for a name whose CAA record forbade it.
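To make the check concrete, here is an added example (written for this post; it is not Let’s Encrypt’s own code and was not part of the original article) that models CAA evaluation as RFC 8659 describes it over a constructed in-memory zone, and then contrasts checking every name in a certificate request with the flawed pattern described above of consulting only one name. The zone contents and the domain names in it are invented for the example.

```python
# Added example: RFC 8659-style CAA evaluation over a constructed zone, and
# the difference between checking every name in a request and checking one.
# This is illustrative code written for this post, not Let's Encrypt's own.

ISSUER_CRITICAL = 128  # CAA flags bit: refuse issuance if the tag is unknown

# Constructed zone (assumption: invented records, not real DNS data).
# name -> list of (flags, tag, value); names absent here have no CAA RRset.
ZONE = {
    "locked.example": [
        (0, "issue", "digicert.com"),   # only this CA may issue ordinary names
        (0, "issuewild", ";"),          # and nobody may issue wildcard names
    ],
    "nobody.example": [(0, "issue", ";")],                 # no CA at all
    "le-only.example": [(0, "issue", "letsencrypt.org")],  # Let's Encrypt only
}


def relevant_caa(name):
    """Find the relevant CAA RRset (RFC 8659 s.3): the set at the name itself,
    otherwise the nearest ancestor's. Returns (owner, rrset) or (None, None)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in ZONE:
            return owner, ZONE[owner]
    return None, None


def caa_permits(name, ca_id):
    """Does CAA permit the CA identified by ca_id (e.g. "letsencrypt.org") to
    issue a certificate for `name`?  A leading "*." marks a wildcard name."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_caa(name)
    if rrset is None:
        return True  # no CAA record anywhere up the tree: any CA may issue
    # A record flagged issuer-critical with a tag we do not understand means
    # we cannot know what the owner intended, so we must refuse.
    if any(flags & ISSUER_CRITICAL and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard names are governed by issuewild when present, else by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # records exist but none constrain this kind of issuance
    # A value is "<ca-domain>[; parameters]"; a bare ";" names no CA at all.
    allowed = {v.split(";")[0].strip() for v in governing}
    return ca_id in allowed


def names_failing_caa(names, ca_id):
    """Correct behaviour: check every name in the request; issuance is only
    permitted when this list is empty."""
    return [n for n in names if not caa_permits(n, ca_id)]


def flawed_single_name_check(names, ca_id):
    """The flawed pattern described above: a request with N names is checked
    N times, but each time against the same (first) name, so a forbidden name
    elsewhere in the request is never looked at."""
    return all(caa_permits(names[0], ca_id) for _ in names)


if __name__ == "__main__":
    request = ["free.example", "www.locked.example"]
    print("names failing CAA:", names_failing_caa(request, "letsencrypt.org"))
    print("flawed check says:", flawed_single_name_check(request, "letsencrypt.org"))
```

Run as-is, the correct check reports www.locked.example as failing while the flawed check passes the whole request, because it only ever looks at free.example. Real CAA records for a domain can be inspected with `dig CAA example.org`.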

Let’s Encrypt are correcting this mistake by revoking the affected certificates, so that browsers which check revocation status will treat them as invalid. If a certificate is revoked the site will still load, but its security indicator in the location bar will turn red rather than showing the normal padlock.

Even a revoked certificate still encrypts the traffic in transit; what is lost is the browser’s trust in the server’s identity, because a revoked certificate no longer proves who you are talking to. You are unlikely to run into affected web sites, for three reasons :-

  1. No port.ac.uk sites should have been issued with a faulty certificate: we don’t publish a CAA record, so there was nothing for the broken check to get wrong (with no CAA record, any certificate authority may issue).
  2. Very few “mainstream” large web sites will use Let’s Encrypt certificates.
  3. Those sites that do use Let’s Encrypt certificates will have been notified if their certificate was due to be revoked, and can simply renew it (it’s free).

There is a chance that some neglected minor sites will show the red padlock icon (meaning “not secure”). If you see such a warning, trust neither the content nor the identity of the site you are connecting to.
