Tag Archive for: revoke

Let’s Encrypt discovers CAA bug, must revoke customer certificates

Unfortunately, most if not all Let's Encrypt users will need to manually force-renew their certificates before Wednesday. It's at least an easy process.

On Leap Day, Let’s Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.

The bug opens up a window of time in which a certificate might be issued even though a CAA record in that domain’s DNS should prohibit it. As a result, Let’s Encrypt is erring on the side of security and safety rather than convenience: it is revoking every currently issued certificate it can’t be certain is legitimate, saying:

Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.

If you’re not able to renew your certificate by March 4, the date we are required to revoke these certificates, visitors to your site will see security warnings until you do renew the certificate.

Let’s Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let’s Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.
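To make the CAA mechanism the article describes concrete, here is an added example (not code from the article, from Let’s Encrypt or from Boulder) that evaluates a domain’s CAA records the way RFC 8659 prescribes and then gates issuance on a fresh result. Everything in it is constructed: the DNS data is an inline dictionary rather than a real lookup, the names `example.com`, `locked.example.net`, `wild.example.org` and `other-ca.example` are invented, and the `max_check_age` freshness window is an assumed policy knob, not a value taken from the article.

```python
"""CAA issuance check (RFC 8659) over a constructed DNS zone, plus a freshness gate.

Added example; not code from Ars Technica, Let's Encrypt or Boulder.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed CAA data for the demonstration; no real DNS is queried.
CONSTRUCTED_CAA: Dict[str, List[CaaRecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.net": [(0, "issue", ";")],  # ";" alone forbids every CA
    "wild.example.org": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "other-ca.example"),
    ],
}


def lookup_caa(name: str) -> List[CaaRecord]:
    """Stand-in for a DNS CAA query against the constructed zone above."""
    return CONSTRUCTED_CAA.get(name.lower(), [])


def relevant_caa_set(name: str) -> Optional[List[CaaRecord]]:
    """RFC 8659 section 3: walk from the name towards the root and use the
    first non-empty CAA RRset found; None means no CAA anywhere in the tree."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def _issuer_domain(value: str) -> str:
    # An issue/issuewild value is an issuer domain, optionally followed by
    # ";param=value" pairs; a bare ";" yields "" and therefore matches no CA.
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca_domain: str) -> bool:
    """True if CAA permits ca_domain to issue for name (wildcards use issuewild
    when present, falling back to issue otherwise, per RFC 8659 section 4.3)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_caa_set(base)
    if rrset is None:
        return True  # no CAA records: issuance is not restricted
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        records = [v for (_, t, v) in rrset if t.lower() == tag]
        if records:
            return any(_issuer_domain(v) == ca_domain.lower() for v in records)
    return True  # CAA set exists but carries no issue/issuewild property


def issue_decision(
    name: str,
    ca_domain: str,
    cached: Optional[Tuple[bool, float]],
    now: float,
    max_check_age: float = 8 * 3600,  # assumed freshness window (seconds)
) -> Tuple[bool, str]:
    """Issuance-time gate. `cached` is (allowed, checked_at) from an earlier CAA
    check. A missing or stale cached answer is never trusted: the CAA set is
    evaluated again right now, which is the property whose absence creates the
    window the article describes."""
    if cached is not None and now - cached[1] <= max_check_age:
        return cached[0], "fresh cached CAA result"
    return ca_may_issue(name, ca_domain), "CAA re-evaluated at issuance"


if __name__ == "__main__":
    print(ca_may_issue("www.example.com", "letsencrypt.org"))       # True
    print(ca_may_issue("locked.example.net", "letsencrypt.org"))    # False
    print(issue_decision("locked.example.net", "letsencrypt.org", (True, 0.0), now=9 * 3600))
```

The second function is the part worth carrying into a real issuance pipeline: an authorization check performed well before issuance is only as good as its age, so the decision that actually mints a certificate should re-run the CAA evaluation when the cached result is older than the policy window.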

Biz & IT – Ars Technica

DHS CISO: Revoke security clearance of feds who keep falling for phishing scams

Numerous federal agencies rely on legacy systems that have security bolted on as an afterthought instead of security “being deeply embedded” in the systems. It is unsurprising that such older hardware, software and operating systems are vulnerable to intrusions. But sometimes security problems have more to do with human vulnerabilities – stupid PEBKAC and ID10T errors committed by the person behind the keyboard – than legacy systems. If the same people who handle sensitive government information also keep falling for phishing scams, should they have their security clearance revoked? Indeed they should, according to DHS chief security officer Paul Beckman.

Network World Security

Adobe to revoke crypto key abused to sign malware apps (corrected)

Adobe is revoking a cryptographic key used to confirm the authenticity of its applications after discovering it was compromised by attackers who abused it to validate malicious software.

The “inappropriate use” of the Adobe code signing certificate was pulled off by attackers who compromised a build server used to compile and package the company’s applications, Adobe officials said in a statement published on Thursday. The server had access to the Adobe code-signing infrastructure, which forensic investigators have determined was used to sign two samples of malicious software.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” officials wrote. The private key associated with the code validation process was stored in hardware security modules and was not extracted during the intrusion, Adobe investigators determined. There is no evidence that any source code was stolen.

Ars Technica » Technology Lab