Let’s Encrypt Stops Certificate Hijack Flaw: Can Our Industry Do More?

January 24, 2018 | Eva Hanscom

Earlier this month, Let’s Encrypt spotted an issue in the ACME protocol’s TLS-SNI-01 challenge. Cyber attackers could have used this vulnerability to obtain certificates for domains they did not own.

Here is how the challenge works, and where it breaks down when hosting providers aren’t carefully controlling subdomains: “The ACME server looks up the domain name’s IP address, initiates a TLS connection, and sends the specific .acme.invalid hostname in the SNI extension,” said ISRG executive director Josh Aas. “If the response is a self-signed certificate containing that hostname, the ACME client is considered to be in control of the domain name, and will be allowed to issue certificates for it.” The problem is that the party serving that certificate may or may not be the owner of the domain.
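To make the validation logic described above concrete, here is an added example in Go (not code from Let’s Encrypt, ISRG or Venafi). It derives a challenge hostname, builds the self-signed certificate an ACME client would serve for it, and runs the server-side check the quote describes, which shows exactly what that check does not establish: who was able to install a certificate at that IP address. It then shows the kind of control a hosting provider would need on its own side: refusing to serve customer-uploaded certificates for names the customer does not own, and for anything under .acme.invalid. The hostname derivation follows my reading of the ACME draft (Z = hex SHA-256 of the key authorization, split as Z[0:32].Z[32:64].acme.invalid) and should be treated as an assumption; the token, thumbprint and customer domain names are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// tlsSNI01Name derives the .acme.invalid hostname for a key authorization.
// Assumption: follows draft-ietf-acme-acme-01 as I read it:
// Z = hex(SHA-256(keyAuthorization)); name = Z[0:32] "." Z[32:64] ".acme.invalid".
func tlsSNI01Name(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	z := hex.EncodeToString(sum[:])
	return z[:32] + "." + z[32:] + ".acme.invalid"
}

// selfSignedCertFor builds the throwaway self-signed certificate an ACME client
// (or, on weakly controlled shared hosting, anyone who can upload a certificate)
// would present when the validation server sends dnsName in the SNI extension.
func selfSignedCertFor(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validatesTLSSNI01 mirrors the check quoted in the article: the certificate returned
// for the SNI name must be self-signed and must contain that name. Nothing here ties
// the certificate to the domain owner; only to whoever answers at the IP address.
func validatesTLSSNI01(cert *x509.Certificate, expectedName string) bool {
	// Self-signed: issuer equals subject and the certificate verifies its own signature.
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return false
	}
	for _, n := range cert.DNSNames {
		if strings.EqualFold(n, expectedName) {
			return true
		}
	}
	return false
}

// rejectUploadedCert is the provider-side control the article calls for (my suggested
// shape of it, not a documented vendor policy): never serve a customer-supplied
// certificate for an ACME validation hostname or for a name the customer does not own.
func rejectUploadedCert(cert *x509.Certificate, ownedByCustomer []string) (bool, string) {
	for _, n := range cert.DNSNames {
		lower := strings.ToLower(n)
		if strings.HasSuffix(lower, ".acme.invalid") {
			return true, "names an ACME validation hostname: " + n
		}
		owned := false
		for _, o := range ownedByCustomer {
			if strings.EqualFold(o, n) {
				owned = true
				break
			}
		}
		if !owned {
			return true, "customer does not own " + n
		}
	}
	return false, ""
}

func main() {
	// Constructed sample key authorization; real values come from the ACME server.
	name := tlsSNI01Name("constructed-token.constructed-account-thumbprint")
	cert, err := selfSignedCertFor(name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("challenge name: %s\nvalidation server check passes: %v\n", name, validatesTLSSNI01(cert, name))
	rej, why := rejectUploadedCert(cert, []string{"customer.example"})
	fmt.Printf("provider should reject this upload: %v (%s)\n", rej, why)
}
```

The two functions are deliberately separate: the first is what the CA can verify from the outside, and the second is what only the hosting provider can enforce, which is the point Nair makes below about the effectiveness of Let’s Encrypt’s response depending on providers.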

As a result of the vulnerability, Let’s Encrypt disabled TLS-SNI-01 for most major web service providers. Let’s Encrypt’s quick response is commendable; however, there is only so much a certificate authority can do when responding to these kinds of events.

“Let’s be clear -- this is really about weak security practices by some hosting providers,” says Hari Nair, director of cryptographic research for Venafi. “Let’s Encrypt has mitigated the damage to a certain extent, but ultimately, the effectiveness of their steps depends on how well hosting providers implement certificate security on their end.”

Despite the seriousness of this issue, it may be a while before we see an industry-wide response. “It’s possible that there could be a spate of revocations in response to this event,” Nair continues. “The reality is that detection of mis-issued certificates is extremely hard and checking for revocation status is not something that the industry has traditionally done well, so it’s not clear how much impact revocations will have.”

However, we may see additional impact and revocations due to the evolving relationship between CAs and web browser companies.

“Google’s move to require Certificate Transparency for *all* certificates, including DV certs, will help surface these kinds of issues sooner, but that move is currently slated for April 2018. In the meantime, the only thing organizations can do to protect themselves is to stay vigilant in their efforts to monitor for mis-issued or maliciously issued certificates. The problem is that the vast majority of organizations don’t have the technology they need to do this,” concludes Nair.

Are your certificates safe?
