By r0gu3Sec | October 25, 2016 - 15:41 | Posted in CyberGuerrilla | 1 Comment
Let’s Encrypt’s Vulnerability

Let’s Encrypt’s Vulnerability As a Feature – AUTHZ Reuse and Eternal Account Key

The growth of Let’s Encrypt is phenomenal: 7 million certificates in the last four months.

The remaining hurdle for automation is supposedly verification of domain ownership. Well, actually, that is NOT true.

We were doing syntax testing – hoping to get the right kind of verification error … only to discover we had been successfully verified without providing any information.

Whatever you say about the Let’s Encrypt project, you can’t deny its success.

Issuance of certificates has been commoditized for a while and is definitely ripe for disruption.

Let’s Encrypt is that disruption, and its adoption, despite the shorter validity of certificates issued by the Let’s Encrypt CA, is exponential and really fast.


One Response to Let’s Encrypt’s Vulnerability

  1. As of last Thursday the validity is now 60 days! Goal is to eventually reduce this towards 7 days. Using cached domain authorization for issuance isn’t specific to Let’s Encrypt. Other CAs do this as well but with less visibility/control into the mechanics.

    You could issue a new certificate using an existing valid authz w/o solving a challenge before this feature existed. The reuse feature only addressed cases where the client asked for a new authz/challenge for a domain even though there already was a valid authz for that domain associated with the account. It was an optimization and did not change any security properties of the protocol or domain validation.
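The mechanics the post and the comment both describe, as an added illustration that is not code from the post, the commenter or Let’s Encrypt’s Boulder: a toy CA caches a valid authorization per account key, so a second order for the same domain inside the authorization lifetime is issued without a challenge, and the two controls a defender has are the lifetime itself and deactivating the authorization (ACME supports deactivation). The 60-day lifetime is the figure the commenter quotes; the day-based clock, domain and account name are constructed.

```python
from dataclasses import dataclass, field

AUTHZ_LIFETIME_DAYS = 60  # validity quoted in the comment; constructed model, not Boulder's value table


@dataclass
class Authz:
    domain: str
    validated_on: int       # day number on a constructed clock
    status: str = "valid"   # "valid" or "deactivated"

    def usable(self, today: int) -> bool:
        # A cached authz is honoured only while valid and inside its lifetime.
        return self.status == "valid" and today - self.validated_on < AUTHZ_LIFETIME_DAYS


@dataclass
class Account:
    key_id: str                                  # the long-lived ACME account key
    authzs: dict = field(default_factory=dict)   # domain -> Authz, keyed by account


class ModelCA:
    """Toy ACME-style CA that reuses valid authorizations per account (constructed)."""

    def __init__(self):
        self.log = []

    def new_order(self, acct: Account, domain: str, today: int) -> str:
        authz = acct.authzs.get(domain)
        if authz and authz.usable(today):
            self.log.append(f"day {today}: {acct.key_id} issued {domain} via cached authz")
            return "issued-without-challenge"
        # No usable authz: the client must solve a fresh domain-validation challenge.
        acct.authzs[domain] = Authz(domain, today)
        self.log.append(f"day {today}: {acct.key_id} solved challenge for {domain}")
        return "challenge-required"

    def deactivate(self, acct: Account, domain: str) -> None:
        # Defender control: deactivating the authz forces the next order to re-validate.
        if domain in acct.authzs:
            acct.authzs[domain].status = "deactivated"


def scenario():
    ca, acct = ModelCA(), Account("key-A")
    r1 = ca.new_order(acct, "example.com", today=0)     # first order: challenge
    r2 = ca.new_order(acct, "example.com", today=30)    # reuse: no challenge
    ca.deactivate(acct, "example.com")
    r3 = ca.new_order(acct, "example.com", today=31)    # after deactivation: challenge
    r4 = ca.new_order(acct, "example.com", today=91)    # lifetime exceeded: challenge
    return r1, r2, r3, r4
```

Shortening AUTHZ_LIFETIME_DAYS (the commenter's stated goal of moving towards 7 days) shrinks the window in which a stolen account key can issue without re-validation.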