
#cybersecurity | hacker | Bug prompts Let’s Encrypt to revoke over 3M TLS certificates

Source: National Cyber Security – Produced By Gregory Evans

Beginning today, Let’s Encrypt is revoking more than 3 million of its Transport Layer Security (TLS) certificates, following the discovery of a bug that affects the way it rechecks CAA (Certificate Authority Authorization) records.

“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days,” explained Jacob Hoffman-Andrews, Let’s Encrypt engineer, in a Feb. 29 post on the nonprofit certificate authority’s website. However, when certificate issuance is delayed for more than eight hours, Let’s Encrypt must recheck CAA records, even though the records were originally checked during the domain control validation process. That’s where the vulnerability comes into play.

Hoffman-Andrews described the bug, which was introduced on July 25, 2019, as follows: “[W]hen a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

Altogether, 3,048,289 certificates are affected, or roughly 2.6 percent of the approximately 116 million active certificates issued by Let’s Encrypt, which is operated by the San Francisco, Calif.-based Internet Security Research Group. One million of these are duplicates of certificates that typically are reissued on a frequent basis, Hoffman-Andrews further explained on the Bugzilla website as well as in an FAQ page on the Let’s Encrypt site.

Let’s Encrypt identified its CA software vendor as Boulder. The certificate authority said the bug was originally reported by a Let’s Encrypt community member on February 18 and was fixed on Feb. 29. Let’s Encrypt has since created a tool for users to determine whether they are affected by the vulnerability. Affected subscribers are encouraged to renew and replace their impacted certificates.


#cybersecurity | #hackerspace | Over 750,000 Applications for US Birth Certificates Left Exposed Online

Quick question, were you born in the United States? Have you recently applied for a new copy of your birth certificate? Well, you could be one of the unfortunate people whose birth certificate application was left exposed online.

It has been reported that more than 750,000 applications for copies of U.S. birth certificates have been left exposed without any access control in a misconfigured cloud server within an Amazon Web Services (AWS) storage bucket.

https://securityboulevard.com/

*** This is a Security Bloggers Network syndicated blog from comforte Insights authored by Thomas Stoesser. Read the original post at: https://insights.comforte.com/over-750000-applications-for-us-birth-certificates-left-exposed-online


Birth certificates being revised for same-sex couples’ kids

More than a year after West Virginia officials began issuing marriage licenses to same-sex couples, state birth certificates for adopted children still list “mother” and “father” next to the blanks for the parents’ names.

Unlike other states that are resisting changing the certificates, the West Virginia Department of Health and Human Resources has said birth certificates are being revised and will be ready to be distributed early next month, The Charleston Gazette-Mail reports (http://bit.ly/1Jbyiok).

Department spokesman Toby Wagoner said this week that the process started several months ago, but software updates had caused the changes to take some time.

American Civil Liberties Union of West Virginia attorney Jamie Lynn Crofts said inaccurate birth certificates can lead to greater scrutiny or even rejection of the birth certificates by organizations that require the birth certificate as proof of the parental relationship.


Google catches French govt spoofing its domain certificates

France’s cyberdefence division, Agence nationale de la sécurité des systèmes d’information (ANSSI), has been detected creating unauthorised digital certificates for several Google domains. Google states on its own security blog that an intermediate certificate authority (CA) issued the certificate, which links back to ANSSI. “Intermediate CA certificates carry the full authority of the CA, so anyone who has […]