Bugzilla #1735247
Certificate Misissuance
Let's Encrypt: Mis-issued certificates related to SC48v2
Status: RESOLVED FIXED
Internet Security Research Group
AI Summary
Let's Encrypt identified a mis-issuance of certificates caused by a software bug that allowed issuance for certain domain labels that violated the Baseline Requirements as amended by Ballot SC48v2, effective October 1, 2021. Upon receiving a report on October 11, 2021, they halted issuance, confirmed the issue, and deployed a fix within hours. The affected certificates were revoked promptly; an audit identified a total of seven non-compliant certificates. The incident was resolved, with a full incident report to follow.
Chronology
- New Baseline Requirements (Ballot SC48v2) went into effect.
- Mis-issuance report received; issuance halted.
- Fix deployed and issuance restored.
- Audit revealed 7 affected certificates, which were revoked.
Participants
Jillian Karner
Brett Wilson
Similar Local Cases
- Let's Encrypt: TLS Using ALPN Allows Additional Identifiers in Challenge Certificate
- Let's Encrypt: Gen Y Cross-Certified Subordinate CAs missing serverAuth EKU
- Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
- Let's Encrypt: CAA Misissuances
- GlobalSign: Issuance of test certificate (pre-certificate) for EV SSL/QWAC with no EKU extension
- Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild
- FNMT: LDAP URI in CRL Distribution Points Extension
- Telia: S/MIME certificates issued in violation of S/MIME BR v1.0.1