Bugzilla #1742704 Certificate Problem Report

Let's Encrypt: Potential Denial of Service against websites with broad private key reuse

RESOLVED FIXED Internet Security Research Group
AI Summary

Let's Encrypt identified a bug in its ACME implementation that could lead to a denial of service by allowing unauthorized revocation of certificates. The issue arose when a certificate was revoked with the 'keyCompromise' reason without proper proof of control over the private key; because a keyCompromise revocation blocks the key itself, this led to a cascading revocation of approximately 130,000 certificates that shared that key. A patch was deployed within eight hours of discovery, and the incident was reported to the CA/B Forum Management list for responsible disclosure. The bug highlights potential vulnerabilities in ACME implementations and the need for stringent controls during certificate revocation.

Model: gpt-4o-mini Generated: 2026-06-13 21:15 UTC Confidence: 0.90
Chronology
  1. Bug discovered and patch deployed
  2. Incident reported to CA/B Forum Management list
Participants
J.C. Jones [:jcj]
Ben Wilson
Similar Local Cases
#1886876 RESOLVED Certificate Problem Report Opened 2024-03-21 · Closed 2024-04-17 · 58% similar
Let's Encrypt: keyCompromise key blocking deviation from CP/CPS
#1799755 RESOLVED Certificate Problem Report Opened 2022-11-08 · Closed 2024-05-09 · 58% similar
Let's Encrypt: End Entity CRLs Not Reissued On Time
#1648840 RESOLVED Certificate Problem Report Opened 2020-06-26 · Closed 2023-02-22 · 58% similar
Let's Encrypt: OCSP responses with no revocationReason
#1921573 RESOLVED Certificate Problem Report Opened 2024-09-27 · Closed 2024-11-06 · 51% similar
Let's Encrypt: No Meaningful Subject Distinguished Name
#1625322 RESOLVED Certificate Problem Report Opened 2020-03-26 · Closed 2023-02-22 · 51% similar
Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours
#1955721 RESOLVED Certificate Problem Report Opened 2025-03-21 · Closed 2025-06-10 · 50% similar
Let's Encrypt: Failure to Document Analysis of Detected Vulnerabilities
#1793114 RESOLVED Certificate Problem Report Opened 2022-09-30 · Closed 2023-02-22 · 50% similar
Let's Encrypt: Incomplete and Inconsistent CRLs
#1462735 RESOLVED Certificate Problem Report Opened 2018-05-18 · Closed 2023-02-22 · 50% similar
Let's Encrypt: Case-sensitive CAA tag processing

