Think your site is secure? Well, it might not be now!

What happens when you suddenly discover your website is now telling the world it’s no longer safe to use?

Some very well-known websites have found themselves in this predicament and could stop functioning properly from Wednesday, 4th of March, after a bug was found in the digital certificates used to secure them. The organisation (Let’s Encrypt) that issues the certificates revealed that three million need to be immediately revoked. Visitors to affected sites will be greeted with an alert warning them the site they are visiting is insecure.

Let’s Encrypt is an automated and open Certificate Authority (CA) project backed by Google, Cisco and Facebook. The key principles behind Let’s Encrypt are:

• Automatic: Software running on a web server can interact with Let’s Encrypt to obtain a certificate, securely configure it for use, and automatically take care of renewal.

• Secure: Let’s Encrypt serves as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

• Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.

• Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.

• Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

What’s the consequence of the problem with security certificates?

Due to a critical failure in the issuing of security certificates, all issued certificates will be revoked by Let’s Encrypt, a move that could mean that millions of websites and/or machines that rely on protecting data in transit could be marked as insecure or, worst of all, become unavailable. Most versions of web browsers will now alert you to broken, invalidated or insecure websites.

How long do we have to fix this?

All certificates need to be re-keyed before March 5 2:00am (GMT), something which hasn’t gone down well in the industry.

Although, in our opinion, it’s better to rid the Internet of this flaw as soon as possible and just take it on the chin.

Is there anything you need to do?

If you are a Tickbox hosting client with an SSL certificate, then no. Your websites will be absolutely fine; we are keeping an eye on things. Our regular server maintenance and system checks always make sure that things are running as smoothly as possible.

If you aren’t hosting with us, then I think the question is why not? We’d be more than happy to facilitate any work or transfer to our services.

If you are interested in finding out more about our services, then please do get in contact with us, either by filling out our contact form, emailing us directly or calling 0117 3250091.