
03.04.20

Techrights Urges Readers to Ask the Linux Foundation’s Let’s Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions

Posted in GNU/Linux, Security at 3:43 am by Dr. Roy Schestowitz

Logo of Let's Encrypt

Summary: It’s not impossible that the bug in Let’s Encrypt was introduced by a rogue insider, if not someone further up above; Let’s Encrypt must address critical questions or be widely seen as a compromised, untrustworthy CA

JUST like the Linux Foundation, Let’s Encrypt is using Microsoft GitHub for their site and for their code. So much for security, eh? It’s owned by Microsoft, possibly the NSA’s closest partner. But putting that aside, today’s certificates avalanche led us to discover that the Foundation's executive who came there from James Clapper's office has left the Foundation (she vanished from the management's page). It’s likely just a coincidence, but bringing that up isn’t crazy. We wrote about half a dozen articles already about how the Linux Foundation works for ‘surveillance capitalism’ and the ‘security state’. It’s a matter of public record and it’s easily provable using basic open source intelligence (OSINT).

At work last night, I actually had to step in for clients and urgently change certificates (to avert downtime of critical services). The fiasco is starting to show up in more of the media (but not much of it so far).

We have some facts. For instance, it is clear that somebody changed the code and we don’t know when exactly. This article explains that “Let’s Encrypt explained on Tuesday [less than a day earlier] it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates.”

Here’s what they told the writer: “Josh Aas, executive director of Let’s Encrypt, said in a statement to Threatpost, “A bug was introduced in our code during a feature flag update. Under certain conditions, this bug caused us to skip a check that we are required to perform before issuing a certificate. We determined that the bug affected about 3 million, or about 2.6 percent, of our active certificates. Unfortunately, we need to revoke these certificates, which we will be doing within the compliance timeline set forth by the Baseline Requirements.””

According to this, “Let’s Encrypt will be revoking 3,048,289 currently-valid certificates” (notice how they’re contradicting themselves with the numbers).

“As part of the rules for this feature,” it adds, “authorities must check CAA records at most 8 hours before a certificate is issued.”

Also: “With only 24 hours to renew their certificates, many users are scrambling to get them done and some are running into issues.”
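The CAA rule quoted above (CAA records checked at most 8 hours before issuance, for every name on the certificate) is easier to reason about as code. What follows is an added example written for this page, not Let's Encrypt's or Boulder's code; the zone data, the CA identifier `ca.example.test` and the timestamps are constructed. It models what a correct issuance gate has to do: a per-name CAA lookup with RFC 8659 tree climbing, the `issue`/`issuewild` decision, and a freshness check that refuses to issue when any requested name has no recorded check or a check older than 8 hours, which is the class of skipped check the statement above describes.

```python
# Constructed example of a CAA issuance gate. Not Let's Encrypt / Boulder
# code; the zone, CA identifier and timestamps below are made up.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Baseline Requirements window quoted in the post: CAA must have been
# checked at most 8 hours before issuance; anything older is unusable.
CAA_MAX_AGE = timedelta(hours=8)
CRITICAL = 0x80  # CAA "issuer critical" flag bit (RFC 8659)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


@dataclass(frozen=True)
class CAACheck:
    """Outcome of one CAA lookup: the records found for a name and when."""
    name: str
    records: tuple
    checked_at: datetime


def lookup_caa(zone, name):
    """Climb from `name` toward the root and return the closest CAA RRset
    (RFC 8659 tree climbing). `zone` is a constructed stand-in for DNS."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return tuple(rrset)
    return ()


def _issuer_domain(value):
    # "ca.example.test; accounturi=..." -> "ca.example.test"; ";" -> ""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, ca_identifier, wildcard=False):
    """RFC 8659 decision: may the CA identified by `ca_identifier` issue?"""
    # An unrecognised property marked critical forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # For wildcard names, issuewild (when present) overrides issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue/issuewild property: issuance unrestricted
    return any(_issuer_domain(r.value) == ca_identifier.lower() for r in relevant)


def issuance_allowed(names, checks, ca_identifier, now):
    """Every requested name needs its own fresh, permitting CAA check.
    Returns (ok, reason); a missing check is as fatal as a denying one."""
    by_name = {c.name: c for c in checks}
    for name in names:
        check = by_name.get(name)
        if check is None:
            return False, f"no CAA check performed for {name}"
        age = now - check.checked_at
        if age > CAA_MAX_AGE:
            return False, f"CAA check for {name} is {age} old, over the 8h limit"
        if not caa_permits(check.records, ca_identifier, wildcard=name.startswith("*.")):
            return False, f"CAA for {name} does not authorize {ca_identifier}"
    return True, "all names have fresh CAA authorization"


ZONE = {  # constructed DNS data
    "example.test": [CAARecord(0, "issue", "ca.example.test"),
                     CAARecord(0, "iodef", "mailto:security@example.test")],
    "locked.example.test": [CAARecord(0, "issue", ";")],
    "wild.example.test": [CAARecord(0, "issue", "ca.example.test"),
                          CAARecord(0, "issuewild", "other-ca.test")],
}
CA = "ca.example.test"  # hypothetical CA identifier


def demo(now=None):
    """Run the gate over the failure modes a CA must catch; returns name -> ok."""
    now = now or datetime(2020, 3, 3, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(hours=1), now - timedelta(hours=9)

    def check(name, at):
        return CAACheck(name, lookup_caa(ZONE, name), at)

    return {
        "ok": issuance_allowed(["www.example.test"], [check("www.example.test", fresh)], CA, now)[0],
        "stale": issuance_allowed(["www.example.test"], [check("www.example.test", stale)], CA, now)[0],
        # two names requested, only one checked: the skipped-check case
        "skipped": issuance_allowed(["a.example.test", "b.example.test"],
                                    [check("a.example.test", fresh)], CA, now)[0],
        "locked": issuance_allowed(["locked.example.test"], [check("locked.example.test", fresh)], CA, now)[0],
        "wildcard": issuance_allowed(["*.wild.example.test"], [check("*.wild.example.test", fresh)], CA, now)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} -> {'issue' if ok else 'refuse'}")
```

The design point is that the gate is keyed by requested name, so a request for several names cannot pass on the strength of one name's lookup, and that freshness is evaluated against the time of issuance rather than the time the check was queued.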

Yes, I should know. This caused much alarm where I work. It’s a fiasco.

We urge readers to ask Let’s Encrypt the following questions (maybe more, maybe less):

  • When did you find out about this bug?
  • Why was it not there before?
  • Which worker is responsible for this bug?
  • When was this worker hired?
  • Is this worker still working for you?
  • Why were the certificates all revoked so fast?
  • Why was this barely announced to the public? Should the Foundation not shout from the rooftops to avert disasters (as opposed to saving face)?
  • Were particular parties/stakeholders informed well in advance?
  • Were government entities informed in advance (in the name of “national security”) and, if so, how long in advance?

The E-mail address to reach them on: security@letsencrypt.org

Alternative/additional E-mail: press@letsencrypt.org

Please share their answers, if any, with us.

If they fail to even respond to these questions, that will not inspire confidence, will it?

Remember Gemalto?

