Bonum Certa Men Certa

Techrights Urges Readers to Ask the Linux Foundation's Let's Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions

Logo of Let's Encrypt



Summary: It's not impossible that the bug in Let's Encrypt was introduced by a rogue insider, if not someone further up above; Let's Encrypt must address critical questions or be widely seen as a compromised, untrustworthy CA

JUST like the Linux Foundation, Let's Encrypt is using Microsoft GitHub for their site and for their code. So much for security, eh? It's owned by Microsoft, possibly the NSA's closest partner. But putting that aside, today's certificates avalanche led us to discovering that the Foundation's executive who came there from James Clapper's office has left the Foundation (she vanished from the management's page). It's likely just a coincidence, but bringing that up isn't crazy. We wrote about half a dozen articles already about how the Linux Foundation works for 'surveillance capitalism' and the 'security state'. It's a matter of public record and it's easily provable using basic open source intelligence (OSINT).



At work last night, I actually had to step in for clients and urgently change certificates (to avert downtime of critical services). The fiasco is starting to show up in more of the media (but not much of it so far).

We have some facts. For instance, it is clear that somebody changed the code and we don't know when exactly. This article explains that "Let’s Encrypt explained on Tuesday [less than a day early] it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates."

Here's what they told the writer: "Josh Aas, executive director of Let’s Encrypt, said in a statement to Threatpost, “A bug was introduced in our code during a feature flag update. Under certain conditions, this bug caused us to skip a check that we are required to perform before issuing a certificate. We determined that the bug affected about 3 million, or about 2.6 percent, of our active certificates. Unfortunately, we need to revoke these certificates, which we will be doing within the compliance timeline set forth by the Baseline Requirements.”"

According to this, "Let's Encrypt will be revoking 3,048,289 currently-valid certificates" (notice how they're contradicting themselves with the numbers).

"As part of the rules for this feature," it adds, "authorities must check CAA records at most 8 hours before a certificate is issued."

Also: "With only 24 hours to renew their certificates, many users are scrambling to get them done and some are running into issues."

Yes, I should know. This caused much alarm where I work. It's a fiasco.

We urge readers to ask Let's Encrypt the following questions (maybe more, maybe less)



The E-mail address to reach them on: security@letsencrypt.org

Alternative/additional E-mail: press@letsencrypt.org

Please share their answers, if any, with us.

If they fail to even respond to these questions, that will not inspire confidence, will it?

Remember Gemalto?

Recent Techrights' Posts

Windows is an Unnatural Disaster, It is Also Avoidable
there's a wide window of opportunity opening
Killing the News With Spam and Slop Benefits Those Whose Desire is an Uninformed Population
adoption of Free software depends indirectly on political activities/activism
Open Source Initiative (OSI) Privacy Fiasco in Detail: An Introduction
Perhaps tomorrow or perhaps next week we'll share more information about what happened and what was reported to the California Privacy Protection Agency
IBM's BS (Bait, Switch) Regarding Ways to Stay Onboard
PIPs, RTOs, and forced relocations are just an illusion of choice (or ability to recover)
Banned evidence: Ars Technica forums censored email predicting DebConf23 death, Abraham Raji & Debian cover-up
Reprinted with permission from Daniel Pocock
 
Links 30/03/2025: "Quantum Randomness" and "F-1 Visa Revoked" in US
Links for the day
Gemini Links 30/03/2025: US as a Threat, Returning to the WWW
Links for the day
Links 30/03/2025: Judge Blocks Dismantling Of VOA, Turkey Arrested Many Journalists
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, March 29, 2025
IRC logs for Saturday, March 29, 2025
Judges Would Never Rule for Men Who Strangle Women or Against Women Who Merely Wrote Articles About Abuse They Had Received From Men
We don't intend to do "trial by media", so we won't be disclosing claims and defences until it's over
Gemini Links 29/03/2025: Less YouTube and More Station
Links for the day
In Some Countries, Such as Thailand, Firefox is Already Measured at Less Than 2% (One Day Firefox Will Get Blocked, Not Only Lack Support)
Web consolidation around Chrom-isms will doom the Web as we know it
Links 29/03/2025: Trademarks Battles, Fires Destroy More Than 3,000 South Korean Homes
Links for the day
Links 29/03/2025: More Crackdowns on Science, "Hey Hi" Slopping is Flopping
Links for the day
Costa Rica Almost Bankrupt Because of Microsoft
the incidents in Costa Rica are Windows incidents
Gemini Links 29/03/2025: Art of Looking, Wireguard, EMacs
Links for the day
Links 29/03/2025: Attacks on Social Security and War Updates
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, March 28, 2025
IRC logs for Friday, March 28, 2025
Intimidation, Threats, and Bullying Not Tolerated by Techrights
When it comes to our reporting, safety always comes first
A World Without Rules
We're long insisted on better laws and actual enforcement of them (applicable to all, not selectively applied)
statCounter Sees Microsoft Windows Falling to New, Unprecedented Lows in Palau
Taking Android into account, Windows is now down to an all-time low of 14%
Google News Lost the Fight to LLM Slop (While Google Itself Sells Slop, Nowadays Under the Name "Gemini")
Many people say that "Google is getting worse"; that's almost an understatement
Links 28/03/2025: AirAsia Trouble Again, UMich Culls All DEI Programs
Links for the day
Gemini Links 28/03/2025: Alexa is for Gullible People, Rant About Feature Overload
Links for the day
The SLAPPs From the Microsoft Strangler (and Sidekick) No Better Than Patent Trolling
one must never settle with trolls
Something to Celebrate in Gemini Protocol
More capsules and users join in
Links 28/03/2025: Last Reminder "to Delete Your 23andMe Data", "UK's First Permanent Facial Recognition Cameras Installed"
Links for the day
Microsoft Canonical Continues Its FUD (Fear, Uncertainty, Doubt) Campaign, Reveals Google Too Sponsored It
They're paid-for lies from a Chinese company that takes GAFAM money to write puff pieces about them
Android Rises Above 76% in Mozambique, Leaving Windows in the Dust
Windows may soon be measured as smaller than Apple's iOS
IBM, Red Hat and Microsoft Probably Also Manipulate Metrics (It Helps Con the Shareholders)
Wall Street's credibility will depend on enforcement of "checks and balances"
Slopwatch: trendhunter.com and Other Pure Junk From "Google News"
The need to vet sources is hardly new; anyone can spew out anything, anywhere. There's a need for vetting.
Gemini Links 28/03/2025: Rewatching The X-Files, Slop Concerns, and NOSTR Censorship
Links for the day
Links 28/03/2025: Australia at Risk, EPO Grants Illegal Patents With Illegal Effect
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, March 27, 2025
IRC logs for Thursday, March 27, 2025