Bonum Certa Men Certa

Techrights Urges Readers to Ask the Linux Foundation's Let's Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions

Logo of Let's Encrypt



Summary: It's not impossible that the bug in Let's Encrypt was introduced by a rogue insider, if not someone further up above; Let's Encrypt must address critical questions or be widely seen as a compromised, untrustworthy CA

JUST like the Linux Foundation, Let's Encrypt is using Microsoft GitHub for their site and for their code. So much for security, eh? It's owned by Microsoft, possibly the NSA's closest partner. But putting that aside, today's certificates avalanche led us to discovering that the Foundation's executive who came there from James Clapper's office has left the Foundation (she vanished from the management's page). It's likely just a coincidence, but bringing that up isn't crazy. We wrote about half a dozen articles already about how the Linux Foundation works for 'surveillance capitalism' and the 'security state'. It's a matter of public record and it's easily provable using basic open source intelligence (OSINT).



At work last night, I actually had to step in for clients and urgently change certificates (to avert downtime of critical services). The fiasco is starting to show up in more of the media (but not much of it so far).

We have some facts. For instance, it is clear that somebody changed the code and we don't know when exactly. This article explains that "Let’s Encrypt explained on Tuesday [less than a day early] it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates."

Here's what they told the writer: "Josh Aas, executive director of Let’s Encrypt, said in a statement to Threatpost, “A bug was introduced in our code during a feature flag update. Under certain conditions, this bug caused us to skip a check that we are required to perform before issuing a certificate. We determined that the bug affected about 3 million, or about 2.6 percent, of our active certificates. Unfortunately, we need to revoke these certificates, which we will be doing within the compliance timeline set forth by the Baseline Requirements.”"

According to this, "Let's Encrypt will be revoking 3,048,289 currently-valid certificates" (notice how they're contradicting themselves with the numbers).

"As part of the rules for this feature," it adds, "authorities must check CAA records at most 8 hours before a certificate is issued."

Also: "With only 24 hours to renew their certificates, many users are scrambling to get them done and some are running into issues."

Yes, I should know. This caused much alarm where I work. It's a fiasco.

We urge readers to ask Let's Encrypt the following questions (maybe more, maybe less)



The E-mail address to reach them on: security@letsencrypt.org

Alternative/additional E-mail: press@letsencrypt.org

Please share their answers, if any, with us.

If they fail to even respond to these questions, that will not inspire confidence, will it?

Remember Gemalto?

Recent Techrights' Posts

Corporate Media: Blame the People Who Enter the Abandoned IBM Buildings, Not IBM for Abandoning Workers in Pursuit of IT Sweatshops
When the media spreads falsehoods stocks can go up (a lot higher), but at whose expense and how long for?
SUEPO Munich Report on the Recent EPO Demonstration and Rolling Strikes That Continue to Grow
"increasing registrations for the 'rolling strikes' running until autumn"
Gemini Links 11/07/2026: Old Computer challenge, Poems, Antenna, and More
Links for the day
 
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, July 11, 2026
IRC logs for Saturday, July 11, 2026
Blogs May be Making a Comeback (They're Not Fediverse, They Are Joined by RSS Feeds)
Don't fake expansion where none existed
ChromeOS and GNU/Linux in the United Kingdom Reach 11%
the UK shows signs of digital maturity
Canonical is Selling Microsoft, It Pays The Register MS to Sell Microsoft
It's all about money to them. And they call this journalism.
When Red Hat's HR Becomes the Same as IBM's HR (Bluewashing)
Red Hat keeps sacking very experienced engineers and adding temporary interns
GNU/Linux Growing in East Asia
Assuming this is more or less accurate, we could use a plausible explanation
Over a Week After Microsoft Discontinued Some XBox Models It Apparently Exits Some Markets Altogether
We seem to be witnessing the end of XBox
Links 11/07/2026: "Trademark wars of Influencer Culture", Xinuos Uses Copyrights Versus UNIX
Links for the day
North America: GNU/Linux Measured at 10%
To better understand what contributes to the gains
Following Corrections and Adjustments statCounter Sees GNU/Linux at 7.1%, an All-Time High
There is a lot of layoffs at Microsoft this month
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, July 10, 2026
IRC logs for Friday, July 10, 2026
Links 11/07/2026: Wednesday-Saturday News Catch-up
Links for the day
Prioritising High-Importance News
In order to fully catch up with news we'll not publish many new articles until next week
The Register MS: "AI" More Than 80 Times in One Article. But It's Not an Article, It's Sponsored Keyword-stuffed Page.
The Register MS is being paid to actively promoted this scheme
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 09, 2026
IRC logs for Thursday, July 09, 2026
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 08, 2026
IRC logs for Wednesday, July 08, 2026