Overnight, Let’s Encrypt announced that they had a potential vulnerability and disabled part of their SSL certificate issuing infrastructure. At 09:35, further details were made available, revealing that the vulnerability affected shared hosting providers with a particular setup. Unfortunately, our Professional Hosting services matched that configuration, so we immediately set about taking steps to mitigate the vulnerability, ahead of being contacted by Let’s Encrypt.
As we provide a simple, one-click process for enabling Let’s Encrypt SSL, there is no legitimate reason for anyone to upload an SSL certificate whose names include the .acme.invalid domain, so we have simply blocked the upload of any certificate containing names that match it.
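As an added illustration, not code from the hosting provider, here is what such an upload check can look like in Go: it walks every certificate in an uploaded PEM bundle and flags any whose Subject CN or DNS SAN falls under .acme.invalid, the name space the TLS-SNI-01 validation relies on. The function names `ContainsAcmeInvalidName` and `SelfSignedPEM` are assumed, and `SelfSignedPEM` only builds constructed test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const ForbiddenSuffix = ".acme.invalid" // reserved name space used by TLS-SNI-01 validation

// ContainsAcmeInvalidName reports whether any certificate in a PEM bundle names a
// Subject CN or DNS SAN under .acme.invalid; an unparseable certificate is an error.
func ContainsAcmeInvalidName(pemBundle []byte) (bool, error) {
	for block, rest := pem.Decode(pemBundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // skip private keys and other PEM blocks
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, fmt.Errorf("unparseable certificate: %w", err)
		}
		for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
			if strings.HasSuffix(strings.ToLower(n), ForbiddenSuffix) {
				return true, nil
			}
		}
	}
	return false, nil
}

// SelfSignedPEM builds a throw-away self-signed certificate with the given DNS SANs (constructed test input only).
func SelfSignedPEM(dnsNames []string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

The upload handler should still require at least one parseable certificate in the bundle; this check only answers whether a reserved validation name is present.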
The Professional Hosting platform is now secure against this vulnerability. As our other platforms are not shared hosting, this vulnerability does not affect them.