Let’s Encrypt vulnerability

Overnight, Let’s Encrypt announced that they had a potential vulnerability and disabled part of their SSL certificate issuing infrastructure. At 09:35, further details were made available, revealing that the vulnerability affected shared hosting providers with a particular setup. Unfortunately, our Professional Hosting services matched that configuration, so we immediately set about taking steps to mitigate the vulnerability, ahead of being contacted by Let’s Encrypt.

As we provide a simple, one-click process for enabling Let’s Encrypt SSL, there is no legitimate reason for a customer to upload an SSL certificate whose names include the .acme.invalid domain, so we have simply prevented certificates containing names matching that from being uploaded.
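The upload-time check described above, as an added example in Go (not 34SP.com’s own code): it refuses any customer-supplied PEM certificate whose Common Name or Subject Alternative Name falls under .acme.invalid, the reserved suffix Let’s Encrypt’s TLS-SNI-01 challenge used for its validation certificates. The `rejectACMEValidationNames` hook and the self-signed test certificate it is exercised with are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// isACMEValidationName is true for acme.invalid or any label under it, ignoring case and a trailing dot.
func isACMEValidationName(name string) bool {
	n := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
	return n == "acme.invalid" || strings.HasSuffix(n, ".acme.invalid")
}

// rejectACMEValidationNames is a hypothetical upload hook for a hosting control panel: it refuses
// a customer-supplied PEM certificate whose Common Name or any SAN falls under .acme.invalid.
func rejectACMEValidationNames(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("unparseable certificate: %w", err)
	}
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if isACMEValidationName(n) {
			return fmt.Errorf("rejected: reserved validation name %q", n)
		}
	}
	return nil
}

// selfSignedPEM builds a throwaway self-signed certificate carrying the given names (constructed test data).
func selfSignedPEM(names []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: names[0]}, DNSNames: names,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Because the check runs on the parsed certificate rather than on the file name or a customer-typed hostname, it also catches a reserved name hidden among otherwise ordinary SANs.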

The Professional Hosting platform is now secure against this vulnerability. As our other platforms are not shared hosting, this vulnerability does not affect them.

Comments

There are 2 comments on “Let’s Encrypt vulnerability”

  1. Paul Mead (Silicon Bullet) January 16, 2018

    That’s great – glad to see you responded quickly.

    Reply
    • Stuart Melling January 17, 2018

      Thanks Paul, we try to keep on top of events like these as best we can and as quickly as we can.

      Reply
