Fallout from the transition highlights the need for organizations to monitor and have processes for updating CA roots, experts say.
October 14, 2021
On Sept. 30, the IdenTrust DST Root CA X3 root certificate, which digital certificate authority (CA) Let's Encrypt had relied on to cross-sign its certificates, expired. The tens of millions of websites and devices whose chains ended at that root had to trust Let's Encrypt's own ISRG Root X1 root before then, or run into problems.
Devices and browsers that did not pick up ISRG Root X1, and servers that kept serving a chain ending at the expired root, faced disruptions, since the Let's Encrypt HTTPS certificates that encrypt traffic to those sites could no longer be validated.
"As root CAs expire, any certificates that chain up to those roots will no longer be trusted," says Chris Hickman, chief security officer at Keyfactor. "This situation makes it imperative to monitor root CA expiration and manage root stores on end devices."
Scott Helme, founder of Security Headers, described the transition in a blog post as affecting everything from legacy devices and technologies to the latest versions of iOS and macOS. Even large organizations such as Google and Microsoft were impacted when their cloud products could no longer validate certificate chains from Let's Encrypt, Helme noted. A similar expiration of an AddTrust CA in May 2020 caused outages at a variety of organizations, including Stripe, Roku, and Spreedly, he wrote in a separate post.
Overall, the expiration of the IdenTrust DST Root CA X3 root on which Let's Encrypt's chain had depended caused less disruption than expected, yet the event underscored a familiar issue: the complexity and fragility of oft-forgotten TLS/PKI systems, according to Helme.
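Hickman's point about monitoring root expiration and managing root stores is straightforward to script. What follows is an added example, not code from this article, from Keyfactor, or from Let's Encrypt: a standard-library Python scanner that walks each certificate in a PEM trust-store bundle far enough into the RFC 5280 layout to read the subject common name and the validity period, then flags roots that have expired or fall inside a warning window, and reports which required replacement roots are absent. The function names (scan_bundle, missing_roots, fake_root, demo_report) and the SAMPLE_BUNDLE constant are this example's own. The three sample entries are constructed, unsigned certificate skeletons that carry only the published names and expiry dates of AddTrust External CA Root, DST Root CA X3 and ISRG Root X1; they are not the real certificates and would not validate anywhere.

```python
# Added example (not from the article): scan a PEM trust-store bundle for roots
# that have expired or are about to, using only the standard library.
import base64
import datetime as dt
import re

UTC = dt.timezone.utc

def _tlv(buf, pos):
    """Decode one DER tag-length header; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280 4.1.2.5."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime: YY >= 50 means 19YY, else 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def _common_name(buf, start, end):
    """Walk a Name (SEQUENCE OF SET OF AttributeTypeAndValue) and return its CN."""
    p = start
    while p < end:
        _, rdn_s, rdn_e = _tlv(buf, p)     # RelativeDistinguishedName SET
        _, atv_s, _ = _tlv(buf, rdn_s)     # AttributeTypeAndValue SEQUENCE
        _, oid_s, oid_e = _tlv(buf, atv_s) # OBJECT IDENTIFIER
        if buf[oid_s:oid_e] == b"\x55\x04\x03":   # id-at-commonName (2.5.4.3)
            _, v_s, v_e = _tlv(buf, oid_e)
            return buf[v_s:v_e].decode("utf-8")
        p = rdn_e
    return "<no CN>"

def parse_cert(der):
    """Return (common_name, not_before, not_after) from one DER certificate."""
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                        # optional explicit [0] version
        p = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, v_s, v_e = _tlv(der, p)             # validity SEQUENCE
    t1, s1, e1 = _tlv(der, v_s)
    t2, s2, e2 = _tlv(der, e1)
    _, n_s, n_e = _tlv(der, v_e)           # subject Name
    return _common_name(der, n_s, n_e), _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def scan_bundle(pem_text, now, warn_days=90):
    """Classify every certificate in a PEM bundle as expired, expiring or ok."""
    out = []
    for m in re.finditer(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S):
        cn, _, not_after = parse_cert(base64.b64decode("".join(m.group(1).split())))
        days = (not_after - now).days
        status = "expired" if days < 0 else "expiring" if days <= warn_days else "ok"
        out.append({"cn": cn, "not_after": not_after, "days_left": days, "status": status})
    return out

def missing_roots(results, required):
    """Names in `required` (e.g. the replacement root) absent from the scanned bundle."""
    present = {r["cn"] for r in results}
    return [cn for cn in required if cn not in present]

# --- constructed sample data (assumption: skeletons, not the real root certificates) ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_root(cn, not_after):
    """Unsigned X.509 skeleton with a real-looking subject and validity (test data only)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    validity = _der(0x30, utc(not_after - dt.timedelta(days=365 * 20)) + utc(not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + name + validity + name + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")

SAMPLE_BUNDLE = "".join(fake_root(cn, dt.datetime(*when, tzinfo=UTC)) for cn, when in [
    ("AddTrust External CA Root", (2020, 5, 30, 10, 48, 38)),   # published expiry
    ("DST Root CA X3", (2021, 9, 30, 14, 1, 15)),               # published expiry
    ("ISRG Root X1", (2035, 6, 4, 11, 4, 38)),                  # published expiry
])

def demo_report(now=(2021, 9, 1), warn_days=90):
    """Scan the constructed bundle as of `now` given as (year, month, day)."""
    return scan_bundle(SAMPLE_BUNDLE, dt.datetime(*now, tzinfo=UTC), warn_days)

if __name__ == "__main__":
    report = demo_report()
    for r in report:
        print(f"{r['status']:8} {r['days_left']:>6}d  {r['cn']}  (notAfter {r['not_after']:%Y-%m-%d})")
    print("missing required roots:", missing_roots(report, ["ISRG Root X1"]))
```

Against a real store, feed scan_bundle the contents of the system bundle (on Debian-style systems, /etc/ssl/certs/ca-certificates.crt) with `now` set to the current UTC time, and treat any "expiring" root, or any name returned by missing_roots for the root your certificates now chain to, as a ticket to update the store on that device fleet before the cutover date rather than after it.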
Here are six key takeaways from root certificate expirations, such as the one from Let's Encrypt last month.