Free and open Certificate Authority (CA) Let’s Encrypt today started the process of completely retiring TLS-SNI-01 validation support.
Let’s Encrypt decided last year that it would disable support for the TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own. The problem, the CA revealed at the time, was the use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure.
Although the issue was not in the certificate authority itself but was the result of a combination of factors, Let’s Encrypt decided that disabling support for the validation method was the best way to handle the situation at the time.
In October last year, however, the CA announced that it was ready to take its mitigation efforts a step further by completely removing support for TLS-SNI-01 validation on February 13, 2019.
Starting today, the CA is disabling the TLS-SNI-01 method in staging, allowing users to test the change and check whether the TLS-SNI-01 retirement will affect them in any way.
“To help people test their clients ahead of the deprecation date, we’re going to disable the TLS-SNI-01 method in staging on 2019-01-22 (this Tuesday). Once that’s live we’ll post an update here, and you’ll be able to run certbot renew --dry-run, which will do a test against staging. If the dry run succeeds, you’ll know that you’re ready for the deprecation date,” Let’s Encrypt’s Jacob Hoffman-Andrews notes.
Certbot users have already received emails informing them of the planned retirement of the TLS-SNI-01 validation. Details on how to stop using the domain validation method have been published on Let’s Encrypt’s community page.
Let’s Encrypt users currently have three other validation methods at their disposal, namely “DNS-01”, “HTTP-01” (which has been available alongside TLS-SNI-01 right from the start), and “TLS-ALPN-01” (which was introduced last year).
