
Let's Encrypt Exposes User Email Addresses

Server Bug Exposes Email Addresses of 7,618 Let's Encrypt Users

Thousands of Let's Encrypt users had their email addresses exposed on Saturday, when the open certificate authority (CA) began sending a notification to active subscribers.

Backed by the Electronic Frontier Foundation (EFF) and numerous large Internet and tech companies, Let’s Encrypt is a project aimed at bringing encryption to all areas of the Internet. It provides website owners with free certificates to encourage them to move to HTTPS and secure the communication between their sites and users’ browsers.

Because of a server glitch, when Let’s Encrypt started sending emails to its users on June 11 to inform them of an update to its subscriber agreement, the automated system used to send them mistakenly prepended other subscribers’ email addresses to the body of each message. As a result, recipients could see the email addresses of other subscribers.

Josh Aas, executive director of ISRG (the Internet Security Research Group, the organization behind Let's Encrypt), explains that the bug was discovered after 7,618 emails had been sent, at which point the automated system was stopped. Because the bug was caught early, only 1.9% of the Let’s Encrypt subscribers who had provided an email address were affected.

He also explained that each new message contained the addresses of all previous recipients. “Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones,” Aas reveals.
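The pattern Aas describes, where each message carries the addresses of everyone before it, is a classic state-carried-across-iterations bug in a batch mailer. The following Python is an added illustration of that class of bug beside a fixed version and a pre-send guard; it is not Let's Encrypt's code, and it does not claim to be the root cause their postmortem found (this page does not give one). The recipient list, the notice text, and the function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample recipient list for the illustration (not real subscriber data).
SAMPLE_RECIPIENTS = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
    "dave@example.edu",
]

NOTICE = "Our subscriber agreement has been updated."

# Simple address matcher used by the pre-send guard.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_buggy(recipients: List[str]) -> Dict[str, str]:
    """Buggy mailer (hypothetical mechanism): a header list meant to be
    per-message is created once outside the loop, so the Nth body is
    prefixed with the first N addresses. Earlier messages leak fewer
    addresses than later ones, which is the symptom the article reports."""
    header_lines: List[str] = []          # BUG: shared across every message
    rendered: Dict[str, str] = {}
    for addr in recipients:
        header_lines.append(addr)         # state accumulates into later bodies
        rendered[addr] = "\n".join(header_lines) + "\n\n" + NOTICE
    return rendered


def render_fixed(recipients: List[str]) -> Dict[str, str]:
    """Fixed mailer: per-message state is created fresh inside the loop."""
    rendered: Dict[str, str] = {}
    for addr in recipients:
        header_lines = [addr]             # fresh list for each message
        rendered[addr] = "\n".join(header_lines) + "\n\n" + NOTICE
    return rendered


def cross_recipient_leaks(rendered: Dict[str, str]) -> Dict[str, List[str]]:
    """Pre-send guard: map each recipient whose body mentions an address
    other than their own to the sorted list of foreign addresses found."""
    leaks: Dict[str, List[str]] = {}
    for addr, body in rendered.items():
        foreign = sorted({m for m in EMAIL_RE.findall(body)
                          if m.lower() != addr.lower()})
        if foreign:
            leaks[addr] = foreign
    return leaks


def send_with_guard(rendered: Dict[str, str]) -> int:
    """Send messages in order, checking each body first, and stop at the
    first one that would leak another recipient's address.
    Returns how many messages were sent before the guard tripped."""
    sent = 0
    for addr, body in rendered.items():
        if cross_recipient_leaks({addr: body}):
            break                         # halt the batch instead of leaking
        sent += 1                         # stand-in for the real send call
    return sent


if __name__ == "__main__":
    buggy = render_buggy(SAMPLE_RECIPIENTS)
    for addr, foreign in cross_recipient_leaks(buggy).items():
        print(f"{addr}: would have leaked {foreign}")
    print("buggy batch sent before guard tripped:", send_with_guard(buggy))
    print("fixed batch sent:", send_with_guard(render_fixed(SAMPLE_RECIPIENTS)))
```

The guard is deliberately applied per message rather than once over the whole batch, because a bulk sender typically renders and hands off messages incrementally; catching the first leaking body limits exposure to the messages already sent, which is the outcome the article describes when the system was stopped.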

Given that around 383,000 subscribers had provided an email address to the open CA, the impact of the glitch could have been far larger. Aas also asked those who accidentally received other users’ email addresses not to post them publicly.

Some of the Let’s Encrypt subscribers discussing the issue on the CA’s community forums suggested that the culprit might be the Mandrill transactional email platform from MailChimp. The CA was using this service to send the notifications, and the glitch might have emerged either from the integration between Let’s Encrypt and Mandrill or from the service itself.

According to Aas, the CA is currently investigating the incident and will post more details on the matter soon. “We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions,” he said.

Let’s Encrypt issued its first digital certificate in September last year and entered public beta in December. The CA shed the beta tag in early April 2016, one month after it issued its millionth certificate. In May, EFF announced that the Let's Encrypt client Certbot was launched in beta.
