Millions of websites face 'insecure' warnings

Image caption: Companies need to set themselves reminders to update digital certificates, say experts (image source: Getty Images)

Some well-known websites could stop functioning properly on Wednesday, 4 March, after a bug was found in the digital certificates used to secure them.

The organisation that issues the certificates revealed that three million need to be immediately revoked.

Visitors to affected sites will be greeted with an alert warning them the site is insecure.

One expert said the issue could result in a "loss of trust".

The Internet Security Research Group (ISRG) is the non-profit organisation behind Let's Encrypt, a project that last month celebrated issuing its billionth certificate.

The project has some high-profile backers, including Cisco, Facebook and Google, and is widely credited as one of the driving forces behind businesses securing their websites.

In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code.

"Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you'll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologise for the issue."

'Unacceptable'

Digital certificates are, in essence, small pieces of code, created using sophisticated mathematics, that ensure communication between devices or websites is sent in an encrypted manner and is therefore secure.

They play an essential role in keeping IT infrastructure up and running safely and are issued by certificate authorities, who electronically verify that the certificates are genuine. When issued, these certificates are given an expiration date of anything between a few months and several years.

Visitors to websites that are not able to renew their certificates by this date will see security warnings telling them that the site is insecure.
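As an added example (not code from the article, the BBC or Let's Encrypt), the check a site operator would want here: read the serial number and expiry date out of the certificate a server presents, and flag it for replacement if its serial is on the CA's published revocation list or it is within a reminder window of expiring. It assumes a DER-encoded certificate and a revocation list of hex serials; the certificate and list used below are constructed samples, not real values.

```python
from datetime import datetime, timezone

def _tlv(data, pos):
    """Read one ASN.1 tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(body):
    """Split a SEQUENCE body into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def serial_and_expiry(der):
    """Return (serial as int, notAfter as UTC datetime) from a DER certificate."""
    _, cert_body, _ = _tlv(der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)  # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")  # INTEGER serialNumber
    # fields[1] signature AlgorithmIdentifier, [2] issuer Name, [3] validity
    _, (time_tag, time_val) = _children(fields[3][1])
    fmt = "%y%m%d%H%M%SZ" if time_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    expiry = datetime.strptime(time_val.decode(), fmt).replace(tzinfo=timezone.utc)
    return serial, expiry

def renewal_reason(der, revoked_serials_hex, now, reminder_days=14):
    """Return "revoked", "expiring", or None: why this certificate must be replaced."""
    serial, expiry = serial_and_expiry(der)
    if serial in {int(s, 16) for s in revoked_serials_hex}:
        return "revoked"  # on the CA's list: replace now, regardless of expiry
    if (expiry - now).days < reminder_days:
        return "expiring"
    return None

def _der(tag, body):
    """Minimal DER encoder (short-form lengths only), used to build the sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real or signed certificate): only the fields read
# above are present: version, serial 0x03ab12, empty sigalg/issuer, validity to 2020-03-04.
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes.fromhex("03ab12"))
    + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"200304000000Z"))))
```

For a live check, the DER bytes would come from the certificate the web server actually serves and the serial list from the CA's published notice.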

On a community forum, one website manager, based in New Zealand, complained that he had received only "75 minutes" notice of the need to update, which he said was "unacceptable".

Alan Woodward, a professor of computer science at Surrey University, told the BBC: "Let's Encrypt is a significant part of the security infrastructure of the web."

He said that while it had "responsibly" revealed the bug, its clients faced uncertainty.

"Nobody knows how they will deal with it. Businesses will have to apply for a new certificate so there could be an interruption to services which will result in a loss of trust. Users will experience websites that say they have a security problem."

While the organisation has issued a list of the affected certificate serial numbers, it has not made public the names behind them, but Prof Woodward said it would probably affect "well-known" websites.