If your organization includes Android devices as part of its bring-your-own-device (BYOD) policy or uses embedded systems, then the recent expiry of a Let’s Encrypt root certificate may place your organization at risk. This update covers what you need to be aware of and how this potential blind spot can impact your organization.
Since root certificate DST Root CA X3 expired on September 30, 2021, older browsers and devices that rely on that root to trust Let’s Encrypt certificates have shown warnings when visiting sites that use those certificates.
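The following is an added example, not part of the original post, that models why the same server chain validates on a device with an up-to-date trust store but fails on an older device. It simulates X.509 path building from the leaf certificate to a trusted anchor with a toy validator; the certificate names are real Let’s Encrypt and IdenTrust names, the DST Root CA X3 expiry date is the one stated above, and all other dates, the chain shape and the two trust stores are constructed simplifications for illustration.

```python
"""Constructed model of certificate path validation against a device trust store.

Added example: it shows the mechanism behind the warnings described above,
not any vendor's or Let's Encrypt's own code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry (notAfter), UTC


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed server chain as a TLS server might send it: leaf -> R3 ->
# ISRG Root X1 cross-signed by DST Root CA X3. Dates other than the
# DST Root CA X3 expiry are simplified placeholders.
LEAF = Cert("www.example.com", "R3", _utc(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", _utc(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2024, 9, 30))
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Constructed trust stores. An older device shipped only DST Root CA X3;
# a current one also carries the self-signed ISRG Root X1.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc(2021, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc(2035, 6, 4))
OLD_STORE = {c.subject: c for c in [DST_ROOT_X3]}
NEW_STORE = {c.subject: c for c in [DST_ROOT_X3, ISRG_X1_SELF]}

# Validation times on either side of the root expiry.
BEFORE_EXPIRY = _utc(2021, 9, 1)
AFTER_EXPIRY = _utc(2021, 10, 1)


def validate(chain, trust_store, at, enforce_anchor_expiry=True):
    """Walk from the leaf towards a trust anchor, checking expiry on the way.

    Returns (ok, reason). enforce_anchor_expiry=False mimics validators that
    ignore the expiry of the anchor itself once it is found in the store.
    """
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    seen = set()
    while True:
        if cert.subject in seen:
            return False, f"loop in chain at {cert.subject}"
        seen.add(cert.subject)
        if at > cert.not_after:
            return False, f"{cert.subject} expired {cert.not_after:%Y-%m-%d}"
        anchor = trust_store.get(cert.issuer)
        if anchor is not None:
            # Path building stops at the first trusted issuer, so a device
            # that trusts ISRG Root X1 never reaches the cross-signed cert.
            if enforce_anchor_expiry and at > anchor.not_after:
                return False, (f"trust anchor {anchor.subject} expired "
                               f"{anchor.not_after:%Y-%m-%d}")
            return True, f"chains to trusted anchor {anchor.subject}"
        nxt = by_subject.get(cert.issuer)
        if nxt is None:
            return False, f"no certificate in chain for issuer {cert.issuer}"
        cert = nxt


def report(at):
    """Summarise both device types at a given time (for running stand-alone)."""
    return {
        "old device": validate(SERVER_CHAIN, OLD_STORE, at),
        "current device": validate(SERVER_CHAIN, NEW_STORE, at),
    }


if __name__ == "__main__":
    for label, when in (("before expiry", BEFORE_EXPIRY), ("after expiry", AFTER_EXPIRY)):
        for device, (ok, reason) in report(when).items():
            print(f"{label:14} {device:15} {'OK ' if ok else 'FAIL'} {reason}")
```

Running the block prints that the old-store device fails after the expiry because the path ends at the expired DST Root CA X3 anchor, while the current-store device succeeds because path building stops at ISRG Root X1 before reaching the cross-signed certificate. The `enforce_anchor_expiry=False` switch shows why some validators keep working with the same old store: they treat the anchor as trusted regardless of its own dates. For a real device, the check to run is whether its trust store contains a non-expired root that the served chain actually reaches.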
There are lessons in past incidents: when AddTrust External CA Root expired back in May 2021, various companies, including an online payment platform, a media streaming platform, and an enterprise software solutions provider, all suffered outages and disruptions.
Despite early warnings about the DST Root CA X3 expiry, several large companies, including accounting software providers, ecommerce sites, and even well-known technology solutions, cloud, and cyber security providers, have been reported as facing website and service issues.
This latest root certificate expiry exposes a potential blind spot in companies’ security postures, leaving them vulnerable to downtime and revenue loss. Affected companies may require additional measures to restore services for their customers, and review the incident to address any gaps.
It is widely known that Let’s Encrypt supports its users only through documentation and community forums and does not provide direct support. It also offers only domain validation (DV) certificates, as opposed to organization validation (OV) or extended validation (EV) certificates. It has been reported that DV certificates have been used in phishing campaigns because of the low level of validation required for issuance.
Cyber security, business continuity, and disaster recovery are all at risk when companies use digital certificates issued by providers that aren’t structured to meet the needs of an enterprise. CSC recommends that companies consider using a certificate authority that has comprehensive security-focused capabilities and resources, industry recognition, and 24/7 technical support backed by trusted security experts.
We’re ready to talk
If you’d like to learn more about digital certification solutions and how automation can mitigate the challenges around reduced certificate lifespans, please complete our contact form.