Let's Encrypt moves to domain validation from multiple subnets

The non-commercial certificate authority Let's Encrypt, which is community-governed and issues certificates to anyone free of charge, has announced a new scheme for validating that a requester actually controls the domain for which a certificate is requested. The server hosting the "/.well-known/acme-challenge/" directory used by the check will now receive several HTTP requests sent from four different IP addresses located in different data centers and belonging to different autonomous systems. The check is considered successful only if at least 3 of the 4 requests from different IPs succeed.

Checking from several subnets minimizes the risk of obtaining certificates for someone else's domain through targeted BGP hijacking, in which traffic is redirected by announcing bogus routes. Against a multi-vantage-point check, an attacker would have to redirect the route simultaneously as seen by several provider autonomous systems with different uplinks, which is much harder than redirecting a single route. Sending requests from different IPs also makes the check more robust when individual Let's Encrypt hosts land on block lists (for example, in the Russian Federation some letsencrypt.org IPs were blocked by Roskomnadzor).
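As an added illustration of the scheme described in the two paragraphs above (a model written for this page, not Let's Encrypt's own validation code), the Python below computes the HTTP-01 key authorization as defined in RFC 8555 and RFC 7638, runs the challenge fetch from several vantage points through an injected `fetch` callable so that it works offline, and applies the 3-of-4 quorum. The vantage-point names, the attacker's account key and the token are constructed for the example; `run_hijack_scenario` models an attacker who requests a certificate for a victim domain and hijacks the victim's prefix as seen by only a subset of the perspectives.

```python
import base64
import hashlib
import json

ACME_CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order,
    no whitespace, SHA-256 over the canonical JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(domain, token, account_jwk, perspectives, fetch, quorum=3):
    """Run the HTTP-01 check from every perspective and require `quorum` successes.

    `fetch(perspective, url)` returns the response body as a string or raises on
    any network/HTTP error; it is injected so this model runs offline.
    Returns (passed, per-perspective results).
    """
    expected = key_authorization(token, account_jwk)
    url = f"http://{domain}{ACME_CHALLENGE_PATH}{token}"
    results = {}
    for perspective in perspectives:
        try:
            body = fetch(perspective, url)
        except Exception:
            results[perspective] = False
            continue
        # RFC 8555 section 8.3: the CA should ignore whitespace after the body
        results[perspective] = body.rstrip() == expected
    return sum(results.values()) >= quorum, results


# Constructed vantage-point names; the real perspective locations are not on the page.
PERSPECTIVES = ("primary-dc", "remote-a", "remote-b", "remote-c")

# Constructed, toy-sized attacker account key; only its thumbprint matters here.
ATTACKER_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token, ACME-shaped


def run_hijack_scenario(hijacked, quorum=3, perspectives=PERSPECTIVES):
    """Attacker requests a cert for victim.example and hijacks the victim's
    prefix as seen from the ASes in `hijacked`. The real host never serves
    the attacker's token, so only hijacked perspectives see a valid answer."""
    attacker_answer = key_authorization(TOKEN, ATTACKER_JWK) + "\n"

    def fetch(perspective, url):
        if perspective in hijacked:
            return attacker_answer               # this AS routes to the attacker's host
        raise ConnectionError("404 Not Found")   # legitimate host has no such file

    return validate_http01("victim.example", TOKEN, ATTACKER_JWK,
                           perspectives, fetch, quorum)


if __name__ == "__main__":
    # Old scheme: a single vantage point; hijacking its route alone suffices.
    print("single perspective, primary hijacked:",
          run_hijack_scenario({"primary-dc"}, quorum=1, perspectives=("primary-dc",)))
    # New scheme: 3 of 4 must agree, so the same hijack fails.
    print("multi-perspective, primary hijacked:", run_hijack_scenario({"primary-dc"}))
    # The attacker now needs the route as seen from at least three separate ASes.
    print("multi-perspective, three ASes hijacked:",
          run_hijack_scenario({"primary-dc", "remote-a", "remote-b"}))
```

The same `validate_http01` also models the robustness point: a perspective whose IP is block-listed simply raises in `fetch` and counts as one failed vote, and the check still passes as long as three of the four succeed.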

Until June 1 there will be a transitional period during which a certificate can still be issued after successful validation from the primary data center alone, if the host is unreachable from the other subnets (this can happen, for example, if the host's administrator configured the firewall to allow requests only from the main Let's Encrypt data center, or if the domain's DNS zone is out of sync between its authoritative servers). Based on the logs, a whitelist will be prepared of domains that have problems with validation from the 3 additional data centers. Only domains with complete contact details will be included in the whitelist. If a domain is not added to the whitelist automatically, a request for inclusion can also be submitted via a dedicated form.

The Let's Encrypt project has so far issued 113 million certificates covering about 190 million domains (150 million domains were covered a year ago and 61 million two years ago). According to Firefox Telemetry, the global share of HTTPS page requests is 81% (77% a year ago, 69% two years ago), and 91% in the US.

Separately, Apple has announced its intention to stop trusting certificates in Safari whose lifetime exceeds 398 days (13 months). The restriction is planned to apply only to certificates issued on or after September 1, 2020. Long-lived certificates obtained before September 1 will continue to be trusted, but only up to a lifetime of 825 days (2.2 years).

The change may hurt the business of certificate authorities that sell cheap certificates with long validity periods of up to 5 years. According to Apple, issuing such certificates creates additional security risks, slows the rollout of new cryptographic standards, and, if a certificate leaks unnoticed as the result of a compromise, lets an attacker intercept the victim's traffic or use it for phishing for a long time.

Source: opennet.ru
