
posted by janrinok on Tuesday October 20 2015, @11:24PM
from the its-safe-to-say dept.

Let's Encrypt, the free SSL CA, has achieved a significant milestone. From their press release:

We're pleased to announce that we've received cross-signatures from IdenTrust, which means that our certificates are now trusted by all major browsers. This is a significant milestone since it means that visitors to websites using Let's Encrypt certificates can enjoy a secure browsing experience with no special configuration required. Both Let's Encrypt intermediate certificates, Let's Encrypt Authority X1 and Let's Encrypt Authority X2, received cross-signatures. Web servers will need to be configured to serve the appropriate cross-signature certificate as part of the trust chain. The Let's Encrypt client will handle this automatically.

You can see an example of a server using a Let's Encrypt certificate under a new cross-signed intermediate here.

Vital personal and business information is flowing over the Internet more frequently than ever, and it's time to encrypt all of it. That's why we created Let's Encrypt, and we're excited to be one big step closer to bringing secure connections to every corner of the Web.

This is hopefully a good step in the direction of an encrypted web!
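The press release's point that "web servers will need to be configured to serve the appropriate cross-signature certificate as part of the trust chain" is easy to see with a small, self-contained model. The Go program below is an added example, not code from Let's Encrypt, ISRG, IdenTrust or this story. It constructs its own toy hierarchy: an "established" root that clients already trust, the new CA's own root that clients do not yet trust, one intermediate key certified twice (once by each root, the second certificate being the cross-signature), and a domain-validated style leaf whose subject names only a host. All names, the hostname www.example.net and the ECDSA keys are constructed placeholders for the example. It then verifies the same leaf three times as a client that trusts only one root, with the server sending one or the other intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed toy hierarchy; the names are placeholders for this example,
// not the real ISRG or IdenTrust certificates.
type PKI struct {
	OldRoot, NewRoot *x509.Certificate // established root (already trusted) vs. the new CA's own root
	IntOwn, IntCross *x509.Certificate // one intermediate key, issued by NewRoot and cross-signed by OldRoot
	Leaf             *x509.Certificate // server certificate signed by the intermediate key
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// newTemplate builds either a CA template or a server (leaf) template for name.
func newTemplate(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // no O/L/C: domain-only subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues a certificate for (tmpl, pub) with parent's key; parent == tmpl is self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// BuildPKI creates the two roots, the twice-certified intermediate key and the leaf for host.
func BuildPKI(host string) PKI {
	kOld, kNew, kInt, kLeaf := newKey(), newKey(), newKey(), newKey()
	oldTmpl := newTemplate(1, "Established Root (placeholder)", true)
	newTmpl := newTemplate(2, "New CA Root (placeholder)", true)
	oldRoot := sign(oldTmpl, oldTmpl, &kOld.PublicKey, kOld)
	newRoot := sign(newTmpl, newTmpl, &kNew.PublicKey, kNew)
	// The cross-signature: identical subject and public key, a different issuer.
	// (Reusing the serial is fine: serials only need to be unique per issuer.)
	intTmpl := newTemplate(3, "New CA Intermediate (placeholder)", true)
	intOwn := sign(intTmpl, newRoot, &kInt.PublicKey, kNew)
	intCross := sign(intTmpl, oldRoot, &kInt.PublicKey, kOld)
	// The leaf is signed by the intermediate key, so either intermediate certificate fits above it.
	leaf := sign(newTemplate(4, host, false), intOwn, &kLeaf.PublicKey, kInt)
	return PKI{OldRoot: oldRoot, NewRoot: newRoot, IntOwn: intOwn, IntCross: intCross, Leaf: leaf}
}

// ServerChainValidates models a client trusting only root that receives leaf plus
// whichever intermediate the server was configured to send.
func ServerChainValidates(leaf, intermediate, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// IsDomainOnly reports whether the subject holds no organization or location fields.
func IsDomainOnly(c *x509.Certificate) bool {
	return len(c.Subject.Organization) == 0 && len(c.Subject.Locality) == 0 && len(c.Subject.Country) == 0
}

func main() {
	host := "www.example.net" // constructed hostname
	p := BuildPKI(host)
	fmt.Println("old-root client, own-root intermediate served:   ", ServerChainValidates(p.Leaf, p.IntOwn, p.OldRoot, host))
	fmt.Println("old-root client, cross-signed intermediate served:", ServerChainValidates(p.Leaf, p.IntCross, p.OldRoot, host))
	fmt.Println("new-root client, own-root intermediate served:   ", ServerChainValidates(p.Leaf, p.IntOwn, p.NewRoot, host))
	fmt.Println("leaf subject is domain-only:", IsDomainOnly(p.Leaf))
}
```

The leaf's signature is identical in all three runs; only the intermediate certificate sent alongside it changes. A client whose trust store holds just the established root rejects the chain through the CA's own root and accepts the one through the cross-signed intermediate, which is why a server must be configured to send the cross-signed copy (the Let's Encrypt client does this for you). The leaf's subject contains nothing but the host name, the domain-validation shape the comments below discuss.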

  • (Score: 3, Interesting) by Non Sequor on Wednesday October 21 2015, @01:48AM

    by Non Sequor (1005) on Wednesday October 21 2015, @01:48AM (#252563) Journal

    The purpose of a certificate authority is to do two things:

    (1) Do some level of identity checking so that if the certificate claims to be associated with legal entity X, either it came from entity X, or someone has submitted some falsified information that can be used as evidence of fraud at trial.
    (2) Be present to clean up the mess if 1 doesn't go as planned.

    Per section 3.2 of the Certificate Policy for Let's Encrypt (https://letsencrypt.org/documents/ISRG-CP-September-9-2015.pdf), all of the criteria for initial identification are either based on punting to a domain name registrar or demonstrating control over a domain. Browsing through some of the certificates Let's Encrypt has issued I can see that they only identify a domain name and don't include any other details on the subject of the certificate.

    Meanwhile, going to a variety of major web sites, I see certificates that identify the company and a geographical location that they registered from.

    Speaking of which, if I click the lock icon by soylentnews.org, I don't see anything that ties to Soylent News as an incorporated entity. There's no difference to me between this certificate and using Diffie-Hellman to communicate on unauthenticated basis. If the lock by a website is supposed to mean that I can trust the connection exactly as much as I trust the end point (give or take a few points), why are these certificates any good? Why is founding Let's Encrypt a better idea than just adding unauthenticated Diffie-Hellman to the HTTP spec?

    --
    Write your congressman. Tell him he sucks.
  • (Score: 2, Informative) by Anonymous Coward on Wednesday October 21 2015, @04:23AM

    by Anonymous Coward on Wednesday October 21 2015, @04:23AM (#252603)

    There are currently three discrete levels of identification offered by TLS certificates in present usage. The lowest level is self-signed, which ensures only that your entire session is with the same party (could in theory be used to ensure all future sessions are with the same party, but no implementation in common use does that). Next is a normal certificate, which verifies the connection is to the owner of the domain and therefore defends against man-in-the-middle attacks. Last is EV ("extended validation") certificates which do what you hope certificates would actually do; they show the company name as you've seen on some websites and therefore protect against typo/phishing attacks if the user is paying attention. My understanding of the history is that certificates originally were supposed to all be as well verified as the last type but over time verification standards decreased to the second type and EV certificates were eventually introduced. Let's Encrypt is only about the second type, which only verifies domain ownership which is already done in an automated fashion by other providers of certificates. They are just creating a free and simple process for generating those certificates.

    • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @07:13AM

      by Anonymous Coward on Wednesday October 21 2015, @07:13AM (#252622)

      Nobody checks those Extended Validation certificates, though. So just like the regular one only certifies that you are actually connected to badguys.com, the EV one only certifies that you really are doing business with Bad Guys inc.

      Plus, neither handles the case where Good Guys ltd goes bankrupt, and gets legally sold to Bad Guys inc, something that happens all the time.

  • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @09:46AM

    by Anonymous Coward on Wednesday October 21 2015, @09:46AM (#252652)

    That actually makes a heap of sense.

    Get rid of HTTP altogether.

    Show the unlocked padlock for self signed over HTTPS, but stop complaining about errors.

    Show normal secure padlock icons for real certs.

    • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @01:59PM

      by Anonymous Coward on Wednesday October 21 2015, @01:59PM (#252731)

      This suggestion seems to appear on pretty much every thread about HTTPS, and I don't understand why it's not done. It's called opportunistic encryption [wikipedia.org]. HTTP/2 included some proposals for it, including one that Firefox implemented for a time... but it had a bug that allowed padlock sites to also bypass the certificate check. And for some reason, their fix for the bug was to remove the feature entirely (a reasonable first step...) and then apparently forget about the feature altogether.

      • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @05:03PM

        by Anonymous Coward on Wednesday October 21 2015, @05:03PM (#252835)

        They already got the press credit for adding the feature. What glory is there in tracing down a complicated bug like that compared to doing another highly visible change?