SoylentNews is people

posted by janrinok on Tuesday October 20 2015, @11:24PM
from the its-safe-to-say dept.

Let's Encrypt, the free SSL CA, has achieved a significant milestone. From their press release:

We're pleased to announce that we've received cross-signatures from IdenTrust, which means that our certificates are now trusted by all major browsers. This is a significant milestone since it means that visitors to websites using Let's Encrypt certificates can enjoy a secure browsing experience with no special configuration required. Both Let's Encrypt intermediate certificates, Let's Encrypt Authority X1 and Let's Encrypt Authority X2, received cross-signatures. Web servers will need to be configured to serve the appropriate cross-signature certificate as part of the trust chain. The Let's Encrypt client will handle this automatically.

You can see an example of a server using a Let's Encrypt certificate under a new cross-signed intermediate here.

Vital personal and business information is flowing over the Internet more frequently than ever, and it's time to encrypt all of it. That's why we created Let's Encrypt, and we're excited to be one big step closer to bringing secure connections to every corner of the Web.

This is hopefully a good step in the direction of an encrypted web!


  • (Score: 2, Informative) by Anonymous Coward on Wednesday October 21 2015, @04:23AM (#252603)

    There are currently three discrete levels of identification offered by TLS certificates in present usage. The lowest level is self-signed, which ensures only that your entire session is with the same party (could in theory be used to ensure all future sessions are with the same party, but no implementation in common use does that). Next is a normal certificate, which verifies the connection is to the owner of the domain and therefore defends against man-in-the-middle attacks. Last is EV ("extended validation") certificates, which do what you hope certificates would actually do; they show the company name as you've seen on some websites and therefore protect against typo/phishing attacks if the user is paying attention. My understanding of the history is that certificates originally were supposed to all be as well verified as the last type, but over time verification standards decreased to the second type and EV certificates were eventually introduced. Let's Encrypt is only about the second type, which only verifies domain ownership, which is already done in an automated fashion by other providers of certificates. They are just creating a free and simple process for generating those certificates.

  • (Score: 0) by Anonymous Coward on Wednesday October 21 2015, @07:13AM (#252622)

    Nobody checks those Extended Validation certificates, though. So just like the regular one only certifies that you are actually connected to badguys.com, the EV one only certifies that you really are doing business with Bad Guys inc.

    Plus, neither handles the case where Good Guys ltd goes bankrupt, and gets legally sold to Bad Guys inc, something that happens all the time.