posted by cmn32480 on Thursday December 03 2015, @09:33PM
from the start-the-source-review-in-3....2....1..... dept.

EFF's "Let's Encrypt" Enters Public Beta

As of today, invitations are no longer needed to get a free certificate signed by the EFF's Let's Encrypt CA.

The user guide explains several options for the process, ranging from automatically setting up SSL for Apache or Nginx (support for Nginx is still experimental), to a manual process for those who would rather not run the installer as root.

Let's Encrypt CA issues short-lived certificates (90 days), which shouldn't be a problem with a sufficiently automated renewal process. It looks like wildcard certificates won't be issued anytime soon (if at all), but you can get certificates that are good for multiple subdomains.

"Let's Encrypt" Project Enters Public Beta

The Electronic Frontier Foundation and Mozilla-backed Let's Encrypt certificate authority has now entered Public Beta:

So if you run a server, and need certificates to deploy HTTPS, you can run the beta client and get one right now. If you have any questions, you can get answers on community.letsencrypt.org.

We've still got a lot to do. This launch is a Public Beta to indicate that, as much as today's release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes many features including options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, postfix, exim, or dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling. And of course, if you have some Python coding knowledge, you can come and help us reach those objectives.

A fully encrypted Web is within reach. Let's Encrypt is going to help us get there.

The Register reports:

The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.

Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft's Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.

Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that's it.

[...] Full documentation is here and a quick start guide is here.


  • (Score: 3, Informative) by edIII (791) on Thursday December 03 2015, @10:17PM (#271586)

    Trust? Never trust anyone beyond what your security protocols allow.

    Security is provided in layers. A free CA is better than no CA any day. I think what people objected to (I do), are the hundreds of dollars that CAs demand for a certificate, and never actually deliver all of that value. If Let's Encrypt gets hacked (which it probably will at some point) then the readily apparent saving grace was that it was free. A good deal of the major CAs have all been hacked in recent memory, and are on the defensive as much as any enterprise. The biggest and most secure CA (or CA-like) corporation got pwned; RSA, the principles of which that invented modern encryption protocols. Not easily either. A large amount of brain power (state sponsored brain power) was used to analyze the RSA attack for vulnerabilities. So it's going to be extremely difficult to convince me that any corporation is effectively immune to attacks.

    The real question is do you want to trust random people in Group A asking you for hundreds of dollars, or random people in Group B who ask for none and openly state they only wish for you to be secure? Considering the groups of people and talent behind the Let's Encrypt people, I'm going to believe they can provide me at least the same level of security as Comodo, NameCheap, etc. All for free too, which may actually allow small businesses to become protected.

    Other than the primary web presence, most of my clients in the last 20 years have declined to spend hundreds of dollars to remove the "nuisance/nagware" messages coming from their web browsers. I literally had a client tell me, "You're crazy if you think I'm spending $500 to get rid of some nag messages on Firefox". I've spent a huge amount of time deliberately weakening security by allowing "untrusted" and self-signed security certs in various platforms. Anything with a trusted cert is usually provided by SaaS vendors and not in-house. Anything that I've protected lately has simply been because I can do it for $10 per year and I set it up without the client's knowledge, or my attempt to sell something they don't believe is worth it.

    Regardless of how trustworthy you feel they are, unless you directly accuse them of being criminals, it's rather foolish to deny their offer of a CA for all of your systems and unprotected client systems for free. Have you gone through all of the steps, time, effort, and great skill to set up your own CA? I doubt it. I'm considering an in-house CA for a protected internal network, and it's not a trivial pursuit by any means.

    Let's Encrypt is a really simple proposition: Let's Encrypt everything. I agree.

    --
    Technically, lunchtime is at any moment. It's just a wave function.