
SoylentNews is people

posted by cmn32480 on Thursday December 03 2015, @09:33PM
from the start-the-source-review-in-3....2....1..... dept.

EFF's "Let's Encrypt" Enters Public Beta

As of today, invitations are no longer needed to get a free certificate signed by the EFF-backed Let's Encrypt CA.

The user guide explains several options for the process, ranging from automatically setting up SSL for Apache or Nginx (support for Nginx is still experimental), to a manual process for those who would rather not run the installer as root.

The Let's Encrypt CA issues short-lived certificates (90 days), which shouldn't be a problem with a sufficiently automated renewal process. It looks like wildcard certificates won't be issued anytime soon (if at all), but you can get a single certificate that covers multiple subdomains (listed as Subject Alternative Names).
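Because the certificates only last 90 days, the part that actually has to be automated is the decision of when to renew. The following is an added example, not code from the original page or from the Let's Encrypt project: a stdlib-only Python routine that takes the `notAfter=` line printed by `openssl x509 -enddate -noout -in cert.pem`, computes the days remaining, and classifies the certificate as fine, due for renewal, or expired. The 30-day threshold follows Let's Encrypt's advice to renew once a third of the lifetime remains; the sample expiry (a certificate issued at the public-beta launch) and the clock values are constructed test data.

```python
"""Renewal-window check for short-lived certificates (added example, stdlib only)."""
import ssl
from datetime import datetime, timedelta, timezone

CERT_LIFETIME_DAYS = 90     # Let's Encrypt issues 90-day certificates
RENEW_WITH_DAYS_LEFT = 30   # renew once a third of the lifetime remains

# Constructed sample: what `openssl x509 -enddate -noout -in cert.pem` prints
# for a certificate issued at the public-beta launch (2015-12-03 21:33 GMT).
SAMPLE_ENDDATE_LINE = "notAfter=Mar  2 21:33:00 2016 GMT"


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build an aware UTC datetime (keeps sample clocks short to write)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_enddate_line(line: str) -> datetime:
    """Turn 'notAfter=Mar  2 21:33:00 2016 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"expected a notAfter= line, got {line!r}")
    # ssl.cert_time_to_seconds understands OpenSSL's '%b %d %H:%M:%S %Y GMT'
    # format and returns seconds since the epoch (UTC).
    seconds = ssl.cert_time_to_seconds(value.strip())
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> float:
    """Fractional days until expiry; negative once the certificate has expired."""
    return (not_after - now) / timedelta(days=1)


def renewal_window_opens(not_after: datetime,
                         renew_with_days_left: int = RENEW_WITH_DAYS_LEFT) -> datetime:
    """Earliest instant at which a renewal job should act."""
    return not_after - timedelta(days=renew_with_days_left)


def check_certificate(enddate_line: str, now: datetime = None) -> dict:
    """Classify a certificate as 'ok', 'renew' or 'expired' relative to `now`.

    Returning a dict rather than printing lets a cron wrapper decide what to
    do (renew, alert, or exit quietly) and keeps the logic testable.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    not_after = parse_enddate_line(enddate_line)
    left = days_remaining(not_after, now)
    if left < 0:
        status = "expired"
    elif left <= RENEW_WITH_DAYS_LEFT:
        status = "renew"
    else:
        status = "ok"
    return {
        "not_after": not_after,
        "days_remaining": round(left, 1),
        "renewal_window_opens": renewal_window_opens(not_after),
        "status": status,
    }


if __name__ == "__main__":
    # Three constructed clock values: fresh, inside the window, expired.
    for clock in (utc(2015, 12, 5), utc(2016, 2, 10), utc(2016, 3, 3)):
        result = check_certificate(SAMPLE_ENDDATE_LINE, now=clock)
        print(f"{clock:%Y-%m-%d}: {result['status']:>7} "
              f"({result['days_remaining']:+.1f} days left)")
```

In a real job the `notAfter=` line would come from running openssl against the deployed certificate, and a "renew" result would trigger the client's renewal; acting with 30 days in hand rather than at the last moment leaves room to notice and retry a failed renewal before the certificate actually lapses.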

"Let's Encrypt" Project Enters Public Beta

The Electronic Frontier Foundation and Mozilla-backed Let's Encrypt certificate authority has now entered Public Beta:

So if you run a server, and need certificates to deploy HTTPS, you can run the beta client and get one right now. If you have any questions, you can get answers on community.letsencrypt.org.

We've still got a lot to do. This launch is a Public Beta to indicate that, as much as today's release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes many features including options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, postfix, exim, or dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling. And of course, if you have some Python coding knowledge, you can come and help us reach those objectives.

A fully encrypted Web is within reach. Let's Encrypt is going to help us get there.

The Register reports:

The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.

Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft's Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.

Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that's it.

[...] Full documentation is here and a quick start guide is here.


This discussion has been archived. No new comments can be posted.
  • (Score: 2) by TheLink on Friday December 04 2015, @03:44AM

    by TheLink (332) on Friday December 04 2015, @03:44AM (#271686) Journal

    1) Hardly anyone in the business really cares that much about security[1]. All they want is some security or appearance of it, and no stupid browser warnings. LetsEncrypt potentially provides this.
    2) The truth is the far bigger risk is from the site getting hacked or "compelled" and then all the data and transactions are at risk, not just your transactions.

    Analogy: HTTPS/TLS are the vans transporting cash to/from the "Banks". The "Banks" are the sites you use - which could be Soylent, Google, Facebook or websites of real banks. Often it makes more sense to attack the Bank than to attack the vans, especially when in most cases the vans are harder to crack than the Banks.

    From what I see, while it might be easier for a hostile Government to pwn your Facebook connection than pwn Facebook, it's much easier for that Gov to pwn your browser/device/computer connected to Facebook, and more likely for a hacker to pwn your bank or browser instead of MITMing your connection. And in the case of Facebook and similar, quite often a Gov can request/pay Facebook to hand over the data: https://govtrequests.facebook.com/ [facebook.com]
    https://govtrequests.facebook.com/country/United%20States/2015-H1/ [facebook.com]
    https://www.google.com/transparencyreport/userdatarequests/ [google.com]
    https://www.google.com/transparencyreport/userdatarequests/US/ [google.com]

    [1] If people really did care web browsers would have a better version of Certificate Patrol's feature - which warns users of suspicious certificate changes.

    And the affected people would make a bigger fuss about this problem: http://www.proper.com/root-cert-problem/ [proper.com]

    In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings. This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certification authority as untrusted unless the user turns off the Windows component that controls this feature.

    Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: the user cannot mark them as untrusted. The differences between the two versions of Windows are covered in the last section.

    What are the odds some entity controlled by a Gov that might be hostile or turn hostile has a cert that is signed by Microsoft? To me this is a far better argument about Windows being insecure than the usual ignorant arguments that "Unix/Linux style security is better". Windows is not really easier to pwn by hackers than Linux; the problem with Windows is it is pre-pwned ;).

    I believe Google Chrome on Windows uses the same cert infra as IE, Firefox doesn't. Google protects itself (its sites) with cert pinning, so tell me how much does Google actually care about user security?

  • (Score: 1, Informative) by Anonymous Coward on Friday December 04 2015, @09:40AM

    by Anonymous Coward on Friday December 04 2015, @09:40AM (#271744)

    And the vast majority of attacks will continue to be on the individual users, who have less security on their computers, and when their computer is infected with a trojan, neither HTTPS nor any security measures on the server side will be helpful; the only thing that then can still provide security is if a separate, non-compromised item is involved in the transaction.