

posted by takyon on Monday September 19 2016, @08:26PM   Printer-friendly
from the let's-rename dept.

Popular Bash shell script LetsEncrypt.sh, which is used to manage free SSL/TLS certificates from the Let's Encrypt project, was renamed this week to avoid a trademark row. This comes in the wake of Let's Encrypt successfully fending off Comodo, which tried to cynically snatch "Let's Encrypt" for itself.

LetsEncrypt.sh, written by Germany-based Lukas Schauer, is now known as Dehydrated. If you have scripts or apps that rely on pulling in his code and running it, they may stop working as a result of the name change. Dehydrated is developed independently by Schauer and is not officially affiliated with Let's Encrypt.

"This project was renamed from letsencrypt.sh because the original name was violating Let's Encrypt's trademark policy. I know that this results in quite a lot of installations failing but I didn't have a choice," reads the new Dehydrated README.

[...] Full disclosure: This article's author uses Let's Encrypt to provide HTTPS encryption for his personal websites. And you should use it too.

Our Previous Story: 800-Pound Comodo Tries to Trademark Upstart Rival's "Let's Encrypt" Name


  • (Score: 4, Funny) by jmorris on Monday September 19 2016, @09:21PM

    by jmorris (4844) on Monday September 19 2016, @09:21PM (#403983)

    The entire Internet is menaced with the threat that is Let's Encrypt until browsers either remove the secure icon when displaying content behind one of their certs, display an entirely different icon, or simply reject the certs entirely by dropping their root.

    Normal certs aren't exactly high security these days, but they can at least be tracked back to the credit card used to buy them. Let's Encrypt hands them out for free to anyone with zero validation. Why isn't this seen as an attack on the entire SSL concept?

    Now let's consider the gigawatt hours of wasted electricity used to encrypt content that absolutely, positively does not require any such protection. Now consider the wasted bandwidth because SSL Everything breaks all attempts to cache content. All because of an irrational panic.

    Grow the f*ck up people, if the [powers that be in your country] want your porn browsing history they will get it from the source, not by tapping the link. Your ISP can be a problem, but half the effort and expense put into this mindless encryption would have beat them into submission.

  • (Score: 0) by Anonymous Coward on Monday September 19 2016, @09:45PM

    by Anonymous Coward on Monday September 19 2016, @09:45PM (#403991)

    You have a point about the security icon, but I would contend that there is no content that does not require such protection. Anything, however innocuous, could be tampered with and changed into something else.

    • (Score: 2) by maxwell demon on Monday September 19 2016, @10:16PM

      by maxwell demon (1608) on Monday September 19 2016, @10:16PM (#404007)

      That problem could be solved with signing, which requires less resources than encryption, and doesn't prevent caching. However I've never heard of an HTTP variant that supports signing without encryption.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Tuesday September 20 2016, @12:34AM

      by Anonymous Coward on Tuesday September 20 2016, @12:34AM (#404055)

      I really don't care if someone hacks my information-only website, it's for my small consulting company. The site exists to inform the curious about what we do, and gives our phone number and an info@... email for someone that is actually interested in using our services. We only work business-to-business and nearly all of our business is generated by personal contact, or by referral. We tend to have one or two big customers and keep them for many years. I think we might have picked up one small job through the website in the last ~15 years.

      The only reason we have a website at all is because one of my younger guys insisted that we have one, his comment was, "You don't have a company if you don't have a website." On the plus side, it saved a little on printing costs, we don't hand out brochures anymore at trade shows--that is the info that is on the website. And if it got hacked, we'd probably notice in a day or two and reload it from offline backup. No big deal.

      • (Score: 0) by Anonymous Coward on Tuesday September 20 2016, @01:14AM

        by Anonymous Coward on Tuesday September 20 2016, @01:14AM (#404061)

        One thing I did with my website is set up a cron job that pulls a couple of pages, makes sure they are a 200 response, compares hashes to known good, and emails if there is a problem. This prevents different attacks from succeeding for long and has caught a hijacking before the hosting company noticed at all and alerted me to a few attacks at the same time I get the email from the hosting company. And yes, after the third one, we got a different host.
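The monitor described in the comment above, as an added Python example rather than the commenter's own cron job: it fetches each page, requires a 200, compares the body's SHA-256 against a stored baseline, and mails a report when anything differs. The URLs, baseline hashes and mail addresses are constructed, and the script assumes the pages are static (a timestamp or per-request token in the body would trip the hash on every run) and that a mail relay on localhost accepts the alert.

```python
"""Static-site integrity check, meant to run from cron.

Added example illustrating the approach in the comment above; it is not
the commenter's script. Assumes static pages and a mail relay on localhost.
URLs, baseline hashes and addresses are constructed for illustration.
"""
import hashlib
import hmac
import smtplib
from email.message import EmailMessage
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed baseline: SHA-256 of the byte-exact body captured at the last audit.
# Regenerate it deliberately after every legitimate deploy, never automatically.
KNOWN_GOOD = {
    "https://example.com/": hashlib.sha256(b"<html>home</html>\n").hexdigest(),
    "https://example.com/contact": hashlib.sha256(b"<html>contact</html>\n").hexdigest(),
}


def fetch_live(url, timeout=15):
    """Return (status, body). Status 0 means no HTTP response arrived at all."""
    req = Request(url, headers={"User-Agent": "site-integrity-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as exc:          # 4xx/5xx: a response, just not a 200
        return exc.code, b""
    except URLError as exc:           # DNS failure, refused connection, TLS error
        return 0, str(exc.reason).encode()


def check_pages(baseline, fetch=fetch_live):
    """Return a list of problem strings; an empty list means every page matched."""
    problems = []
    for url, expected in baseline.items():
        status, body = fetch(url)
        if status != 200:
            problems.append(f"{url}: expected HTTP 200, got {status}")
            continue
        actual = hashlib.sha256(body).hexdigest()
        # Constant-time compare is habit more than necessity here; it costs nothing.
        if not hmac.compare_digest(actual, expected):
            problems.append(
                f"{url}: body hash {actual[:12]} differs from baseline {expected[:12]}"
            )
    return problems


def build_alert(problems, sender="monitor@example.com", recipient="ops@example.com"):
    """Compose the alert mail; returned as a message so callers can inspect it."""
    msg = EmailMessage()
    msg["Subject"] = f"[site-check] {len(problems)} problem(s) detected"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(problems))
    return msg


def main():
    problems = check_pages(KNOWN_GOOD)
    if problems:
        with smtplib.SMTP("localhost") as smtp:
            smtp.send_message(build_alert(problems))
        raise SystemExit(1)


if __name__ == "__main__":
    main()
```

Run it from cron against the HTTPS URLs so that what gets hashed is what a visitor receives after transit, not only what sits on disk; from the monitor's vantage point that also catches the in-transit content insertion the rest of this thread argues about, which a checksum of the files on the server would miss. Recapture the baseline after every legitimate deploy, since a stale baseline turns every alert into noise.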

      • (Score: 0) by Anonymous Coward on Tuesday September 20 2016, @07:26AM

        by Anonymous Coward on Tuesday September 20 2016, @07:26AM (#404146)

        Injecting 0-day exploits to your clients. Sounds pretty useful to me.

  • (Score: 5, Insightful) by Thexalon on Monday September 19 2016, @09:48PM

    by Thexalon (636) on Monday September 19 2016, @09:48PM (#403993)

    Normal certs aren't exactly high security these days, but they can at least be tracked back to the credit card used to buy them. Let's Encrypt hands them out for free to anyone with zero validation. Why isn't this seen as an attack on the entire SSL concept?

    1. The credit card information isn't something you as the general public know, you'd have to politely ask the fly-by-night certificate authority reseller for it. And then hope that it isn't stolen and gives you a trail back to a harmless little old lady or something, because we know that somebody shady enough that you'd want to trace them would never think to do that. If you need to trace a bad guy or something, wouldn't you have at least as much luck finding them out via their domain name registrar or hosting provider?

    2. The validation that Let's Encrypt does for a domain is identical to the validation that a basic SSL certificate does, it's just done in an automated fashion. That validation amounts to "stick a file on your webserver, access the website using the domain, if that file is there as expected then you're good to go". You seem to be assuming that it's somehow more secure if money changes hands, when that doesn't do anything except validate that somebody has a credit card with at least $25 or so available on its credit limit.

    3. The basic level of SSL only provides two things (1) Some approximate proof that when you're reaching what you think is example.com, it's really example.com and not a MITM proxy, and (2) protection against anybody who isn't the NSA easily reading the data. That's it. That's all it's ever done. Why not give people the tools to do that cheaply and easily? What advantage is there to anyone other than certificate resellers to making everybody who wants to do that pay some gatekeeper?

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by DannyB on Tuesday September 20 2016, @06:01PM

      by DannyB (5839) on Tuesday September 20 2016, @06:01PM (#404371)

      I hope nobody would be suggesting that if I encounter a google.com certificate issued by Honest Achmed's Certificate Authority of Tehran, Iran, that I should not trust it?

      Wouldn't that be profiling? Or not trusting all Certificate Authorities equally?

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by meustrus on Tuesday September 20 2016, @09:07PM

        by meustrus (4961) on Tuesday September 20 2016, @09:07PM (#404482)

        Well Thexalon certainly didn't suggest that. If you don't trust certain CAs, well that's a different problem. A problem that once again is not made worse by Let's Encrypt.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
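What the "file on your webserver" in Thexalon's point 2 actually contains, as an added Python example (not Let's Encrypt's code, not dehydrated's, not any ACME client's): for the HTTP-01 challenge in RFC 8555 the CA hands the client a random token, the client serves token.thumbprint at /.well-known/acme-challenge/token, where thumbprint is the RFC 7638 SHA-256 of the account's public key, and the CA fetches that URL over plain HTTP on port 80 and compares. The account key coordinates and the token below are placeholders, not a real key or a real challenge.

```python
"""ACME HTTP-01: what the domain-control check compares.

Added example based on RFC 8555 section 8.3 (challenge) and RFC 7638
(JWK thumbprint); not code from Let's Encrypt or any ACME client.
ACCOUNT_JWK holds placeholder base64url strings, not a key anyone holds,
and TOKEN is constructed; a real CA generates the token per challenge.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JOSE and ACME use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: hash only the required public members, lexicographically ordered,
# serialised with no whitespace. Extra members (alg, kid, ...) are ignored.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    required = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: the exact body to serve at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Client side: where the CA will look (scheme http, port 80, this path)."""
    return f"/.well-known/acme-challenge/{token}"


def ca_validate(fetched_body: bytes, token: str, account_jwk: dict) -> bool:
    """CA side: compare the fetched body with the expected key authorization.

    Trailing whitespace is tolerated, as the RFC allows; nothing else is.
    The account key is the one that signed the order, so a body produced by
    someone without that key fails even if they control the web server.
    """
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(fetched_body.rstrip(), expected)


# Placeholder account key: base64url strings standing in for real P-256
# coordinates. Constructed token; a real one carries >= 128 bits of entropy.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    body = key_authorization(TOKEN, ACCOUNT_JWK)
    print("serve at", challenge_path(TOKEN))
    print("body    ", body)
    print("CA check", ca_validate(body.encode() + b"\n", TOKEN, ACCOUNT_JWK))
```

The thumbprint is what ties the challenge to an account: someone who can write files into the web root but does not hold the account key cannot satisfy a challenge issued for that account. Anyone who controls port 80 for the name (or its DNS, or, as the BGP discussion further down the thread shows, its route) can of course request their own. That is the same class of domain-control check a paid DV certificate rests on; automating it changes nothing about its strength.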
  • (Score: 4, Insightful) by edIII on Monday September 19 2016, @10:15PM

    by edIII (791) on Monday September 19 2016, @10:15PM (#404006)

    The entire Internet is menaced with the threat that is Let's Encrypt until browsers either remove the secure icon when displaying content behind one of their certs, display an entirely different icon, or simply reject the certs entirely by dropping their root.

    Uhhhh, what? You may need to explain that a heck of a lot more. Quite frankly, it sounds like my warning about the squirrels taking over the planet: lacking evidence (for now).

    Normal certs aren't exactly high security these days, but they can at least be tracked back to the credit card used to buy them. Let's Encrypt hands them out for free to anyone with zero validation. Why isn't this seen as an attack on the entire SSL concept?

    I think it's not seen as an attack, because it isn't? What you're talking about are different levels of verification, and the absence of the higher levels does not remove the utility of the lower ones.

    Zero validation is just patently false, as it does perform domain name control validation. I guess that acme/well-known stuff counts as zero validation huh?

    Soylent's SSL cert isn't that high either (Organization verification missing), so why should it escape the fire as you suggest? Purely because they paid Gandi hosting to do it?

    Furthermore, Lets Encrypt could offer a paid service to provide organizational validity to certs. In any case, credit cards are not that strongly identifying anymore. I can get a throw-away card fairly easily, and you seem to be demanding that no SSL ever be free by design. That's nonsensical and baseless. The differing levels of validation can be performed in the complete absence of a service fee.

    Now let's consider the gigawatt hours of wasted electricity used to encrypt content that absolutely, positively does not require any such protection. Now consider the wasted bandwidth because SSL Everything breaks all attempts to cache content. All because of an irrational panic.

    Give an example of what does need protection, and then justify why it can't receive protection nonetheless purely out of desire for privacy.

    Wasted is your connotation, not the rest of the world's. In fact, the majority of us possess a quite sophisticated understanding of the value of privacy, and anonymity, in the context of information theory around here. So put on your big boy pants if you want to start making claims about whether or not privacy is ethical, moral, and/or provides any levels of security.

    Grow the f*ck up people, if the [powers that be in your country] want your porn browsing history they will get it from the source, not by tapping the link. Your ISP can be a problem, but half the effort and expense put into this mindless encryption would have beat them into submission.

    Ahhhh, the truth of your intentions revealed. You're not anti LE, but anti-encryption period. By "grow up" you make a half-assed moral judgement. You deride the rest of us for desiring privacy in the first place, as government has the ability to violate it seemingly making the just desire for privacy pointless.

    You propose "might makes right" here, and then say that the resources gained back from not encrypting anything would lead us to fight the ISPs for unexplained reasons. What are they?

    If you're going to shill for the mass surveillance state, you should try a heck of a lot harder at it. I sincerely doubt anyone is buying your hyperbole about how we don't need to protect our privacy. Not everything is porn, and even porn can have terrible social consequences because we do live with judgmental assholes that use fear to govern their lives.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2) by jmorris on Tuesday September 20 2016, @01:50AM

      by jmorris (4844) on Tuesday September 20 2016, @01:50AM (#404072)

      SSL protection should generally be reserved for sites that have paid one of the certificate issuers to do some basic level of due diligence to assure those connecting that the site is who it says it is. That was the design goal of the whole project. That was the business case for their existence, not just collecting $9.95/yr for no obvious reason.

      If somebody feels the need to just be protected from MitM attacks, there have been efforts to place keys into DNS, those efforts should be revived and put into widespread use.

      Signed pages vs encrypted have many advantages. The signatures on page elements can be precalculated and they can be cached in squid caches on network edges. If done in the http headers even images (i.e. ads) can be protected as well as text. It is now up to the critics to explain what advantage full encryption carries over signing. There are obviously exceptions. Any transaction involving a password should be protected. Sending credit cards and such should be protected, banking and other finance.

      For example, let us use soylent as an example. Logging in should be protected. Pageviews really don't have to be protected but comment submission would need to either encrypt or use another method to assure identity, same for account editing. Everything is being posted for full public view, encrypting it in transit on a per session/view basis is pointless and a waste of resources. Signing pages would prevent ISPs and others from playing content insertion games and is all that is needed.

      I'd much rather see email encrypted by default than my activity at dilbert.com. Just knowing I connected to that domain is enough to tell the story, same for pornhub. Intelligence gets almost as much from crude traffic analysis as they do from a detailed trawl of the text of every page and only a full paranoid solution like tor even addresses that issue.

      • (Score: 5, Insightful) by The Mighty Buzzard on Tuesday September 20 2016, @02:14AM

        by The Mighty Buzzard (18) on Tuesday September 20 2016, @02:14AM (#404081)

        Privacy and security are not something you should save for when you really need it. Nobody should ever know what you are up to unless you tell them or they show up with a warrant. Good fences make good neighbors.

        --
        My rights don't end where your fear begins.
      • (Score: 2) by Thexalon on Tuesday September 20 2016, @12:01PM

        by Thexalon (636) on Tuesday September 20 2016, @12:01PM (#404191)

        So let's say we did what you asked, and did an SSL connection to send in passwords to Soylent, and left everything else unencrypted. If we implement your plan, then part of what's unencrypted is your session cookie. Which means that now, anybody who intercepts that session cookie can for the next several hours pretend to be you, change your password, and lock you out of your own account.

        Or let's say you're working on a site with some sort of nice WYSIWYG editor, and you accidentally paste in sensitive information from another window. Even if you deleted it, you've just put that out on the open wire, where it can be intercepted. Hope it wasn't something important like your SSN or bank account!

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
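Thexalon's session-cookie point, as an added example driven by Python's standard-library cookie jar (not code from the comment or from SoylentNews): the jar applies the same rule a browser does for the Secure attribute, so a session cookie set during an HTTPS login without that attribute rides along on every later plain-HTTP pageview to the same host, which is the interception window described above. The host name and cookie value are constructed.

```python
"""Where a session cookie goes when only the login is over HTTPS.

Added example, not from the comment above or from SoylentNews. It feeds
a Set-Cookie header from a (simulated) HTTPS login into http.cookiejar and
asks which later requests the jar attaches the cookie to. Host name and
cookie value are constructed.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for the login response: the jar only calls info()."""

    def __init__(self, set_cookie_header: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_header: str, login_url: str, later_url: str):
    """Log in at login_url, receive set_cookie_header, then request later_url.

    Returns the Cookie header the jar attaches to the later request, or None
    when the policy (same one browsers apply for Secure) withholds it.
    """
    jar = CookieJar()
    login = Request(login_url)
    jar.extract_cookies(_SetCookieResponse(set_cookie_header), login)
    later = Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


# Constructed cookie and host. HttpOnly keeps scripts away from the cookie
# but says nothing about the wire; only Secure does that.
SESSION_NO_SECURE = "session=c0ffee-constructed; Path=/; HttpOnly"
SESSION_SECURE = "session=c0ffee-constructed; Path=/; HttpOnly; Secure"
LOGIN = "https://soylentnews.example/login"
PAGEVIEW_HTTP = "http://soylentnews.example/"
PAGEVIEW_HTTPS = "https://soylentnews.example/"


def exposure_table():
    """Which cookie flavour ends up on a plain-HTTP pageview, and which does not."""
    return {
        "no Secure flag, http pageview": cookie_header_for(SESSION_NO_SECURE, LOGIN, PAGEVIEW_HTTP),
        "Secure flag, http pageview": cookie_header_for(SESSION_SECURE, LOGIN, PAGEVIEW_HTTP),
        "Secure flag, https pageview": cookie_header_for(SESSION_SECURE, LOGIN, PAGEVIEW_HTTPS),
    }


if __name__ == "__main__":
    for case, header in exposure_table().items():
        print(f"{case:30s} -> Cookie: {header}")
```

Adding Secure stops the leak, but only by making every plain-HTTP pageview anonymous, so a site that wants logged-in pageviews, comment posting and account editing to work has to serve them over HTTPS anyway; the split design collapses back to encrypting the whole session.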
    • (Score: -1, Flamebait) by Anonymous Coward on Tuesday September 20 2016, @02:40AM

      by Anonymous Coward on Tuesday September 20 2016, @02:40AM (#404089)

      Dickwads like you who cry "shill" against anyone with a different viewpoint are very tiresome. Don't be so fucking arrogant to think you have claimed the high moral ground. Fucktards like you need to grow up and get some perspective. You're the fucking reason civil discourse is in the shitter and we're stuck in the political morass that we're in; asswipes like you can't look past your self-inflated egos to see that other points of view exist in the world that are not of your making.

      • (Score: 2) by edIII on Tuesday September 20 2016, @03:47AM

        by edIII (791) on Tuesday September 20 2016, @03:47AM (#404114)

        Don't be so fucking arrogant to think you have claimed the high moral ground.

        You mean that ground based on the Constitution of the United States Of America, the principles of freedom, the principles of anonymity, the principles of privacy, the vision granted by Game Theory and Big Data, the view of privacy as a human right and not a sense of entitlement?

        Yeah. I don't have a solid foundation at all....... ;P

        --
        Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by VanessaE on Tuesday September 20 2016, @12:14PM

        by VanessaE (3396) on Tuesday September 20 2016, @12:14PM (#404195)

        > You're the fucking reason civil discourse is in the shitter [...]

        Says the guy whose post is littered with insults and expletives instead of rational argument.

  • (Score: 0) by Anonymous Coward on Monday September 19 2016, @11:18PM

    by Anonymous Coward on Monday September 19 2016, @11:18PM (#404031)

    Please move to North Korea. You'll like it there.

  • (Score: 0) by Anonymous Coward on Monday September 19 2016, @11:26PM

    by Anonymous Coward on Monday September 19 2016, @11:26PM (#404034)

    Grow the f*ck up people, if the [powers that be in your country] want your porn browsing history they will get it from the source, not by tapping the link.

    As many things as possible should be encrypted to help cover those who need encryption the most. Not everything is about you, and that's a selfish viewpoint. You seem to be using a straw man against privacy advocates by making it seem as if they're saying that it's highly probable that they as individuals are being or could be specifically targeted by the government, when in reality they tend to be more worried about activists, journalists, political opponents, lawyers, whistleblowers, etc.

    I don't know how much Let's Encrypt will help with this in practice, but the point I quoted is just silly.

  • (Score: 5, Insightful) by butthurt on Tuesday September 20 2016, @02:02AM

    by butthurt (6141) on Tuesday September 20 2016, @02:02AM (#404077)

    > Let's Encrypt hands them out for free to anyone with zero validation.

    Not zero: they require an e-mail address, or so I've heard.

    > Why isn't this seen as an attack on the entire SSL concept?

    Will Let’s Encrypt issue Organization Validation (OV) or Extended Validation (EV) certificates?

    We have no plans to issue OV or EV certificates.

    --https://letsencrypt.org/docs/faq/ [letsencrypt.org]

    My browser makes the distinction; yours probably does, too.

    > Grow the f*ck up people, if the [powers that be in your country] want your porn browsing history they will get it from the source, not by tapping the link.

    In the USA they tap the link.

    https://en.wikipedia.org/wiki/Room_641A [wikipedia.org]
    http://www.matthewaid.com/post/58904880659/nsa-surveillance-programs-cover-75-of-internet [matthewaid.com]

    > Your ISP can be a problem, but half the effort and expense put into this mindless encryption would have beat them into submission.

    Some of the people who criticised or publicised the U.S. surveillance apparatus have met with significant retaliation.

    https://en.wikipedia.org/wiki/William_Binney_%28U.S._intelligence_official%29 [wikipedia.org]
    https://en.wikipedia.org/wiki/Thomas_Andrews_Drake [wikipedia.org]
    https://en.wikipedia.org/wiki/Edward_Snowden [wikipedia.org]
    https://en.wikipedia.org/wiki/Russ_Tice [wikipedia.org]
    https://en.wikipedia.org/wiki/Thomas_Tamm [wikipedia.org]

    I wouldn't say their efforts have succeeded in ending co-operation between spooks and ISPs. Even if that happens, the effort and expense put into Let's Encrypt may not be wasted: it's not only governments that wish to spy upon Web users, but private criminals and (as noted by others in this topic) advertisers.

    On Dec. 24, 2004, TTNet sent out a full table of Internet routes via BGP that routed most Internet traffic through Turkey for several hours that morning.
    [...]
    In August 2008, two security researchers demonstrated at DEFCON how an attacker could eavesdrop or change a company's unencrypted data by exploiting BGP. The attacker would reroute all of the company's traffic through their own network and then send it to its destination without the owner's knowledge.

    --http://www.pcworld.com/article/157905/net_routing_nightmares.html [pcworld.com]

    The Internet is a big place; when you use HTTP you choose to trust organisations in various countries. If you want your browsing habits to be public, you are of course free to inform the world of them (set up a proxy, turn on logging, and put the logs online). If you disapprove of SSL you do have the option of avoiding sites that require it (thank you, though, for supporting soylentnews.org).

  • (Score: 0) by Anonymous Coward on Tuesday September 20 2016, @03:20AM

    by Anonymous Coward on Tuesday September 20 2016, @03:20AM (#404105)

    HTTPS should be required, and it should be free. There are state sponsored and other man-in-the-middle attacks that compromise security and can enable DDoS attacks by injecting JavaScript in clear HTTP streams. Ideally, DNSSEC would store the CA for the domain instead of the browser's CA store, but a free CA is a second best option.

    There is already a different icon for certificates that contain identity information, so the credit card thing is irrelevant.

  • (Score: 0) by Anonymous Coward on Tuesday September 20 2016, @05:18PM

    by Anonymous Coward on Tuesday September 20 2016, @05:18PM (#404338)

    This post is yet more proof that racism and idiocy go hand in hand.
    Even when he's not talking about race he's still really fucking stupid.