
posted by mrpg on Thursday July 20 2017, @04:20AM
from the green-padlock dept.

Submitted via IRC for Bytram

Let's Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

[...] "Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are just domain validation certificates with no assurance about the identity of the organization that owns the site," said Asif Karel, director of product management at Qualys.

[...] "Let's Encrypt can absolutely be abused," said Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt. "But so can't any other certificate authority. People act like Let's Encrypt is the first CA to be abused. This is preposterous."

[...] Jett and others applaud the accomplishments of Let's Encrypt, but believe the organization, founded by Mozilla, Cisco and the Electronic Frontier Foundation, is in a unique position to take a leadership role that could be used to crack down on certificate abuse when it comes to better vetting of applicants in order to weed out criminals.

Source: https://threatpost.com/free-certs-come-with-a-cost/126861/

  • (Score: 1) by Revek on Thursday July 20 2017, @01:50PM (2 children)

    by Revek (5022) on Thursday July 20 2017, @01:50PM (#541906)

    Cheated like blacksmiths got cheated out of revenue when the horseless carriage came along? Or arcades got cheated out of revenue when the home game console came along? That argument is the weakest of all arguments concerning CA issuers. The real truth is that the for-profit CA authorities are gouging money from their customers and not providing one thing extra. Let's Encrypt has just shined a light on it. No one's getting cheated.

    --
    This page was generated by a Swarm of Roaming Elephants
  • (Score: 3, Informative) by Pino P on Thursday July 20 2017, @02:53PM

    by Pino P (4721) on Thursday July 20 2017, @02:53PM (#541921) Journal

    > The real truth is that the for profit CA authorities are gouging money from their customers and not providing one thing extra.

    Unlike Let's Encrypt, which offers only domain-validated (DV) certificates, for-profit CAs offer organization-validated (OV) and Extended Validation certificates. This affects users of browsers and search engines that treat OV certificates differently from DV certificates:

    SiteTruth
    The SiteTruth service [sitetruth.com] assigns one of four levels of trust to each ad's target, the levels being, from lowest to highest, "do not enter: commercial site that hasn't published an identifiable Latin-script address", "non-commercial site", "commercial site that has published an address and has a DV certificate", and "commercial site that has published an address and has an OV or EV certificate or a Better Business Bureau seal". There used to be a web search engine that displayed the trust level for each site; now all I can find is an "Ad Limiter" extension for Chrome that hides all ads on each search result page except the one for the most trustworthy business.
    Comodo Dragon and IceDragon browsers
    Comodo publishes rebranded versions of Chromium and Firefox that try to make domain-validated certificates conspicuous. In various versions, this has ranged from an interstitial similar to that for self-signed certificates [netcraft.com] to a lock with a triangle (the same icon used for mixed content). Only a CA's claim of a subject's real-world identity (that is, an OV or stronger cert) shuts up Dragon.
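The DV-versus-OV/EV distinction that Pino P draws here, and that the Qualys quote in the summary turns on, can be read straight out of a certificate. The following is an added example in Go, not code from the article, from SoylentNews or from any commenter: it classifies a parsed X.509 leaf by the CA/Browser Forum policy OID the issuer asserted and, when no such OID is present, falls back to whether the subject carries an Organization name (the field that OV/EV vetting adds and that a DV certificate lacks). The self-signed certificates, subject names and zero key seed it builds are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum certificate-policy OIDs that state how the subject was validated.
var levelByPolicy = map[string]string{
	"2.23.140.1.1":   "EV", // Extended Validation
	"2.23.140.1.2.2": "OV", // Organization Validated
	"2.23.140.1.2.1": "DV", // Domain Validated (what Let's Encrypt issues)
}

// Classify reports "EV", "OV" or "DV" for a leaf certificate: the issuer's policy OID when
// present, else the heuristic that a subject with no Organization name was only domain-validated.
func Classify(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		if level, ok := levelByPolicy[p.String()]; ok {
			return level
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// makeCert builds a constructed self-signed certificate for the example (a real leaf is CA-issued).
func makeCert(subject pkix.Name, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed zero seed: example only
	tmpl := &x509.Certificate{
		SerialNumber:      big.NewInt(1),
		Subject:           subject,
		NotBefore:         time.Now(),
		NotAfter:          time.Now().Add(24 * time.Hour),
		PolicyIdentifiers: policies,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The same Classify function works on a certificate fetched from a live server (for example the leaf from tls.ConnectionState().PeerCertificates[0]); the policy-OID path is authoritative, the Organization fallback is only a heuristic for certificates that omit the policy extension.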
  • (Score: 3, Informative) by Grishnakh on Thursday July 20 2017, @03:14PM

    by Grishnakh (2831) on Thursday July 20 2017, @03:14PM (#541928)

    Whoosh! (I think) The OP was being sarcastic in case you didn't realize.

    But no, it's not really like the blacksmiths and horseless carriages, because both cost money and one does a substantially different job than the other. It's more like free software vs. proprietary software: Microsoft is being cheated out of revenue every time someone installs Linux instead of purchasing a Windows license, and Adobe is being cheated out of revenue every time someone uses The GIMP or Krita, and IBM/Rational is being cheated out of revenue every time someone uses Subversion or Git. If you're looking for a non-software, non-computing analogy, I honestly can't think of one offhand, because I can't think of any other place where people give stuff away for free, without some kind of profit motive (like Google's "free" services, where they profit by advertising to you, or "free" cellphone apps which include ads). I suppose you could point to bottled-water companies being "cheated" of revenue when people drink tap water.