Stories
Slash Boxes
Comments

SoylentNews is people

Free Certs Come With a Cost

posted by mrpg on Thursday July 20 2017, @04:20AM   Printer-friendly
from the green-padlock dept.

MrPlow writes:

Submitted via IRC for Bytram

Let's Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

[...] "Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are just domain validation certificates with no assurance about the identity of the organization that owns the site," said Asif Karel, director of product management at Qualys.

[...] "Let's Encrypt can absolutely be abused," said Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt. "But so can't any other certificate authority. People act like Let's Encrypt is the first CA to be abused. This is preposterous."

[...] Jett and others applaud the accomplishments of Let's Encrypt, but believe the organization, founded by Mozilla, Cisco and the Electronic Frontier Foundation, is in a unique position to take a leadership role that could be used to crack down on certificate abuse when it comes to better vetting of applicants in order to weed out criminals.

Source: https://threatpost.com/free-certs-come-with-a-cost/126861/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Free Certs Come With a Cost | Log In/Create an Account | Top | 70 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Pino P on Thursday July 20 2017, @03:12PM

    by Pino P (4721) on Thursday July 20 2017, @03:12PM (#541926) Journal

    Captive WiFi portals are quickly becoming impossible as browsers don't want to even consider making an http connection to let the captive portal have a chance to grab it.

    Since when? Last time I tried Firefox on a hotspot with a captive portal, I got a message to the effect that this connection requires users to sign in. Unfortunately, I forget the exact wording, but based on the bug list at Mozilla's page about captive portal detection [mozilla.org], it appears to be live since Firefox 52.

    And forget caching

    If you operate an ISP in a remote area with a slow and/or harshly capped upstream [codinghorror.com], you could run an internal CA on your intercepting caching proxy, and install the corresponding root certificate on all subscribers' devices. However, this may not work for devices running Android 7 or later, which ignore user-installed certificates unless an app explicitly opts into using them.

    I get it, the NSA is listening. But why do I care that they know I looked at the weather forecast?

    They care that you looked at the weather forecast for a place in the region that happens to be considered "terrorist haven" this decade.

    Bought an SSL cert lately? Other than a credit card on file somewhere to confirm the payment of the token fee, all it proves is that the person buying the cert had control of the web server for at least the brief moment the purchase occurred on.

    Unless you've set your TLS client to distrust certificates without an organization name and address.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2