
posted by mrpg on Thursday July 20 2017, @04:20AM
from the green-padlock dept.

Submitted via IRC for Bytram

Let's Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

[...] "Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are just domain validation certificates with no assurance about the identity of the organization that owns the site," said Asif Karel, director of product management at Qualys.

[...] "Let's Encrypt can absolutely be abused," said Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt. "But so can any other certificate authority. People act like Let's Encrypt is the first CA to be abused. This is preposterous."

[...] Jett and others applaud the accomplishments of Let's Encrypt, but believe the organization, founded by Mozilla, Cisco and the Electronic Frontier Foundation, is in a unique position to take a leadership role that could be used to crack down on certificate abuse when it comes to better vetting of applicants in order to weed out criminals.

Source: https://threatpost.com/free-certs-come-with-a-cost/126861/



  • (Score: 2) by Pino P on Thursday July 20 2017, @03:21PM (3 children)

    by Pino P (4721) on Thursday July 20 2017, @03:21PM (#541930) Journal

    Captive portals are actively dangerous anyway.

    But can you think of a less dangerous way to present terms of use to users of bring-your-own devices and solicit a user's acceptance of said terms?

    Caching at the network level hasn't been a win for over a decade: the long tail of content is large enough that you miss in the cache a lot more than you hit and the cost of maintaining the cache is more than the cost of the off-network bandwidth that you save.

    Which won't help when fans of cleartext HTTP contrive situations involving maximally cacheable responses over maximally expensive connections, such as two dozen students in the same classroom in poor sub-Saharan Africa viewing the same Wikipedia article [codinghorror.com].

    URL filtering is similarly easy on the client side, which is where modern web browsers do it.

    Which breaks in cases of bring your own device.

  • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @04:19PM

    by Anonymous Coward on Thursday July 20 2017, @04:19PM (#541961)

    Yes, they should have a dedicated protocol for presenting them. Your device connects to a network, it does its DHCP request, gets the network configured, then fires off an ICP (or whatever people decide to call it) request; the response for that includes the necessary information to pop up a dedicated window in your OS to enter credentials. Once an accepted reply is received, the stack issues a new DHCP request and a new ICP request; if it receives notice that it isn't required, then it proceeds as usual and marks the network as up.

    The benefit with this is that the OS can know for sure that the network isn't up and all DNS or other requests will fail.
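As an added illustration, not part of the comment above and not an existing standard, the following Python simulates the handshake the commenter sketches: DHCP, then a dedicated "ICP" query, a credential prompt if the reply says the portal is in the way, then a fresh DHCP and ICP round before the OS marks the interface up, with every DNS request refused until then. The name ICP, the JSON-style message shapes, and the choice to key portal acceptance on a device identifier are all assumptions made here so the exchange can run offline with both sides in one file.

```python
"""Simulation of the captive-portal handshake proposed in the comment above.

Constructed example: "ICP" and its message format are the commenter's
hypothetical protocol, not a real standard, and the network side below is a
stand-in so that the exchange can run offline.
"""


class Network:
    """Network side: DHCP, the hypothetical ICP endpoint, and credential check."""

    def __init__(self, requires_portal, accepted_credential=None):
        self.requires_portal = requires_portal
        self.accepted_credential = accepted_credential
        self.authorised = set()      # device ids that have cleared the portal
        self.dhcp_requests = []      # log of DHCP requests, to show the re-request

    def dhcp(self, device_id):
        """Hand out a lease; the simulation only records that it happened."""
        self.dhcp_requests.append(device_id)
        return {"lease": len(self.dhcp_requests)}

    def icp(self, device_id):
        """ICP reply: either 'not captive' or the data for the OS login window."""
        if not self.requires_portal or device_id in self.authorised:
            return {"captive": False}
        return {
            "captive": True,
            "portal": {"prompt": "Accept the terms of use and log in",
                       "fields": ["username", "password"]},
        }

    def submit(self, device_id, credential):
        """Credential submission; acceptance is keyed on the device (assumption)."""
        if credential == self.accepted_credential:
            self.authorised.add(device_id)
            return {"status": "accepted"}
        return {"status": "rejected"}


class Client:
    """OS network stack: the interface is 'up' only once ICP says not captive."""

    def __init__(self, device_id, credential_provider):
        self.device_id = device_id
        self.credential_provider = credential_provider  # stands in for the OS window
        self.up = False

    def connect(self, network, max_rounds=3):
        """Run DHCP + ICP rounds until ICP reports no portal, or give up."""
        for _ in range(max_rounds):
            network.dhcp(self.device_id)
            reply = network.icp(self.device_id)
            if not reply["captive"]:
                self.up = True
                return True
            credential = self.credential_provider(reply["portal"])
            # Accepted or not, the loop re-issues DHCP and ICP as proposed;
            # a rejected credential simply brings the window back.
            network.submit(self.device_id, credential)
        return False

    def resolve(self, name):
        """DNS (or any other) request: refused outright while the network is down."""
        if not self.up:
            raise RuntimeError("network is not up: captive portal not cleared")
        return "192.0.2.1"  # stand-in answer; no real resolver is involved


if __name__ == "__main__":
    cafe = Network(requires_portal=True, accepted_credential="guest:coffee")
    laptop = Client("aa:bb", lambda portal: "guest:coffee")
    print("connected:", laptop.connect(cafe), "dhcp rounds:", len(cafe.dhcp_requests))
    print("lookup:", laptop.resolve("example.org"))
```

The point the simulation makes is the one in the comment: because `resolve` consults the stack's own `up` flag rather than trying a request and interpreting whatever the portal intercepts, nothing leaks onto the network before the portal is cleared, and a rejected credential leaves the interface down rather than half-working.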

  • (Score: 2) by TheRaven on Sunday July 23 2017, @05:29PM (1 child)

    by TheRaven (270) on Sunday July 23 2017, @05:29PM (#543406) Journal

    But can you think of a less dangerous way to present terms of use to users of bring-your-own devices and solicit a user's acceptance of said terms?

    Sure. Write 'by connecting to this network, you accept the terms of use' on the piece of paper that you give them with their login credentials. There is a lot more precedent for this kind of agreement having legal force than for a click-through agreement.

    --
    sudo mod me up
    • (Score: 2) by Pino P on Sunday July 23 2017, @10:09PM

      by Pino P (4721) on Sunday July 23 2017, @10:09PM (#543498) Journal

      Write 'by connecting to this network, you accept the terms of use' on the piece of paper that you give them with their login credentials.

      Have you tested this policy in an actual restaurant? As I understand it, customers don't expect to have to physically stand in line for credentials. They expect to use the hotspot to pass the time while standing in line to place an order (in the case of a quick-service restaurant) or for a seat (in the case of a sit-down restaurant).