posted by mrpg on Thursday July 20 2017, @04:20AM
from the green-padlock dept.

Submitted via IRC for Bytram

Let's Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

[...] "Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are just domain validation certificates with no assurance about the identity of the organization that owns the site," said Asif Karel, director of product management at Qualys.

[...] "Let's Encrypt can absolutely be abused," said Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt. "But so can't any other certificate authority. People act like Let's Encrypt is the first CA to be abused. This is preposterous."

[...] Jett and others applaud the accomplishments of Let's Encrypt, but believe the organization, founded by Mozilla, Cisco and the Electronic Frontier Foundation, is in a unique position to take a leadership role that could be used to crack down on certificate abuse when it comes to better vetting of applicants in order to weed out criminals.

Source: https://threatpost.com/free-certs-come-with-a-cost/126861/
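The point Karel makes above, that a domain-validated certificate proves control of a name and says nothing about the organization behind it, can be checked mechanically. The Go program below is an added example, not code from the article, Threatpost or Let's Encrypt: it reads the CA/Browser Forum's reserved policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV) from a certificate's certificatePolicies extension, falls back to whether the Subject names an Organization at all, and builds its own constructed self-signed sample certificates. The function names and the sample values are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var cabfLevel = map[string]string{ // CA/Browser Forum reserved policy OIDs
	"2.23.140.1.1":   "EV",
	"2.23.140.1.2.2": "OV",
	"2.23.140.1.2.1": "DV",
}

// ValidationLevel returns "EV", "OV" or "DV" from certificatePolicies, else from the Subject.
func ValidationLevel(cert *x509.Certificate) string {
	for _, oid := range cert.PolicyIdentifiers {
		if lvl, ok := cabfLevel[oid.String()]; ok {
			return lvl
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV" // Subject asserts an identity, but carries no CABF marker
	}
	return "DV" // domain name only: says nothing about who runs the site
}

// MakeCert builds a constructed self-signed sample (not a real site cert); nil policy omits the extension.
func MakeCert(cn string, org []string, policy asn1.ObjectIdentifier) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, Organization: org},
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}
	if policy != nil { // certificatePolicies ::= SEQUENCE OF { policyIdentifier OID }
		val, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // constructed sample: any failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Run ValidationLevel over a site's leaf certificate (for example from tls.ConnectionState.PeerCertificates) to see whether the padlock rests on anything more than domain control.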


Original Submission

  • (Score: 2) by kaszz on Thursday July 20 2017, @03:35PM (2 children)

    by kaszz (4211) on Thursday July 20 2017, @03:35PM (#541935)

    My idea is more like this:
    A --> B --> C --> D
    C --> A
    E --> C --> F --> D

    And so on. And not government "A". It would anyway be treated like any other node and not given any special privileges.

  • (Score: 2) by JNCF on Thursday July 20 2017, @04:13PM (1 child)

    by JNCF (4317) on Thursday July 20 2017, @04:13PM (#541958)

    Each additional parent certificate in the chain is a potential point of failure. If a user simply trusts C, we only have 1 point of failure (speculation about blockchains imploding aside). Either that specific name/key is compromised, or we're golden. My point about governments is just that they can forcefully take the keys of any entity they've identified in their territory, so having a potential point of failure in those boundaries opens you up to all the shenanigans that TLAs can currently play with HTTPS -- potential points of failure aren't ok just because you actually trust them, anybody could be compromised at any time. I got that you weren't proposing government involvement. There are certainly times when a web of trust seems more reasonable than a blockchain, but I don't know if global domain and public key registration are one of them.

    • (Score: 2) by kaszz on Thursday July 20 2017, @04:24PM

      by kaszz (4211) on Thursday July 20 2017, @04:24PM (#541966)

      Of course this scheme would require people to have trustees outside of one territory. Preferably at least one in each power region.