Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Thursday July 20 2017, @04:20AM   Printer-friendly
from the green-padlock dept.

Submitted via IRC for Bytram

Let's Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

[...] "Unsuspecting users might think they are communicating with trustworthy sites because the identity of the site has been validated by a CA, without realizing that these are just domain validation certificates with no assurance about the identity of the organization that owns the site," said Asif Karel, director of product management at Qualys.

[...] "Let's Encrypt can absolutely be abused," said Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt. "But so can't any other certificate authority. People act like Let's Encrypt is the first CA to be abused. This is preposterous."

[...] Jett and others applaud the accomplishments of Let's Encrypt, but believe the organization, founded by Mozilla, Cisco and the Electronic Frontier Foundation, is in a unique position to take a leadership role that could be used to crack down on certificate abuse when it comes to better vetting of applicants in order to weed out criminals.

Source: https://threatpost.com/free-certs-come-with-a-cost/126861/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by kai_h on Friday July 21 2017, @09:35AM (1 child)

    by kai_h (1524) on Friday July 21 2017, @09:35AM (#542279)

    the hidden cost of free certificates is the cost of the infrastructure, required to run Let's Encrypt, which is probably not negligible.

    I don't know about that. I recently set up an nginx web server on a Ubnutu virtual machine. After getting the web server up and running, it literally took me 10 minutes to set up LetsEncrypt and create a cron job to renew my certificates on a regular basis. Done.
    This is much easier than the usual way which is to create a CSR (certificate signing request) in your web server of choice, get the CSR signed and, have a cert generated and then import this back into the web server - a task that I would otherwise only be performing once a ear at most, so would have to re-remember how to do it all over again every time the renewal comes around.

  • (Score: 2) by KritonK on Monday July 24 2017, @08:20AM

    by KritonK (465) on Monday July 24 2017, @08:20AM (#543611)

    I wasn't referring to our infrastructure as Let's Encrypt users, but to Let's Encrypt's own infrastructure. Certbot communicates with Let's Encrypt's servers, which cost money to operate. There's also the cost of developing and maintaining certbot and the corresponding server software.