
SoylentNews is people

posted by martyb on Tuesday March 06 2018, @11:49PM
from the green-padlock dept.

In this short article, Let's Encrypt lists the challenges ahead: service growth, new features, infrastructure, and finances.

Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

I think Let's Encrypt is a great service. Want to share your war story? Can you think of any downsides or threats related to all this?

[Ed note: SoylentNews uses Gandi for "soylentnews.org" and uses LetsEncrypt for all other domains and subdomains. --martyb]


  • (Score: 3, Interesting) by requerdanos (5997) on Wednesday March 07 2018, @01:12AM (#648808) (4 children)

    Great, more encrypted pages. Which means... slightly older web browser - well, no web for you!

    While you certainly have a point, I don't think it's quite as bad as all that, what with many/most GNU/Linux distributions managing trusted certificates separately from browsers. That can't make older software support newer algorithms, of course, and like you, I find the forced deprecation of older algorithms to be a bad thing, not a security panacea.

  • (Score: 4, Insightful) by edIII (791) on Wednesday March 07 2018, @02:25AM (#648829)

    Is that what is happening? I don't see forced deprecation of older algorithms, but forced deprecation of compromised algorithms, and algorithms proven to be weak when compared to today's cryptanalysis capabilities.

    You can either choose to create a collection of acceptable algorithms that supports as wide a range of devices and browsers as possible, or you security harden, and tighten it down to just a few algorithms. While not a panacea, it's sure a good start. Especially for banking websites, or websites with sensitive data.

    More and more, my medical records are coming online (despite my efforts to destroy all the copies everywhere), and I'm not particularly enthused to see the IT guy decide optimum device support is more important than optimum security.

    I must take the opposite view here. Let's revoke trusted certificates from people not operating with security in mind, and keep supported algorithms to just that which has been acid tested and still passes. The moment a vulnerability is found, that can't be mitigated, we remove the algorithm.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 0) by Anonymous Coward on Wednesday March 07 2018, @08:10AM (#648921) (1 child)

    That can't make older software support newer algorithms, of course

    I have switched the web interfaces of my access points from HTTPS to HTTP, because none of the browsers support the encryption algorithms that the access point firmware uses.

    Browser manufacturers are threatening to drop support for plain HTTP in a couple of years. Then I will no longer have any option to admin my access points.

    Note to self: Next time only buy access points and switches with RS-232; that will keep working forever.

    • (Score: -1, Flamebait) by Anonymous Coward on Wednesday March 07 2018, @05:08PM (#649075)

      your access points should die in a fire.

  • (Score: 2) by TheRaven (270) on Wednesday March 07 2018, @10:05AM (#648937)

    It's not so much the new certs, or even the new algorithms, it's newer versions of the TLS protocol. All SSL versions and TLS 1.0 have known attacks and so a lot of servers now simply refuse to support clients requesting versions prior to 1.1, and an increasing number require 1.2. This was what killed both my ancient Android phone and my partner's newer Windows Phone one: they didn't support the versions of the TLS protocol that things needed.

    That said, TLS 1.2 was finalised in 2008. Software that doesn't support a decade-old version of a key security protocol is probably a sign that it also has other security vulnerabilities and shouldn't be allowed on the Internet.

    --
    sudo mod me up
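TheRaven's point about servers refusing clients that offer pre-1.2 protocol versions, as an added example that is not part of the discussion: a small Python parser for a TLS ClientHello record that pulls out the client's legacy_version, its supported_versions extension and the cipher suites it offers (the same fields the access-point firmware in the earlier comment would be judged on), then applies a server floor of TLS 1.2. The ClientHello bytes are constructed inline rather than captured, and build_client_hello, parse_client_hello and negotiate are names chosen here.

```python
import struct

def u16(buf, off):
    return struct.unpack(">H", buf[off:off + 2])[0]

def build_client_hello(legacy_version, cipher_suites, supported_versions=None):
    body = struct.pack(">H", legacy_version) + bytes(32) + b"\x00"   # constructed sample: version, zero random, no session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"     # cipher suites, null compression only
    exts = b""
    if supported_versions:                                # only TLS 1.3-capable clients send this extension
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers
        exts = struct.pack(">HH", 0x002B, len(ext_data)) + ext_data
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record layer header

def parse_client_hello(record):
    """Extract the fields a server uses to choose (or refuse) a protocol version."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    legacy_version = u16(record, 9)
    p = 9 + 2 + 32 + 1 + record[43]                       # skip version, random, session_id
    n = u16(record, p)
    suites = [u16(record, i) for i in range(p + 2, p + 2 + n, 2)]
    p += 2 + n
    p += 1 + record[p]                                    # skip compression methods
    end = p + 2 + u16(record, p)
    p += 2
    supported = None
    while p + 4 <= end:
        etype, elen = u16(record, p), u16(record, p + 2)
        p += 4
        if etype == 0x002B:                               # supported_versions extension
            supported = [u16(record, i) for i in range(p + 1, p + 1 + record[p], 2)]
        p += elen
    return {"legacy_version": legacy_version, "cipher_suites": suites,
            "supported_versions": supported}

def negotiate(record, min_version=0x0303, max_version=0x0304):
    """Version a server with this floor/ceiling selects, or None when it refuses the client."""
    hello = parse_client_hello(record)
    if hello["supported_versions"]:                       # RFC 8446: extension overrides legacy_version
        ok = [v for v in hello["supported_versions"] if min_version <= v <= max_version]
    else:                                                 # pre-1.3 client: legacy_version is its maximum
        top = min(hello["legacy_version"], 0x0303)
        ok = [top] if top >= min_version else []
    return max(ok) if ok else None
```

With the default floor, a client whose ClientHello announces TLS 1.0 gets None (the refusal TheRaven describes), while a TLS 1.3 client is accepted on the version listed in its extension, not on the 0x0303 it puts in legacy_version.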