SoylentNews is people

posted by martyb on Tuesday March 06 2018, @11:49PM
from the green-padlock dept.

In this short article Let’s Encrypt lists challenges ahead, like service growth, new features and infrastructure and finances.

Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

I think Let's Encrypt is a great service. Want to share your war story? Can you think of any downsides or threats related to all this?

[Ed note: SoylentNews uses Gandi for "soylentnews.org" and uses LetsEncrypt for all other domains and subdomains. --martyb]


  • (Score: 2, Disagree) by ledow on Wednesday March 07 2018, @08:11AM (1 child)

    by ledow (5567) on Wednesday March 07 2018, @08:11AM (#648922) Homepage

    Self-signed certs are easy to fix - accept the certificate into your store and browsers will shut up.

    But un-encrypted pages are just idiotic even for local networks in this day and age, if you have even two users rather than one. XSS attacks on router settings pages, password sniffing, and even just plain fakery.

    The "well, home users don't need to worry about that because they're the only one on the local network" thing is dead already, because not only are such people in the absolute minority but because it's stupid to let down everyone's guard just for the reason that they might have to run a browser written in this decade and click "I accept" once in a while.

  • (Score: 3, Informative) by Pino P on Thursday March 08 2018, @01:38AM

    by Pino P (4721) on Thursday March 08 2018, @01:38AM (#649267) Journal

    "Self-signed certs are easy to fix - accept the certificate into your store and browsers will shut up."

    Provided that the following are true:

    • The user agent provides a persistent way to trust unknown-issuer certificates at all. Major PC web browsers do, at least for top-level navigation to an HTML document. But it might not be possible for transcluded resources, such as img, video, iframe, or resources accessed through a CORS XMLHttpRequest, unless the user has already navigated to a document on the same domain. And many non-PC devices including a web browser do not, instead enforcing a policy intended to protect non-technical users from themselves.
    • The user agent offers a practical means to verify the certificate's fingerprint before accepting it. This includes changing the wording of the interstitial specifically for unknown-issuer certificates presented by IP addresses on the same subnet, so that the fingerprint is front and center the way it is for SSH.
    • The server also displays the certificate's fingerprint through some means. A printer could print its certificate on paper or use the same status display that it uses for PC LOAD LETTER (i.e. out of paper) notifications, but a router might have more trouble.
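
The SSH-style workflow described in the comment above (compare the fingerprint the device shows out of band, then pin it) sketched as an added example; it is not part of the original comment or of any browser's code. The names `PinStore`, `der_fingerprint`, `normalize` and `fetch_der` are hypothetical, and the sample certificate bytes and the 192.0.2.10 address are constructed stand-ins.

```python
import hashlib
import hmac
import ssl

def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, shown as colon-separated hex (browser style)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(displayed: str) -> bytes:
    """Accept what a person reads off a printout: any case, colons, spaces or dashes."""
    cleaned = "".join(ch for ch in displayed if ch not in ":- \t\n")
    raw = bytes.fromhex(cleaned)          # raises ValueError on non-hex characters
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a full 32-byte SHA-256 fingerprint")
    return raw

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the presented certificate WITHOUT trusting it (no CA validation)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

class PinStore:
    """Trust-on-first-use store keyed by host:port, like SSH known_hosts."""
    def __init__(self):
        self._pins = {}

    def check(self, endpoint: str, der: bytes, displayed: str = None) -> str:
        seen = hashlib.sha256(der).digest()
        pinned = self._pins.get(endpoint)
        if pinned is not None:
            return "match" if hmac.compare_digest(pinned, seen) else "CHANGED"
        # First contact: pin only if the out-of-band fingerprint agrees.
        if displayed is None:
            return "unverified"
        if not hmac.compare_digest(normalize(displayed), seen):
            return "mismatch"
        self._pins[endpoint] = seen
        return "pinned"

# Constructed stand-ins for DER certificate bytes (not real certificates).
PRINTER_CERT = b"constructed-DER-bytes-for-printer-cert"
OTHER_CERT = b"constructed-DER-bytes-for-a-different-cert"

if __name__ == "__main__":
    store = PinStore()
    printed = der_fingerprint(PRINTER_CERT).lower().replace(":", " ")
    print(store.check("192.0.2.10:443", PRINTER_CERT, printed))
    print(store.check("192.0.2.10:443", OTHER_CERT))
```

A truncated fingerprint is rejected rather than prefix-matched, so a device that shows only the first few bytes cannot satisfy the check.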