SoylentNews is people
SoylentNews
Arstechnica reports
In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.
[....]Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers—such as GoDaddy—who also sell SSL certificates to their customers.
(Score: 2) by Thexalon on Wednesday March 14 2018, @03:13PM (7 children)
For those who are using SSL certs for simply verifying a domain, these certs are really easy to manage. Of course, companies who want you to shell out hard-earned cash for a less convenient service to do the same thing aren't going to tell you that the option even exists.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Wednesday March 14 2018, @03:41PM (1 child)
Having to worry about something once every 35.5 months is less convenient than having to worry about something every two and a half months? Really?
(Score: 0) by Anonymous Coward on Wednesday March 14 2018, @04:12PM
I think they are referring to how easy it is to renew a LetsEncrypt cert if you are using it for a simple website.
(Score: 2) by JoeMerchant on Wednesday March 14 2018, @04:25PM (4 children)
So, what safeguards are in-place to keep a nefarious 3rd party from assuming my identity with one of these free certificates and thus preventing me from claiming my true identity later, when I get around to wanting to?
🌻🌻 [google.com]
(Score: 4, Informative) by urza9814 on Wednesday March 14 2018, @04:52PM (3 children)
They validate that you're able to alter the DNS records or files present on the webserver it points to. So unless this nefarious 3rd party can alter your DNS records or the contents of your servers, they can't validate the ownership to LE and they won't be able to get a cert. And if they *can* alter that data, you're pretty screwed anyway.
(Score: 2) by JoeMerchant on Wednesday March 14 2018, @06:04PM
Better than I expected... probably as good as we want it (anything "better" would be much less convenient.)
🌻🌻 [google.com]
(Score: 2) by Thexalon on Wednesday March 14 2018, @06:07PM (1 child)
And to follow-up, that's all the basic SSL certs available commercially do as well. For anything more than that, you need an EV certificate, which you can buy and requires much more paperwork to prove you are who you say you are, and gives users additional confirmation of that identity in the address bar.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by urza9814 on Wednesday March 14 2018, @06:35PM
Yup. I did own a commercial cert before I started using LE. I bought it from the same company where I purchased my domain, which would have made proof of ownership rather redundant...but IIRC they made no attempt to validate anything at all. I'm sure their backend did some check to confirm that the cert and the domain were owned by the same account, but that was probably it.
So perhaps with LE they could get a fake cert by doing a MITM somewhere between your server and LE's...but with a commercial cert they could probably do the same, or MITM your login to the registrar, or phish your account details...so overall the security seems about the same. Also I think once you get LE set up once, as long as you renew before the cert expires, that existing cert will be used to secure the connections when requesting a renewal. So that might help. Not entirely sure though.