posted by cmn32480 on Wednesday March 14 2018, @02:16PM   Printer-friendly
from the simple-cypers dept.

Ars Technica reports:

In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.

[...] Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers—such as GoDaddy—who also sell SSL certificates to their customers.
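As an added example (not code from the Ars Technica article or from Let's Encrypt), the following Python shows which hostnames a wildcard name such as `*.example.com` actually covers under the RFC 6125 matching rules browsers apply: one label only, so a wildcard cert alone does not secure the bare domain or deeper subdomains. The hostnames and subjectAltName lists are constructed.

```python
"""Wildcard certificate name matching (RFC 6125 section 6.4.3 rules).
Added example; sample names are constructed, not taken from any real cert."""
import ipaddress
from typing import List


def _labels(name: str) -> List[str]:
    # Normalise: DNS names are case-insensitive; strip a trailing FQDN dot.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    try:
        ipaddress.ip_address(hostname)
        return False  # a DNS-name wildcard never matches an IP address
    except ValueError:
        pass
    pat, host = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return pat == host  # plain DNS name: exact label-by-label match
    # Only the leftmost label may be a wildcard, and it must be the whole label
    # (no "f*.example.com"); this is also the only form public CAs issue.
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    # Require at least two labels after the wildcard, so "*.com" is refused.
    if len(pat) < 3:
        return False
    # The wildcard matches exactly one label: *.example.com covers
    # www.example.com but neither example.com nor a.b.example.com.
    if len(host) != len(pat):
        return False
    return host[0] != "" and host[1:] == pat[1:]


def names_covered(cert_sans: List[str], hostname: str) -> bool:
    """A cert is valid for `hostname` if any subjectAltName entry matches.
    This is why operators request both example.com and *.example.com."""
    return any(wildcard_matches(san, hostname) for san in cert_sans)
```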


  • (Score: 2) by TheRaven (270) on Thursday March 15 2018, @08:39AM (#652840) (2 children)
    There are really only two alternatives:

    Option 1: The network is only used by a fixed set of clients, so you can push out your signing cert to all of them easily.

    Option 2: The network is used by clients that move from other networks to it. In this case, the air gap doesn't really buy you any security, because malware can infect one of the clients from the public network and can spread to your private network. In this case, you may as well set up a DMZ to push Let's Encrypt certs into the network.

    --
    sudo mod me up
  • (Score: 0) by Anonymous Coward on Thursday March 15 2018, @09:04AM (#652849)

    For your regular malware, you are right. However, there are other ways to prevent those (updates, not running as admin).

    A directed attack, on the other hand, is a lot easier if you have two way communication, and can attack one layer at a time, rather than needing to prepare everything ahead of time to sneak your attack in. It can be done - Stuxnet is an example - but your regular ADHD teen out to do some random damage is not going to take the time to find out the exact structure of the layers of security before even starting to write their attack code.

  • (Score: 2) by zocalo (302) on Thursday March 15 2018, @11:11AM (#652891)
    I'd agree with option one on a general purpose network, engineering networks like these, not so much. *Every* change, no matter how minor or how many times it's been done before, needs paperwork, risk assessments, and approvals. "I want to replace an expired TLS certificate" = one set. "I want to push a new CA to all clients" (some of which are proprietary tools and may not support a script based install) = another set, and so on.

    Yes, a lot of the clients are fairly easy to push a new CA to, others just need a current cert and don't actually validate the entire trust chain so they're easy too (and could be self-signed), the real PITAs are the proprietary tools that are at least partly managed by the vendor and don't tend to make the process easy *and* make people in management very twitchy because you're proposing a change to something they don't really understand but know that it's very expensive and very mission critical. Again, it's all about the paperwork and potential risk, not the cost, effort, or level of expertise involved. The easiest and least frequent hoop to jump through is to standardise on a set of commercial certs from a widely recognised vendor that will work across every client and server and only require updating as infrequently as possible.
    --
    UNIX? They're not even circumcised! Savages!