Stories
Slash Boxes
Comments

SoylentNews is people

Let's Encrypt Takes Free “Wildcard” Certificates Live

posted by cmn32480 on Wednesday March 14 2018, @02:16PM   Printer-friendly
from the simple-cypers dept.

An Anonymous Coward writes:

Arstechnica reports

In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.

[....]Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers—such as GoDaddy—who also sell SSL certificates to their customers.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Let's Encrypt Takes Free “Wildcard” Certificates Live | Log In/Create an Account | Top | 75 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Thursday March 15 2018, @09:58AM

    by Anonymous Coward on Thursday March 15 2018, @09:58AM (#652869)

    Why bother? The CA model is broken by design.

    The only secure options are self signed certificates with public key pinning (SSH style)[1] and DANE (DNS-based certificate validation), and I'm not entirely sure that the latter doesn't just move the problems from the CAs to the DNS root servers.

    Of course none of the browsers support any of the secure solutions. I don't know how much they get paid to support the broken CA model, but it better be enough to make risking jail time worth it, because jail time is what should happen to those who present https as having anything to do with security.

    [1] Yes, this has the problem of first visit. But so does the current CA model. The certificate doesn't say anything about trustworthiness, only that the server is who it pretends to be. So, a web server pretends to be someone I have never done business with before, which doesn't make it anymore trustworthy than a self-signed certificate I haven't seen before for someone I haven't done business with before.

    What we need to validate is that this web server is still the one I successfully did business with last month, and that's ensured by self signed certificates with public key pinning, and NOT by the current CA model. The current CA model only certifies that "Chinese telecom says that this server is still the the same domain as StartCom said it was last month".