SoylentNews is people

posted by martyb on Thursday March 05 2020, @05:54PM

Arthur T Knackerbracket has found the following story:

Let’s Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.

The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software—discovered and patched this past Sunday—impacted the way its software checked domain ownership before issuing certificates. However, users grumbled that this was not enough time to correct the problem.

Users and major integrators of Let’s Encrypt managed to replace more than 1.7 million of the affected certificates by the original deadline; however, more than 1 million were left that would have been revoked, causing the company to rethink its plan, a Let’s Encrypt spokeswoman told Threatpost late Wednesday.

“Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline,” Josh Aas, executive director for Let’s Encrypt said in a blog post updating users of the situation Wednesday.

The company’s plan now is to revoke 1,706,505 certificates that the company is confident were already replaced as well as “445 certificates that we treated as highest priority for revocation because, at the time we found the bug, they had CAA records that forbid issuance by Let’s Encrypt,” Aas wrote in the post.

“We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users,” he wrote.

Disclaimer: SoylentNews uses Let's Encrypt certificates.

Previously:
HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web


  • (Score: 5, Insightful) by Thexalon on Thursday March 05 2020, @08:08PM (2 children)

    by Thexalon (636) on Thursday March 05 2020, @08:08PM (#967071)

    Security is binary. Any value less than 1 is 0.

    No, it isn't.

    The number you want to measure is the amount of time and money needed to break security, and the value of the target. To use the meatspace version, no security is worse than a couple of mall cops is worse than a military base perimeter, but that doesn't mean that there aren't places where a couple of mall cops or even no security at all is appropriate, nor does it mean that a military base perimeter can't be breached by somebody willing to expend a lot of time and effort and money and lives to do so.

    So, for example, I run some tiny websites on a volunteer basis for some non-profits. And there's no sense in spending a huge amount of time or money on those sites' security, because there's no sensitive data on them, and not that much of a problem if I have to shut the sites down completely for a while. By contrast, the websites for 8-figure online businesses I'm responsible for get a lot more of my monitoring and attention.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2, Interesting) by Anonymous Coward on Thursday March 05 2020, @09:48PM

    by Anonymous Coward on Thursday March 05 2020, @09:48PM (#967115)

    The number you want to measure is the amount of time and money needed to break security, and the value of the target. To use the meatspace version, no security is worse than a couple of mall cops is worse than a military base perimeter, but that doesn't mean that there aren't places where a couple of mall cops or even no security at all is appropriate, nor does it mean that a military base perimeter can't be breached by somebody willing to expend a lot of time and effort and money and lives to do so.

    To expand on this: the value of almost all web traffic, by itself, is approximately zero. This means for most sites, the value of any security system is approximately nothing. Thus, excepting hobbyists who like to tinker with their servers for fun, in most cases you are wasting your time if you spend more than approximately zero minutes securing your website, and you are wasting your money if you spend more than approximately zero dollars on it.

    This is essentially the crux of what makes Let's Encrypt so great: it brings the cost of setting up HTTPS on most sites down to somewhere between "nothing" and "bugger all": you just run certbot and you are done.

    Before Let's Encrypt launched, most people running webservers would have understood this cost/benefit -- even though they may not have been exactly aware of it. I attended a presentation by Seth Schoen around a year before the launch where he said something like (paraphrasing from memory) "it currently takes about an hour to set up HTTPS on a website, and from asking server administrators why they weren't using HTTPS the answer was it was too much work". Those administrators were not stupid, they were right: it was too much work. They, quite rationally, would have more rewarding things to do with that hour.

  • (Score: 2) by FatPhil on Friday March 06 2020, @11:55AM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday March 06 2020, @11:55AM (#967365)
    This is digital security - you can parameterise it to be as strong as you want. And typically everyone chooses "so strong that every CPU or ASIC in the world won't be able to break this for decades, even assuming Moore's law continues unabated, except through an unimaginable fluke that wouldn't be expected to happen even in the known life of the universe".

    All costs above more than the amount of resources available are effectively equal to infinity, as there's no test that can be performed that can distinguish them.

    Of course there's the "attacks always improve" caveat, but that's more of an issue for the symmetric side, which tends to be renegotiated via the PKI side often enough that breaks would be very limited in scope, so the cost of the gains for the effort are diminished.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves