
posted by cmn32480 on Thursday December 03 2015, @09:33PM
from the start-the-source-review-in-3....2....1..... dept.

EFF's "Let's Encrypt" Enters Public Beta

As of today, invitations are no longer needed to get a free certificate signed by the EFF's Let's Encrypt CA.

The user guide explains several options for the process, ranging from automatically setting up SSL for Apache or Nginx (support for Nginx is still experimental), to a manual process for those who would rather not run the installer as root.

Let's Encrypt CA issues short lived certificates (90 days), which shouldn't be a problem with a sufficiently automated renewal process. It looks like wildcard certificates won't be issued anytime soon (if at all), but you can get certificates that are good for multiple subdomains.

"Let's Encrypt" Project Enters Public Beta

The Electronic Frontier Foundation and Mozilla-backed Let's Encrypt certificate authority has now entered Public Beta:

So if you run a server, and need certificates to deploy HTTPS, you can run the beta client and get one right now. If you have any questions, you can get answers on community.letsencrypt.org.

We've still got a lot to do. This launch is a Public Beta to indicate that, as much as today's release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes many features including options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, postfix, exim, or dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling. And of course, if you have some Python coding knowledge, you can come and help us reach those objectives.

A fully encrypted Web is within reach. Let's Encrypt is going to help us get there.

The Register reports:

The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.

Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft's Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.

Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that's it.

[...] Full documentation is here and a quick start guide is here.


Original Submission #1, Original Submission #2

 
  • (Score: 1, Funny) by Anonymous Coward on Thursday December 03 2015, @09:46PM

    by Anonymous Coward on Thursday December 03 2015, @09:46PM (#271572)

    Great, now I can trust these random people with my secure data instead of trusting random people with my secure data!

    • (Score: 1, Interesting) by Anonymous Coward on Thursday December 03 2015, @09:50PM

      by Anonymous Coward on Thursday December 03 2015, @09:50PM (#271574)

      But the others cost money

      • (Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:01PM

        by Anonymous Coward on Thursday December 03 2015, @10:01PM (#271579)

        Yeah but the other guys charging some money is probably a good thing. If there is a small (or even tiny) cost for it, then it isn't as likely to be abused by some kind of super spam/auto creation job.

        I took a (VERY QUICK) look and didn't see how/if they have any mechanism to prevent someone from seeking a cert for say www.bankofamerica.com and using it to help build a copycat site which will not warn about untrusted certs for anyone trusting these guys as a CA. Do they have something to prevent that?

        • (Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:11PM

          by Anonymous Coward on Thursday December 03 2015, @10:11PM (#271584)

          They do: It's called quantum computing. Ever heard of it?

        • (Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:15PM

          by Anonymous Coward on Thursday December 03 2015, @10:15PM (#271585)

          Is this really a valid concern?

          • (Score: 2) by edIII on Thursday December 03 2015, @10:34PM

            by edIII (791) on Thursday December 03 2015, @10:34PM (#271595)

            Absolutely not.

            Any CA, that isn't run by complete morons, is going to require proof of domain ownership. Something not difficult to do when all that is required is the technical (or administrative?) contact for the domain be accurate. I'd imagine it works similar to other CAs where you have a limited number of authentication options, all of which verify ownership. Renewals can most likely be automated without too much effort if the cert was already approved before.

            I would be completely shocked if the Let's Encrypt group was operating like that. Going to have to label that as F.U.D.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 2, Informative) by Anonymous Coward on Thursday December 03 2015, @11:02PM

              by Anonymous Coward on Thursday December 03 2015, @11:02PM (#271603)

              They do [letsencrypt.org] and not FUD, just a little misinformed.

        • (Score: 4, Informative) by J053 on Thursday December 03 2015, @11:33PM

          by J053 (3532) <dakineNO@SPAMshangri-la.cx> on Thursday December 03 2015, @11:33PM (#271615) Homepage
          The Let's Encrypt people verify the domain in one of 2 ways (maybe more, but I've used both of these). For one method, they run a little standalone web server on the machine and verify that they can connect to it. So, unless you can hijack DNS, to get a cert for www.bankofamerica.com they would open a connection to https://www.bankofamerica.com [bankofamerica.com] and find it is not their client, and refuse to issue a cert. I discovered this when I forgot to shut down my webserver before requesting a cert.

          The other method can be used with a live web server, and simply involves writing a file into the DocumentRoot. For this method to work, you have to run the tool as root (actually, come to think of it, that probably applies to the first method, too). Then they just retrieve that file - if it works, the domain ownership is verified.

          They actually have thought about this....
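The file-in-DocumentRoot check described in the comment above, as an added example that is not part of the original thread and is not Let's Encrypt's code. It is a simplified in-memory model: `ToyCA`, `WebServer`, `publish` and the `.example` names are hypothetical, the path is modelled on the ACME HTTP challenge, and binding the token to a hash of the account key is a simplification of how ACME ties the response to the requester.

```python
import hashlib
import hmac
import secrets

CHALLENGE_DIR = "/.well-known/acme-challenge/"  # path used by ACME's HTTP challenge


class WebServer:
    """A web server reduced to its DocumentRoot: URL path -> file body."""

    def __init__(self):
        self.docroot = {}

    def get(self, path):
        return self.docroot.get(path)  # None stands in for a 404


def key_authorization(token, account_key):
    """Bind the token to the requesting account (simplified: hex SHA-256 of the key)."""
    return token + "." + hashlib.sha256(account_key).hexdigest()


class ToyCA:
    """Hypothetical CA-side validator for the 'write a file, CA fetches it' method."""

    def __init__(self, dns):
        self.dns = dns      # the CA's own view of DNS: name -> WebServer
        self.pending = {}   # (account_key, domain) -> one-time token

    def new_challenge(self, account_key, domain):
        token = secrets.token_urlsafe(32)
        self.pending[(account_key, domain)] = token
        return token

    def validate(self, account_key, domain):
        token = self.pending.pop((account_key, domain), None)  # single use
        server = self.dns.get(domain)
        if token is None or server is None:
            return False
        # The CA fetches from whatever server the name resolves to,
        # not from a server chosen by the requester.
        body = server.get(CHALLENGE_DIR + token)
        if body is None:
            return False
        expected = key_authorization(token, account_key)
        return hmac.compare_digest(body.encode(), expected.encode())


def publish(server, token, account_key):
    """Client side: write the challenge response into a DocumentRoot."""
    server.docroot[CHALLENGE_DIR + token] = key_authorization(token, account_key)


def demo():
    # Constructed sample world: two names, two servers, two account keys.
    bank_server, other_server = WebServer(), WebServer()
    ca = ToyCA({"bank.example": bank_server, "other.example": other_server})
    bank_key, other_key = b"constructed-key-A", b"constructed-key-B"
    results = {}

    # 1. Whoever operates the server behind bank.example can answer.
    t = ca.new_challenge(bank_key, "bank.example")
    publish(bank_server, t, bank_key)
    results["operator"] = ca.validate(bank_key, "bank.example")

    # 2. Another party requests bank.example but can only write to its own server.
    t = ca.new_challenge(other_key, "bank.example")
    publish(other_server, t, other_key)
    results["no_control"] = ca.validate(other_key, "bank.example")

    # 3. Tokens are single use: validating again without a new challenge fails.
    results["reuse"] = ca.validate(bank_key, "bank.example")

    # 4. A response file made for one account does not validate another.
    t = ca.new_challenge(other_key, "other.example")
    publish(other_server, t, bank_key)
    results["wrong_account"] = ca.validate(other_key, "other.example")
    return results


if __name__ == "__main__":
    print(demo())
```

The check proves control of the server a name resolves to at validation time, which is the property the replies below go on to debate.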
          • (Score: 2) by Non Sequor on Friday December 04 2015, @12:32AM

            by Non Sequor (1005) on Friday December 04 2015, @12:32AM (#271633) Journal

            Doesn't that verification model amount to "pwnership=ownership"?

            --
            Write your congressman. Tell him he sucks.
            • (Score: 2, Interesting) by Anonymous Coward on Friday December 04 2015, @12:41AM

              by Anonymous Coward on Friday December 04 2015, @12:41AM (#271635)

              > Doesn't that verification model amount to "pwnership=ownership".

              Of course it does. What do you think about Let's Encrypt makes it more vulnerable to that than any other certificate authority? If you pwn bankofamerica.com you can serve any malware you want from bankofamerica.com even with their multi-thousand dollar certs...

              • (Score: 2) by Non Sequor on Friday December 04 2015, @02:54AM

                by Non Sequor (1005) on Friday December 04 2015, @02:54AM (#271668) Journal

                If you deploy your attack directly on the bankofamerica.com server, it's more likely to be shut down quickly and any private keys that you had access to will be revoked. If instead, you use the opportunity to just get a Let's Encrypt certificate, it may be easier to hide. The fact that Let's Encrypt issued a certificate to bankofamerica.com will be public knowledge, but for all anyone knows, that just means that Bank of America IT was evaluating using Let's Encrypt for some purpose.

                If you have control of a DNS server for a network with a lot of users (maybe a well trafficked public wifi spot), you could direct bankofamerica.com traffic to your own server, running a man in the middle attack on real content from the real bankofamerica.com. The users will punch in their account info, which you can log, and they shouldn't notice anything's wrong unless they check the cert and think that it's fishy that bankofamerica.com has a Let's Encrypt cert, so you can run the attack indefinitely with minimal risk. Maybe you're running this attack on a wide variety of websites based on a collection of certificates you've quietly amassed.

                Maybe I've missed something that prevents that attack, but it just seems like a certificate tied to any particular domain is a relatively valuable asset, whereas short term control of a web server may not be a high enough hurdle. What I think is a high enough hurdle, is if certificates are only given out after verifying that some trusted entity thinks that the entity applying for the cert exists and some confirmation that the person who is making the application isn't Jim the temp.

                --
                Write your congressman. Tell him he sucks.
                • (Score: 0) by Anonymous Coward on Friday December 04 2015, @06:08AM

                  by Anonymous Coward on Friday December 04 2015, @06:08AM (#271704)

                  > If instead, you use the opportunity to just get a Let's Encrypt certificate, it may be easier to hide.

                  No different than snatching BoA's cert while you are on their server.

                  > Maybe I've missed something that prevents that attack

                  Cert pinning.

                • (Score: 0) by Anonymous Coward on Friday December 04 2015, @05:54PM

                  by Anonymous Coward on Friday December 04 2015, @05:54PM (#271878)

                  To get a Let's Encrypt certificate for bankofamerica.com, you have to be able to serve arbitrary requests from that domain name to Let's Encrypt's servers. That is a bit more difficult than poisoning a WiFi network.

      • (Score: 3, Insightful) by theluggage on Thursday December 03 2015, @10:23PM

        by theluggage (1797) on Thursday December 03 2015, @10:23PM (#271591)

        > But the others cost money

        ...no, there are free ones from legitimate providers around (e.g. StartSSL [startssl.com]) and all they really do is check that you have access to the server by sending an email to webmaster for that domain (which is a pain if webmaster has its spam filters set to maximum). As far as I can tell, "Lets Encrypt" achieves just as much security by establishing that you have enough access to the server to run their client.

        Quite honestly, these days, if you're doing anything moderately sensitive (e.g. taking payments) you should shell out for an extended validation certificate that shows your identity in the toolbar. Free certs are for people who just want to enable https (especially those who moan about the way modern browsers quite rightly discourage users from accepting self-signed certs).
         

        • (Score: 1, Insightful) by Anonymous Coward on Thursday December 03 2015, @10:54PM

          by Anonymous Coward on Thursday December 03 2015, @10:54PM (#271599)

          > Quite honestly, these days, if you're doing anything moderately sensitive (e.g. taking payments) you should shell out for an extended validation certificate that shows your identity in the toolbar. Free certs are for people who just want to enable https (especially those who moan about the way modern browsers quite rightly discourage users from accepting self-signed certs).

          Exactly this. I've been keeping an eye on this project for just this reason. I'm a Mechanical Engineer by training, but double as the "IT guy" at a small business. I have practically zero formal training in IT, just years of being the go-to guy for people with computer problems. That's really all this company needs and can afford. Most of my computer skills are self learned from stumbling thru and doing things just to see if I can. Our small business website is quite simple - what do we do and how to contact us. No products to sell, no customer logins of any kind, no credit card numbers, etc. I'd like to enable https on our IIS webserver, but I know the bossman would say "hell no" if I asked for money for a formal cert. I believe some encryption is better than no encryption, so this is a great first step for small sites that want something more than a standard http site but have no real need for a high end certificate.

        • (Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:58PM

          by Anonymous Coward on Thursday December 03 2015, @10:58PM (#271600)

          Discouraging a self-signed cert is fine. Doing so while not warning about how insecure plain HTTP is, is not.

          Allowing unauthenticated HTTP to go without scrutiny allows a MITM to do things like: strip the SSL and fake the "secure" padlock with a favicon.

          • (Score: 2) by Pino P on Friday December 04 2015, @01:28AM

            by Pino P (4721) on Friday December 04 2015, @01:28AM (#271650) Journal

            Browsers warn about unknown CAs but not about clear HTTP because their architects prefer a true sense of insecurity to a false sense of security.

            • (Score: 0) by Anonymous Coward on Friday December 04 2015, @08:28AM

              by Anonymous Coward on Friday December 04 2015, @08:28AM (#271723)

              You can do https without showing the padlock. You can put a line across the word "https" like Chrome. And Firefox, which by default doesn't even show the protocol anymore could simply treat self-signed https exactly like it treats plain http.

              But of course that would not do anything to encourage corporate greed.

    • (Score: 3, Informative) by edIII on Thursday December 03 2015, @10:17PM

      by edIII (791) on Thursday December 03 2015, @10:17PM (#271586)

      Trust? Never trust anyone beyond what your security protocols allow.

      Security is provided in layers. A free CA is better than no CA any day. I think what people objected to (I do), are the hundreds of dollars that CAs demand for a certificate, and never actually deliver all of that value. If Let's Encrypt gets hacked (which it probably will at some point) then the readily apparent saving grace was that it was free. A good deal of the major CAs have all been hacked in recent memory, and are on the defensive as much as any enterprise. The biggest and most secure CA (or CA-like) corporation got pwned; RSA, the principals of which invented modern encryption protocols. Not easily either. A large amount of brain power (state sponsored brain power) was used to analyze the RSA attack for vulnerabilities. So it's going to be extremely difficult to convince me that any corporation is effectively immune to attacks.

      The real question is do you want to trust random people in Group A asking you for hundreds of dollars, or random people in Group B who ask for none and openly state they only wish for you to be secure? Considering the groups of people and talent behind the Let's Encrypt people, I'm going to believe they can provide me at least the same level of security as Comodo, NameCheap, etc. All for free too, which may actually allow small businesses to become protected.

      Other than the primary web presence, most of my clients in the last 20 years have declined to spend hundreds of dollars to remove the "nuisance/nagware" messages coming from their web browsers. I literally had a client tell me, "You're crazy if you think I'm spending $500 to get rid of some nag messages on Firefox". I've spent a huge amount of time deliberately weakening security by allowing "untrusted" and self-signed security certs in various platforms. Anything with a trusted cert is usually provided by SaaS vendors and not in-house. Anything that I've protected lately has simply been because I can do it for $10 per year and I set it up without the client's knowledge, or my attempt to sell something they don't believe is worth it.

      Regardless of how trustworthy you feel they are, unless you directly accuse them of being criminals, it's rather foolish to deny their offer of a CA for all of your systems and unprotected client systems for free. Have you gone through all of the steps, time, effort, and great skill to set up your own CA? I doubt it. I'm considering an in-house CA for a protected internal network, and it's not a trivial pursuit by any means.

      Let's Encrypt is a really simple proposition: Let's Encrypt everything. I agree.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2, Insightful) by Anonymous Coward on Thursday December 03 2015, @11:50PM

      by Anonymous Coward on Thursday December 03 2015, @11:50PM (#271619)

      > Great, now I can trust these random people with my secure data instead trusting random people with my secure data!

      This project is not about securing data. Nobody should expect that.

      It is about frustrating the NSA and their fellow travelers -- the idea is to get as much network traffic encrypted as possible. Previously they've operated with the goal of "sniff it all, collect it all, know it all, process it all, exploit it all." [commondreams.org] This initiative is intended to make that first step much less practical for them while being cheap to implement for everybody else.

      It won't be a panacea, far from it. The NSA has surely been working on countermeasures and they literally have billions to throw at the problem. But the status quo has to change and this is one part of that change.

    • (Score: 2) by TheLink on Friday December 04 2015, @03:44AM

      by TheLink (332) on Friday December 04 2015, @03:44AM (#271686) Journal

      1) Hardly anyone in the business really cares that much about security[1]. All they want is some security or appearance of it, and no stupid browser warnings. LetsEncrypt potentially provides this.
      2) The truth is the far bigger risk is from the site getting hacked or "compelled" and then all the data and transactions are at risk, not just your transactions.

      Analogy: HTTPS/TLS are the vans transporting cash to/from the "Banks". The "Banks" are the sites you use - which could be Soylent, Google, Facebook or websites of real banks. Often it makes sense to attack the Bank than to attack the vans, especially when in most cases the vans are harder to crack than the Banks.

      From what I see while it might be easier for a hostile Government to pwn your Facebook connection than pwn Facebook, it's much easier for that Gov to pwn your browser/device/computer connected to Facebook, and more likely for a hacker to pwn your bank or browser instead of MITMing your connection. And in the case of Facebook and similar, quite often a Gov can request/pay Facebook to hand over the data: https://govtrequests.facebook.com/ [facebook.com]
      https://govtrequests.facebook.com/country/United%20States/2015-H1/ [facebook.com]
      https://www.google.com/transparencyreport/userdatarequests/ [google.com]
      https://www.google.com/transparencyreport/userdatarequests/US/ [google.com]

      [1] If people really did care web browsers would have a better version of Certificate Patrol's feature - which warns users of suspicious certificate changes.

      And the affected people would make a bigger fuss about this problem: http://www.proper.com/root-cert-problem/ [proper.com]

      In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings. This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certification authority as untrusted unless the user turns off the Windows component that controls this feature.

      Note: Windows Vista works quite differently than Windows XP SP2 in this regard, and has significant but different problems with Microsoft-trusted root certificates: the user cannot mark them as untrusted. The differences between the two versions of Windows are covered in the last section.

      What are the odds some entity controlled by a Gov that might be hostile or turn hostile has a cert signed by Microsoft? To me this is a far better argument about Windows being insecure than the usual ignorant arguments that "Unix/Linux style security is better". Windows is not really easier to pwn by hackers than Linux, the problem with Windows is it is pre-pwned ;).

      I believe Google Chrome on Windows uses the same cert infra as IE, Firefox doesn't. Google protects itself (its sites) with cert pinning, so tell me how much does Google actually care about user security?

      • (Score: 1, Informative) by Anonymous Coward on Friday December 04 2015, @09:40AM

        by Anonymous Coward on Friday December 04 2015, @09:40AM (#271744)

        And the vast majority of attacks will continue to be on the individual users, who have less security on their computers, and when their computer is infected with a trojan, neither HTTPS nor any security measures on the server side will be helpful; the only thing that then can still provide security is if a separate, non-compromised item is involved in the transaction.

  • (Score: 3, Insightful) by blackhawk on Thursday December 03 2015, @10:23PM

    by blackhawk (5275) on Thursday December 03 2015, @10:23PM (#271593)

    I'm an indie dev working on a project that will take me years to complete. Some parts would benefit from having SSL encrypted back ends I can access and test on. Now, I could get test certs, I could pay for multiple certs / year or one that covers *.mydomain.com, or I could just jump in and use this service on any machine / domain at no cost.

    There's literally no downside for someone like me, and plenty of upside.

    • (Score: 0, Troll) by Anonymous Coward on Thursday December 03 2015, @11:20PM

      by Anonymous Coward on Thursday December 03 2015, @11:20PM (#271610)

      > I'm an indie dev working on a project that will take me years to complete.

      Translation: I'm an 'indie' '''dev''' who will give up after a few months of development.

      • (Score: 2) by blackhawk on Friday December 04 2015, @10:58AM

        by blackhawk (5275) on Friday December 04 2015, @10:58AM (#271759)

        I've already been working on this project for over 2 years. I have no illusions about what I am doing and no problems finding the motivation to continue.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday December 03 2015, @11:41PM

      by Anonymous Coward on Thursday December 03 2015, @11:41PM (#271618)

      > There's literally no downside for someone like me, and plenty of upside.

        If you are just doing dev work you can use self-signed certs. You'll get a scary warning the first time you load the page but once you've told your browser to accept the self-signed cert everything will just work. This system relies on their software being in near constant contact with the Let's Encrypt project's servers which is a lot more fragile.

      • (Score: 1) by xav on Friday December 04 2015, @03:11AM

        by xav (5579) on Friday December 04 2015, @03:11AM (#271673)

        > You'll get a scary warning the first time you load the page

        Unless they import their CA certificate into their browser.

      • (Score: 2) by blackhawk on Friday December 04 2015, @11:06AM

        by blackhawk (5275) on Friday December 04 2015, @11:06AM (#271761)

        Six of one, half a dozen of the other. The certs last 90 days, so hopefully the process won't be too "fragile". I can't see a good reason for "constant contact", but perhaps you can elaborate on that aspect.

        It's worth remembering, that I am lead dev and usually also the admin, and anything that lowers the amount of time I have to spend dicking around with admin stuff is a win. I do have to work with others, often ones with few PC skills beyond the DCC tools, so a solution that is totally transparent will likely save me a few hours every time I spin up a new service e.g. source control, test web services, remote back ends, whatever.

  • (Score: 4, Funny) by Thexalon on Thursday December 03 2015, @10:39PM

    by Thexalon (636) on Thursday December 03 2015, @10:39PM (#271596)

    I feel a great disturbance in the 'Net, as if thousands of schlock Certificate Authorities cried out in terror and were suddenly silenced.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 0) by Anonymous Coward on Friday December 04 2015, @11:36AM

    by Anonymous Coward on Friday December 04 2015, @11:36AM (#271766)

    I wonder how long it will take them to add Windows support, if they ever bother.

  • (Score: 0) by Anonymous Coward on Friday December 04 2015, @02:57PM

    by Anonymous Coward on Friday December 04 2015, @02:57PM (#271804)

    Just give me a manual option FFS...

    If their requirement for running some program on the server catches on then it will just be a matter of time before all the CAs start doing it that way. Seriously, what is their objection to providing a simple manual option like EVERY OTHER CA? Damnit, EFF! I usually like you guys...

    • (Score: 2) by theluggage on Friday December 04 2015, @04:57PM

      by theluggage (1797) on Friday December 04 2015, @04:57PM (#271853)

      > Just give me a manual option FFS...

      What, like this? [readthedocs.org]

      • (Score: 0) by Anonymous Coward on Sunday December 06 2015, @10:24AM

        by Anonymous Coward on Sunday December 06 2015, @10:24AM (#272440)

        That still requires you to install the app but not necessarily on the target server... How about they provide a web page like every other CA?