SoylentNews is people
SoylentNews
from the start-the-source-review-in-3....2....1..... dept.
EFF's "Let's Encrypt" Enters Public Beta
As of today, invitations are no longer needed to get a free certificated signed by the EFF's Let's Encrypt CA.
The user guide explains several options for the process, ranging from automatically setting up SSL for Apache or Nginx (support for Nginx is still experimental), to a manual process for those who would rather not run the installer as root.
Let's Encrypt CA issues short lived certificates (90 days), which shouldn't be a problem with a sufficiently automated renewal process. It looks like wildcard certificates won't be issued anytime soon (if at all), but you can get certificates that are good for multiple subdomains.
"Let's Encrypt" Project Enters Public Beta
The Electronic Frontier Foundation and Mozilla-backed Let's Encrypt certificate authority has now entered Public Beta:
So if you run a server, and need certificates to deploy HTTPS, you can run the beta client and get one right now. If you have any questions, you can get answers on community.letsencrypt.org.
We've still got a lot to do. This launch is a Public Beta to indicate that, as much as today's release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes may features including options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, postfix, exim, or dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling. And of course, if you have some Python coding knowledge, you can come and help us reach those objectives.
A fully encrypted Web is within reach. Let's Encrypt is going to help us get there.
The Register reports:
The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.
Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft's Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.
Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that's it.
[...] Full documentation is here and a quick start guide is here.
(Score: 1, Interesting) by Anonymous Coward on Thursday December 03 2015, @09:50PM
BUt the others cost money
(Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:01PM
Yeah but the other guys charging some money is probably a good thing. If there is a small (or even tiny) cost for it, then it isn't as likely to be abused by some kind of super spam/auto creation job.
I took a (VERY QUICK) look and didn't see how/if they have any mechanism to prevent someone form seeking a cert for say www.bankofamerica.com and using it to help build a copycat site which will not warn about untrusted certs for anyone tryusting these guys as a CA. Do they have something to prevent that?
(Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:11PM
They do: It's called quantum computing. Ever heard of it?
(Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:15PM
Is this really a valid concern?
(Score: 2) by edIII on Thursday December 03 2015, @10:34PM
Absolutely not.
Any CA, that isn't run by complete morons, is going to require proof of domain ownership. Something not difficult to do when all that is required is the the technical (or administrative?) contact for the domain be accurate. I'd imagine it works similar to other CAs where you have a limited number of of authentication options, all of which verify ownership. Renewals can most likely be automated without too much effort if the cert was already approved before.
I would be completely shocked if the Let's Encrypt group was operating like that. Going to have label that as F.U.D.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2, Informative) by Anonymous Coward on Thursday December 03 2015, @11:02PM
They do [letsencrypt.org] and not FUD, just a little misinformed.
(Score: 4, Informative) by J053 on Thursday December 03 2015, @11:33PM
The other method can be used with a live web server, and simply involves writing a file into the DocumentRoot. For this method to work, you have to run the tool as root (actually, come to think of it, that probably applies to the first method, too). Then they just retrieve that file - if it works, the domain ownership is verified.
They actually have thought about this....
(Score: 2) by Non Sequor on Friday December 04 2015, @12:32AM
Doesn't that verification model amount to "pwnership=ownership".
Write your congressman. Tell him he sucks.
(Score: 2, Interesting) by Anonymous Coward on Friday December 04 2015, @12:41AM
> Doesn't that verification model amount to "pwnership=ownership".
Of course it does. What do you think about Let's Encrypt makes it more vulnerable to that than any other certificate authority? If you pwn bankofamerica.com you can serve any malware you want from bankofamerica.com even with their multi-thousand dollar certs...
(Score: 2) by Non Sequor on Friday December 04 2015, @02:54AM
If you deploy your attack directly on the bankofamerica.com server, it's more likely to be shut down quickly and any private keys that you had access to will be revoked. If instead, you use the opportunity to just get a Let's Encrypt certificate, it may be easier to hide. The fact that Let's Encrypt issued a certificate to bankofamerica.com will be public knowledge, but for all anyone knows, that just means that Bank of America IT was evaluating using Let's Encrypt for some purpose.
If you have control of a DNS server for a network with a lot of users (maybe a well trafficked public wifi) spot, you could direct bankofamerica.com traffic to your own server, running a man in the middle attack on real content from the real bankofamerica.com. The users will punch in their account info, which you can log, and they shouldn't notice anything's wrong unless they check the cert and think that it's fishy that bankofamerica.com has a Let's Encrypt cert, so you can run the attack indefinitely with minimal risk. Maybe you're running this attack on a wide variety of websites based on a collection of certificates you've quietly amassed.
Maybe I've missed something that prevents that attack, but it just seems like a certificate tied to any particular domain is a relatively valuable asset, whereas short term control of a web server may not be a high enough hurdle. What I think is a high enough hurdle, is if certificates are only given out after verifying that some trusted entity thinks that the entity applying for the cert exists and some confirmation that the person who is making the application isn't Jim the temp.
Write your congressman. Tell him he sucks.
(Score: 0) by Anonymous Coward on Friday December 04 2015, @06:08AM
> If instead, you use the opportunity to just get a Let's Encrypt certificate, it may be easier to hide.
No different than snatching BoA's cert while you are on their server.
> Maybe I've missed something that prevents that attack
Cert pinning.
(Score: 0) by Anonymous Coward on Friday December 04 2015, @05:54PM
To get a Let's Encrypt certificate for bankofamerica.com, you have to be able to serve arbitrary requests from that domain name to Let's Encrypt's servers. That is a bit more difficult than poisoning a WiFi network.
(Score: 3, Insightful) by theluggage on Thursday December 03 2015, @10:23PM
BUt the others cost money
...no, there are free ones from legitimate providers around (e.g. StartSSL [startssl.com]) and all they really do is check that you have access to the server by sending an email to webmaster for that domain (which is a pain if webmaster has its spam filters set to maximum). As far as I can tell, "Lets Encrypt" achieves just as much security by establishing that you have enough access to the server to run their client.
Quite honestly, these days, if you're doing anything moderately sensitive (e.g. taking payments) you should shell out for an extended validation certificate that shows your identity in the toolbar. Free certs are for people who just want to enable https (especially those who moan about the way modern browsers quite rightly discourage users from accepting self-signed certs).
(Score: 1, Insightful) by Anonymous Coward on Thursday December 03 2015, @10:54PM
Quite honestly, these days, if you're doing anything moderately sensitive (e.g. taking payments) you should shell out for an extended validation certificate that shows your identity in the toolbar. Free certs are for people who just want to enable https (especially those who moan about the way modern browsers quite rightly discourage users from accepting self-signed certs).
Exactly this. I've been keeping an eye on this project for just this reason. I'm a Mechanical Engineer by training, but double as the "IT guy" at a small business. I have practically zero formal training in IT, just years of being the go-to guy for people with computer problems. That's really all this company needs and can afford. Most of my computer skills are self learned from stumbling thru and doing things just to see if I can. Our small business website is quite simple - what do we do and how to contact us. No products to sell, no customer logins of any kind, no credit card numbers, etc. I'd like to enable https on our IIS webserver, but I know the bossman would say "hell no" if I asked for money for a formal cert. I believe some encryption is better than no encryption, so this is a great first step for small sites that want something more than a standard http site but have no real need for a high end certificate.
(Score: 0) by Anonymous Coward on Thursday December 03 2015, @10:58PM
Discouraging a self-signed cert is fine. Doing so while not warning about how insecure plain HTTP is not.
Allowing unauthenticated HTTP go without scrutiny allows a MITM to do things like: strip the SSL and fake the :"secure" padlock with a favicon.
(Score: 2) by Pino P on Friday December 04 2015, @01:28AM
Browsers warn about unknown CAs but not about clear HTTP because their architects prefer a true sense of insecurity to a false sense of security.
(Score: 0) by Anonymous Coward on Friday December 04 2015, @08:28AM
You can do https without showing the padlock. You can put a line across the word "https" like Chrome. And Firefox, which by default doesn't even show the protocol anymore could simply treat self-signed https exactly like it treats plain http.
But of course that would not do anything to encourage corporate greed.