Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Thursday December 03 2015, @09:33PM   Printer-friendly
from the start-the-source-review-in-3....2....1..... dept.

EFF's "Let's Encrypt" Enters Public Beta

As of today, invitations are no longer needed to get a free certificated signed by the EFF's Let's Encrypt CA.

The user guide explains several options for the process, ranging from automatically setting up SSL for Apache or Nginx (support for Nginx is still experimental), to a manual process for those who would rather not run the installer as root.

Let's Encrypt CA issues short lived certificates (90 days), which shouldn't be a problem with a sufficiently automated renewal process. It looks like wildcard certificates won't be issued anytime soon (if at all), but you can get certificates that are good for multiple subdomains.

"Let's Encrypt" Project Enters Public Beta

The Electronic Frontier Foundation and Mozilla-backed Let's Encrypt certificate authority has now entered Public Beta:

So if you run a server, and need certificates to deploy HTTPS, you can run the beta client and get one right now. If you have any questions, you can get answers on community.letsencrypt.org.

We've still got a lot to do. This launch is a Public Beta to indicate that, as much as today's release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes may features including options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, postfix, exim, or dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling. And of course, if you have some Python coding knowledge, you can come and help us reach those objectives.

A fully encrypted Web is within reach. Let's Encrypt is going to help us get there.

The Register reports:

The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.

Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft's Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.

Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that's it.

[...] Full documentation is here and a quick start guide is here.


Original Submission #1Original Submission #2

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Non Sequor on Friday December 04 2015, @12:32AM

    by Non Sequor (1005) on Friday December 04 2015, @12:32AM (#271633) Journal

    Doesn't that verification model amount to "pwnership=ownership".

    --
    Write your congressman. Tell him he sucks.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2, Interesting) by Anonymous Coward on Friday December 04 2015, @12:41AM

    by Anonymous Coward on Friday December 04 2015, @12:41AM (#271635)

    > Doesn't that verification model amount to "pwnership=ownership".

    Of course it does. What do you think about Let's Encrypt makes it more vulnerable to that than any other certificate authority? If you pwn bankofamerica.com you can serve any malware you want from bankofamerica.com even with their multi-thousand dollar certs...

    • (Score: 2) by Non Sequor on Friday December 04 2015, @02:54AM

      by Non Sequor (1005) on Friday December 04 2015, @02:54AM (#271668) Journal

      If you deploy your attack directly on the bankofamerica.com server, it's more likely to be shut down quickly and any private keys that you had access to will be revoked. If instead, you use the opportunity to just get a Let's Encrypt certificate, it may be easier to hide. The fact that Let's Encrypt issued a certificate to bankofamerica.com will be public knowledge, but for all anyone knows, that just means that Bank of America IT was evaluating using Let's Encrypt for some purpose.

      If you have control of a DNS server for a network with a lot of users (maybe a well trafficked public wifi) spot, you could direct bankofamerica.com traffic to your own server, running a man in the middle attack on real content from the real bankofamerica.com. The users will punch in their account info, which you can log, and they shouldn't notice anything's wrong unless they check the cert and think that it's fishy that bankofamerica.com has a Let's Encrypt cert, so you can run the attack indefinitely with minimal risk. Maybe you're running this attack on a wide variety of websites based on a collection of certificates you've quietly amassed.

      Maybe I've missed something that prevents that attack, but it just seems like a certificate tied to any particular domain is a relatively valuable asset, whereas short term control of a web server may not be a high enough hurdle. What I think is a high enough hurdle, is if certificates are only given out after verifying that some trusted entity thinks that the entity applying for the cert exists and some confirmation that the person who is making the application isn't Jim the temp.

      --
      Write your congressman. Tell him he sucks.
      • (Score: 0) by Anonymous Coward on Friday December 04 2015, @06:08AM

        by Anonymous Coward on Friday December 04 2015, @06:08AM (#271704)

        > If instead, you use the opportunity to just get a Let's Encrypt certificate, it may be easier to hide.

        No different than snatching BoA's cert while you are on their server.

        > Maybe I've missed something that prevents that attack

        Cert pinning.

      • (Score: 0) by Anonymous Coward on Friday December 04 2015, @05:54PM

        by Anonymous Coward on Friday December 04 2015, @05:54PM (#271878)

        To get a Let's Encrypt certificate for bankofamerica.com, you have to be able to serve arbitrary requests from that domain name to Let's Encrypt's servers. That is a bit more difficult than poisoning a WiFi network.