Domain: letsencrypt.org
Stories and comments across the archive that link to letsencrypt.org.
Comments · 103
-
Re:My certs expire every 30 days...
My god! I am not missing any point. Do you think that I renew my certs manually and that your provider is the only one to automate the process??? Of course not, I have a script in a cron job that takes care of it.
Again RTFM, here you go since that seems hard to understand for you:
-
Re:My certs expire every 30 days...
You can renew a lot more often. Renewals are only limited by the rate limits and these allow renewing even after you've hit the 20-certs-per-week limit for a domain. Acme-client on FreeBSD defaults to renewing every week, so even a few failures will not cause problems.
-
Re:Value?
How does it demonstrate that? Can you explain specifically what makes this better than self-signed certs? What is the basis of trust used to establish ownership? What prevents an attacker with access to a victim's wires from using LE to obtain fraudulent certificates?
Public key cryptography. The client has to satisfy both the domain control challenge, and sign a nonce provided by the CA. The domain control challenge establishes control over the domain. The signed nonce provides client identity verification.
-
Let's Encrypt FQDN requirement and rate limit
SSL is now completely free via Let's Encrypt.
Let's Encrypt requires a fully qualified domain name (FQDN) under a well-known top-level domain (TLD), not an IP address in RFC 1918 space or a name under a made-up TLD such as .local or .internal. So do all other CAs whose root certificates are included in Mozilla NSS, as a FQDN is one of the Baseline Requirements adopted by the CA/Browser Forum.
Domains are cheap.
Cheap enough for every head of household to buy and to continue to renew in perpetuity? Because buying a domain is the only way to get a certificate for hosts on your LAN that visitors' devices will trust, and a certificate is the only way you're going to satisfy the "Secure Contexts" requirement for recently introduced JavaScript APIs.
Free ones are available.
Namely?
If you're referring to subdomains offered by dynamic DNS providers, these providers have to be on Mozilla's Public Suffix List (PSL). If a domain isn't already on the PSL, and 20 other users of subdomains under the same domain have obtained certificates in the past week, Let's Encrypt will deny you a certificate, citing its rate limit policy. If a domain is on the PSL, each subdomain gets its own separate rate limiting bucket of 20 certificates per subdomain per week. In addition, submissions to the PSL must be made by the dynamic DNS provider as a pull request through GitHub.com, and use of GitHub.com requires running proprietary software written in JavaScript on your computer.
-
LE rate override vs. PSL add is probably a wash
"It takes a few weeks to process requests" according to Rate Limits. So I don't see how it'd necessarily be faster than a PSL addition.
-
Re:The following is going to happen.
Well, Let's Encrypt certificates are now going to be treated like self-signed certificates. Don't believe me? Just wait and see.
With both Mozilla and Google as "major sponsors" of Let's Encrypt listed on the front page, I don't see how this will happen any time soon. If Microsoft and Apple distrust Let's Encrypt for following the same CA/Browser Forum Baseline Requirements as every other certificate authority issuing domain-validated (DV) certificates, the only way to avoid a double standard would be to distrust all DV certificates. And as of today, the service formerly known as Hotmail appears to be using a DV certificate.
-
there still is a barrier to entry
Read: https://letsencrypt.org/2015/1...
While they do conclude that they don't see a role for CAs (DV certificates) in protecting against phishing... they do already look up domain names in the Google Safe Browsing API before issuing certificates.
From a purist point of view, the purpose of a certificate is to prove that you are talking to example.com, and not some other domain. Verifying that example.com is your bank and not registered by a scammer is not the purpose of a certificate.
That said, it seems they already are looking up in the Google Safe Browsing API, so at least there is some barrier to entry. And while I agree that it's not a CA's purpose to be internet police, I do hope that we'll see more best-effort protections to stem abuse. Granted, this sort of abuse is probably better fixed at registrar level.
-
Let's Encrypt
Just switch to Let's Encrypt and be done with it. It's better and it's free.
-
Another company affecting this
services such as Let's Encrypt and Cloudflare have made it free and easy to bring this security feature.
cPanel servers seem to be giving them out too now:
https://blog.cpanel.com/securi...
compared to Let's Encrypt:
https://letsencrypt.org/stats/
cP is probably even easier.
-
Enforce through Public Suffix List
Until ICANN requires those offering registrable subdomains of a domain registered in one of its gTLDs to pass the identity requirement through to their subscribers or risk getting kicked out of Mozilla's Public Suffix List and comparable lists within the ICANN-controlled .org gTLD. If your domain leaves the PSL, your subscribers won't have their cookies separated, nor will they be eligible for a healthy number of domain-validated TLS certificates from ACME CAs such as Let's Encrypt (source).
-
Re:And with StartCom dead...
You seriously haven't heard of letsencrypt.org?
-
Re:And with StartCom dead...
Let's Encrypt is still free, if their system will work for you, and Symantec is in the process of setting up something that seems similar over at FreeSSL. Otherwise, you can get cheap certs from Comodo and GoDaddy (yeah, their rep isn't great either, but it's just a binary file when you get right down to it) - ideally via one of their resellers who will offer lower prices, and the prices go up from there. Another approach is to shop around for a suitable VPS or other hosting bundle that includes a certificate in the price, which can often work out quite cost effective. Finally, if you fit the criteria, there are some commercial vendors that offer free certificates to non-profits - e.g. GlobalSign's offer of a free certificate for OSS projects.
-
Re:And with StartCom dead...
My webhost offers FREE SSL certificates through Let's Encrypt or you can roll your own. There's also a paid SSL certificate option.
-
Re:And with StartCom dead...
... it's a racket for SSL authorities who charge for their certs. Unless you want to install onerous ACME software on your server. Suckage.
-
Re:My personal web site does not support HTTPS
Ever heard of https://letsencrypt.org/ ?
-
Re: Alternatives?
The security aspect (in regards to revocation) of shorter keys is nice, but encouraging automation to make widespread HTTPS use easy is the whole point of Let's Encrypt. It shouldn't be a surprise that they set cert lifetimes to encourage automation.
Without automation, deploying secure sites is a pain: administrators have to go through tedious, error-prone manual work that the typical mom & pop business or individual website won't bother with. This maintains the status quo, with not many sites being secure.
With automation, the user who otherwise wouldn't deploy HTTPS simply clicks a button on their web host management interface and Presto!, their site has a cert. (Alternatively, HTTPS could be enabled by default for them, as it is with WordPress.com-hosted sites.) For more technical administrators, a simple command-line tool and a cronjob take care of things in seconds. Easy, and it promotes a more secure web.
There's nothing magical about 90 day certs, and the timing was chosen to be short enough to encourage automation while being long enough to allow for manual renewal if needed. Indeed, they even say, "Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes." That's fine with me: it's no skin off my back if they start making certs only valid for a week or two, as a daily cronjob manages everything.
Of course, your mileage may vary and you have your preferences. That's totally fine -- I too use non-LE certs for some internal services where automation isn't really viable -- and nobody's forcing you to use their service. It's a free internet, after all, and there's other CAs to choose from.
-
Re:Reasonable (free or non-free) Alternatives?
I don't know of any one-stop-shop (certificate issuance and backup MX service are pretty orthogonal to each other), but there's plenty of CAs out there that will issue you certificates.
This Comodo reseller sells PositiveSSL certs for ~$5/year with a validity time up to 3 years. That's about as cheap as you can get. They also offer (for the next few weeks, at least) GeoTrust, Symantec, and Thawte certs, but the costs for those are higher and they'll stop selling them in December. Comodo offers free S/MIME certs that validate only your email address, as well as paid ones that validate your email and name (if it matters). The paid ones start at $12/year.
Of course, Let's Encrypt is a good option: the certs are free and you can run any of a multitude of ACME clients (or write your own) to validate your domain, generate the key (which is made by and stays on your system), request the certificate, and install the certificate. A simple cronjob handles renewals without any interaction from you. That makes life really easy. They don't do S/MIME certs, though.
-
Re:Outrageous
It is so over the top to stop trusting them "for evermore" because of this that it makes me think they're trying to corner the free SSL cert marker with Let's Encrypt.
To what end? Let's Encrypt has gotten some funding from Mozilla and others, but otherwise is a separate entity run by the ISRG.
Since they don't sell any certificates (they're all free of cost) and running the service ends up costing lots of money (about $3m/year, they say), what motive would they have for "corner[ing] the free SSL cert marke[t]"?
Nothing's preventing anyone else from starting a free CA.
-
Shared hosting and subdomains
Let's Encrypt, motherfucker.
ACME CAs such as Let's Encrypt have practical problems in the following situations:
A. The website is hosted on shared hosting, and the shared host offers no way to automatically run Certbot or another ACME client to request and install a certificate. There exist ACME clients that run without superuser privilege, but a provider may offer no way for subscribers to automate uploading a certificate obtained through an ACME client. Until very recently, for example, WebFaction required you to manually file a support ticket every time. And for Let's Encrypt, this would be less than two months.
B. The owner of a domain allows users to sign up for subdomains. Let's Encrypt does not offer wildcard certificates and severely limits how many certificates can be issued under a particular domain in one week (source). This has already caused problems, for example, for operators of dynamic DNS services who want to make certificates available to their subscribers.
Stop babbling about client certs.
Why?
-
Damnit, I'm on Startcom
Guess I need to get my certs moved over to someone else. Fortunately there's some other free options that look promising.
-
Re:Installing root CA to browse shared files on NA
Hell, Let's Encrypt makes it a matter of downloading a program on Windows, Linux or Mac and running it. You could do that for a subdomain.dyndns.org if you could really be bothered.
As described in this post on Let's Encrypt forums, trying that would produce the following error:
Error: rateLimited
:: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: dyndns.org
Only five customers of a particular dynamic DNS provider can obtain certificates from Let's Encrypt in any 7-day window unless the provider applies to join the Public Suffix List, which can take weeks and can be refused.
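The rate-limit behaviour the posts above describe (the rateLimited error for a provider that is not on the Public Suffix List, the per-registered-domain weekly bucket from the PSL discussion, and the renewal exemption mentioned earlier in the thread) modelled as a small Python checker. This is an added example, not Let's Encrypt's code; the PSL subset, the dyn.example provider, the hostnames and the issuance log are all constructed for it.

```python
"""Model of per-registered-domain certificate rate limiting.

Added illustration only, not Let's Encrypt's implementation. The
registered domain is the label directly below the longest matching
Public Suffix List (PSL) entry; a provider that is NOT on the PSL shares
one bucket with all of its customers, a provider that IS on the PSL gives
every customer a bucket of their own.
"""
from datetime import datetime, timedelta

# Constructed PSL subset. "dyndns.org" is deliberately not listed, so every
# customer hostname under it lands in the same bucket; the constructed
# "dyn.example" stands in for a provider that has been added to the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "dyn.example"}

WINDOW = timedelta(days=7)
LIMIT = 20  # certificates per registered domain per week, as quoted above


def registered_domain(hostname):
    """Label directly below the longest matching public suffix.
    Wildcard and exception PSL rules are omitted for brevity."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {hostname}")


def is_renewal(log, names):
    """An order for exactly the same name set as an earlier certificate is
    a renewal; the thread notes renewals still work after the limit is hit."""
    wanted = frozenset(n.lower() for n in names)
    return any(frozenset(n.lower() for n in issued) == wanted
               for _, issued in log)


def certs_in_window(log, domain, now):
    """Certificates issued within WINDOW that cover any name under
    `domain`; a multi-name certificate counts once."""
    return sum(
        1 for when, issued in log
        if now - when < WINDOW
        and any(registered_domain(n) == domain for n in issued)
    )


def check_order(log, names, now):
    """Decide whether a certificate for `names` may be issued.
    Returns (allowed, message); the message mimics the error in the post."""
    if is_renewal(log, names):
        return True, "renewal: per-domain limit not applied"
    for domain in sorted({registered_domain(n) for n in names}):
        if certs_in_window(log, domain, now) >= LIMIT:
            return False, ("Error: rateLimited :: Error creating new cert :: "
                           f"Too many certificates already issued for: {domain}")
    return True, "ok"


def demo():
    """Constructed issuance log: 20 recent certs under each provider plus
    one old cert that falls outside the 7-day window."""
    now = datetime(2016, 1, 15, 12, 0)
    log = [(now - timedelta(days=d % 6, hours=d), [f"user{d}.dyndns.org"])
           for d in range(20)]
    log += [(now - timedelta(days=d % 6), [f"user{d}.dyn.example"])
            for d in range(20)]
    log.append((now - timedelta(days=30), ["old.dyndns.org"]))
    return {
        "new_under_dyndns": check_order(log, ["user99.dyndns.org"], now),
        "renewal_under_dyndns": check_order(log, ["user3.dyndns.org"], now),
        "new_under_psl_provider": check_order(log, ["user99.dyn.example"], now),
    }


if __name__ == "__main__":
    for label, (allowed, msg) in demo().items():
        print(f"{label}: {'allowed' if allowed else 'blocked'} ({msg})")
```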
-
Re:Free and Easy.
Because of rate limiting, Let's Encrypt works only if you buy your own domain and dynamic DNS hosting. So if you sell a million appliances, you end up with a million users who each have to buy and renew a domain and buy and renew a dynamic DNS hosting plan.
-
Let's Encrypt is rate limited
a particular application that is free software or otherwise distributed without charge.
For the DIY stuff you already can just use Let's Encrypt. [...] contributing button push "Make sure the machine has an actual FQDN then press this button" one click SSL setup
The "Make sure the machine has an actual FQDN" is the hard part. Each user of an application will have to buy a domain, keep the domain renewed, buy dynamic DNS service for that domain to publish the required TXT record, and keep the dynamic DNS service renewed. Many domain registrars bundle basic DNS service with domain registration, but it's often not dynamic; a user has to edit the zone file through a web form. The application's developer can't just buy its own domain, give subdomains to users, and let all users of that application obtain certificates for those subdomains, because of the rate limit of Let's Encrypt. This means that if an application gets a million users, a million domains will need to be registered, which breaks the "distributed without charge" constraint.
It's the difference between the person whose WiFi network is named "I Can't Even" and the person whose WiFi network is named "FooCom-E5B206". The latter person probably doesn't even know what an ESSID is, and doesn't care how to change it, but auto-naming is better than the situation where every other WiFi network is called "Netgear".
But who would pay for the renewal of foocom-e5b206.net after the device's warranty expires?
-
Re:TLS
Too bad nobody provides simple to install and manage certs for free that don't require a dedicated IP address then. https://letsencrypt.org/
-
Re:HTTPS only. Again.
You'll probably want a nice domain name for your app anyway, so running an internal DNS server is going to be desired anyway.
Are you referring to a model in which the publisher of the app registers a domain, such as myapp.example, and allows the app's users to obtain certificates for subdomains inside *.users.myapp.example? That'd fail as soon as the app gets at least 20 new installs per week (source: Let's Encrypt Rate Limits).
Or are you referring to a model in which each person who installs the app buys his or her own domain and sets up his or her own dynamic DNS server, making said server public so that Let's Encrypt can issue the certificate?
-
Re:So what?
Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport
...meaning they caught a lot of non-Republicans in their little "sting operation". All in all, a non-news story. I'm sure they were really hoping that they'd find 10% of the people looking at porn, or something more salacious. Why call out porn and dating apps in the first place?
All this proves is that we really need encryption everywhere, and that we need to make sure it's turned on by default, so that ordinary users don't have to think about it too much (because let's face it - that will never happen). Eventually, anything that's NOT encrypted should signal a warning to the user, although the transition will need to be gradual. Services like Let's Encrypt are slowly eroding any excuses not to make everything secure by default.
-
Re:Because it's a scam
In the case of these people, it's to pretend that you need them WAY more than you actually do.
Not really. There are multiple reasons why long term certs are bad: https://letsencrypt.org/2015/1...
Manual renewal is a bad habit.
-
Re:Still depends on gcc? Still needs root?
You need to prove to Let's Encrypt that you own the domain. For that you have to add a special file to a special place inside the HTTP-accessible part of the website. This special file can only be added by root. Other than that, there are multiple ACME clients available; if you don't like one, you can use others as well.
-
Re:Question to the Network Guys
There is no reason to run HTTP and not HTTPS for your website traffic. If you can't buy a cert, then you can't really afford to have a website.
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
-
IdenTrust also not widely supported
The Let's Encrypt intermediate certificates are cross-signed by IdenTrust, an established CA. From which major web browser's default certificate store is IdenTrust missing?
-
Re:oh yeah google?
Have you heard of Let's Encrypt? It wasn't started by Google, but they're a supporter through Chrome. Let's Encrypt just issued its millionth free certificate, with those million certs covering 2.4 million domains.
-
Re:Congrats Slashdot!
You know what is good about HTTPS these days:
- HTTP/2 using HTTPS is faster than HTTP/1.x without HTTPS and it's getting easier to deploy it. For example by using the H2O webserver ( https://h2o.examp1e.net/ ) as a proxy, it comes with built in SSL/TLS library for easier deployment and support for replicating sessions.
HTTPS itself is becoming easier to deploy and manage:
- HTTPS doesn't need a dedicated IP-address any more (older browsers/operating systems had problems with the HTTPS equivalent of 'virtual hosts'):
https://en.wikipedia.org/wiki/...
- certificates are available for free with an automatic request and renewal system. So no more messing around, you can automate it. -> with Let's Encrypt Beta: https://letsencrypt.org/ and for example with acmetool: https://hlandau.github.io/acme....
There are finally ways to fight the silly CA-system, not completely, but things are improving.
For regular visitors on a site you can add headers which will prevent an other CA issuing a rogue certificate for your site.
https://developer.mozilla.org/...
-
Re:Examining the certificate
-
Re:Google and non-SSL site warnings
"...cannot be upgraded to SSL in a practical manner"
Um, why would that be? I'm having trouble imagining.
Once upon a time, getting an SSL certificate cost $100 or so; installing an SSL certificate was a pain. Still, for any sort of web server with commercial intent, the costs and effort were negligible. I manage a site for a very small company, and it has used SSL for years. Ok, maybe it wasn't worth it for a hobbyist site.
As of a couple of months ago, with LetsEncrypt, the excuses are all gone. For the company I mentioned, I moved to LetsEncrypt this year. Even though the project is still officially in beta, getting and installing the certificate was totally painless - completely automatic. It was also free, as in beer. What possible reason is there, not to put SSL on every web server out there?
Ok, two reality checks:
- LetsEncrypt does not yet have an automatic renewal process. They believe in short-lived certificates, and at the moment that means that you have to manually renew your certificates every 3 months. That problem should be resolved in the next couple of months.
- Likely, many shared-hosting ISPs are not yet set up for LetsEncrypt. Some may even resist, because they make money selling SSL certs. A bit of market pressure should solve that problem, and likely will by the end of 2016.
Encrypt everything: your internet connection, your hard disks, your cat, everything. Not only for your own security, but also as your small contribution to the fight against overreaching governments.
-
Re:Now isn't that special
It appears at least a few people have had luck with using it on Windows here, but the results certainly appear mixed and no official clients are offered.
I've not touched a Windows server since the days of 2k (and never ran SSL on it), so... I can't really provide much useful assistance I'm afraid.
-
Google sponsors Let's Encrypt
Next, only content signed by "trusted" CA's?
Let's Encrypt is a trusted certificate authority. And I don't see that going away any time soon, as the division of Google responsible for Chrome is a platinum sponsor of Let's Encrypt.
-
Re:Now isn't that special
Free certificates can now be gotten via https://letsencrypt.org/. It's still in public beta, but functional. For help on how to set up encryption, LetsEncrypt's client can take care of a few web servers, but for more specific instructions you would need to disclose what web server software you're using.
-
Re:Why we cannot have nice things..
To be approved for inclusion in pretty much any reputable application, a CA has to conform to the requirements laid out by the CA/Browser forum; see https://cabforum.org/wp-conten... -- you'll note that Section 9.6.3, bullet 5 requires the ability for the domain holder to request revocation. Let's Encrypt conforms to these requirements. While ACME requires specific authentication material to perform automatic revocation, there's a manual process in place.
From https://letsencrypt.org/reposi... : "To report private key compromise, certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to certificates, please email cert-prob-reports@letsencrypt.org."
Basically, all LE's policy says is "We're not going to make a unilateral decision about whether the content someone is hosting on their own domain is legitimate, for that way lies madness. If a domain owner needs a cert revoked, and they can't use the automated tools to revoke it, they need to send an email, and we'll take care of it as soon as we can verify that they're the rightful owner of the domain."
I'm not sure it gets much more reasonable than that.
-
They could be death convulsions.
We may be getting to the point where Mozilla, as an organization, is suffering from death throes.
As an organization, maybe they know that Firefox, their only successful product, is on its way out. It's being rejected by the market. The changes Mozilla has made to it over the past several years have been near-universally despised, and their competitors have been getting better and better. Nobody wants to use Firefox when they can get a much better experience by using Chrome, Safari, and even modern versions of IE.
Maybe they also know that none of their other efforts have seen much success. Firefox OS is a total failure. Thunderbird has pretty much been abandoned. Firefox for Android and Persona have been ignored. Rust took forever to get a 1.0 release out, and we're already seeing the hype surrounding it pretty much die off completely, now that people realize it isn't all that useful and that C++ is still a better choice. Servo is a toy, at best. Bugzilla is a relic. Let's Encrypt keeps getting delayed, from "Summer 2015" to "Mid-2015" to "September 2015" to "Q4 2015" as of today.
Then there are the political shenanigans, like how they ganged up on Brendan Eich. Nobody should have to lose his job, voluntarily or involuntarily, and regardless of his sexual orientation, merely because of his beliefs regarding marriage. I don't know what came of it, but I also remember hearing about some executive there getting worked up about some comments that were posted at reddit from an alleged Mozilla employee.
So amid this uncertainty, we see organizational flailing. We see them grasping here and there, trying to remain relevant. Yet this clearly isn't working, because of the lack of focus, and because all of this flailing totally ignores what current and potential users actually want and need.
I think it would be a shame if Mozilla became irrelevant like, say, Netscape did. But then again, maybe that wouldn't be such a bad thing. Maybe it would allow them the rebirth they need. A return to their earlier days, when they produced actually-usable versions of Firefox, instead of spinning their wheels endlessly like they seem to be doing these days.
-
Re:Automated security
the daemon will connect from your http server IP, and the Let's Encrypt server will check that the daemon IP
-
Re:Grand opening!
Can you just request certificate signing from them, though?
It looks like they really want to run their software on your server. Software which, while open source, has access to much of your system and a continuous connection to their server.
-
Re:StartSSL ?
letsencrypt doesn't plan on offering wildcard certs initially. They may do so later.
Why this /. post links to a no-name news website instead of https://letsencrypt.org/ I don't know... that information was readily available in their FAQ.
-
Re:Wait a minute...
What about development though? You want to go through the PITA of setting up HTTPS for every development site?
The plan is to make it not a PITA.
This also stops you using Wireshark for seeing what data is actually being transmitted.
Turn on tracing in Apache, nginx or your browser, and continue to see exactly what data is transmitted.
-
Re:What about servers run from home ?
I suspect that Let's encrypt is related to that issue.
-
Linux foundation using MS Word?!?
The draft of the "Let's Encrypt" Certificate Policy is available in PDF here: https://letsencrypt.org/ISRG-C... Note that the PDF document's title is "Microsoft Word". I find that rather unusual for the Linux Foundation! Wasn't LibreOffice or some other Linux-available office suite good enough to write that document? I'm surprised that they are using a Windows desktop for everyday tasks such as document editing.
-
Re:Linux only, as usual.
This is specifically about making it easy to offer an encrypted web site - so "Linux only" will mean it's available for the majority of websites in the world.
Unfortunately there seems to be a huge disconnect between what the Slashdot summary and linked article claims and what the actual Linux Foundation web page states is the goal (making encrypted websites easy to deploy). This is a much less ambitious project than the submitter thinks it is.
-
They are working on it
The technical people are actually working on this problem:
1. make it super easy to encrypt all websites:
https://letsencrypt.org/
2. In the long run:
"Marking HTTP As Non-Secure"
https://www.chromium.org/Home/...
And many, many more improvements.
-
Cost of an IPv4 address for SNI-ignorant clients
Is for free cheap enough? https://letsencrypt.org/
Not if you run a small site that doesn't yet have its own dedicated IPv4 address, and you have to serve older clients that lack support for Server Name Indication, such as Internet Explorer on Windows XP, Android Browser on Android 2.x, and urllib2 on Python 2. SNI-ignorant clients can see only the first certificate on port 443 of a given IP address, not certificates associated with other hostnames on virtual hosting. A subjectAltName certificate works only if all listed hosts share the same owner, and this is unlikely on shared hosting. So you'll have to lease an IPv4 address for your site, and we're pretty much out of those.
-
Re:Stupid
CPU and power increase for encryption is negligible for most sites.
The real cost is getting a certificate from a site that the browser will recognize.
Those are expensive, especially if you want a site for a hobby or a supplemental income.
StartSSL offers completely free-of-cost certificates that are widely recognized by browsers to individuals and non-commercial sites. $60/year gets you an ID-verified account and the ability to offer unlimited certificates (they only charge for the validation, certificates are free). A second $60 ($120 total) gets your organization verified, again with the ability to issue unlimited certs.
Let's Encrypt, run by the EFF, will be offering free certificates (starting in 2015) with an easy automatic validation and installation system that makes the technical side of deploying certs super easy.
If, for some reason, that's not satisfactory, Comodo resellers like NameCheap offer PositiveSSL certs for less than $9/year. That's less than a beer at the local bar.
The financial cost of getting a certificate is essentially negligible.