Slashdot Mirror


The EFF's 'Let's Encrypt' Plans Wildcard Certificates For Subdomains (letsencrypt.org)

Long-time Slashdot reader jawtheshark shares an announcement from the EFF's free, automated, and open TLS certificate authority at LetsEncrypt.org: Let's Encrypt will begin issuing [free] wildcard certificates in January of 2018... A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.
58% of web traffic is now encrypted, Let's Encrypt reports, crediting in part the 47 million domains they've secured since December of 2015. "Our hope is that offering wildcards will help to accelerate the Web's progress towards 100% HTTPS," explains their web page, noting that they're announcing the wild card certificates now in conjunction with a request for donations to support their work.


  1. Frosty pi... oh no.. by gibbsjoh · · Score: 0

    Damn, I thought I was going to get first post AND call out a dupe, but damnit I was beaten!

    1 out of 2 ain't bad.

    "Haven't we seen this story before?"

    -JG

    --
    -- "...I'm a bad guy because I, well, I sing some rock-and-roll songs." M. Manson
    1. Re:Frosty pi... oh no.. by Anonymous Coward · · Score: 1

      Been using wildcard certs for over a decade. Why is this news?

      If they want to improve things change it so a company only needs to buy for one top level domain (mycompany.com) and any depth of subdomains from that can use the cert (mycompany.com, test.mycompany.com, env1.qa.mycompany.com, etc...).

    2. Re: Frosty pi... oh no.. by dougdonovan · · Score: 1

      100% https...3 times...Internet, Intranet & Extranet supported via VPN...gotta keep the vendors happy.

    3. Re: Frosty pi... oh no.. by Anonymous Coward · · Score: 0

      Yep, 42% is more secure. (not trolling, btw)

      Think about it. Seriously, think about it.

    4. Re:Frosty pi... oh no.. by tepples · · Score: 2

      I think the news is that you won't have to spend beaucoup bucks per year for such a certificate.

    5. Re: Frosty pi... oh no.. by Anonymous Coward · · Score: 0

      Can't do that, a multi-level wildcard is a limitation of https itself. Upgrade the RAM!
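      An added example, not from this thread: a hostname matcher implementing the single-label wildcard rule the replies above are arguing about, plus a helper that works out which names a certificate would need to cover the hostnames from the mycompany.com comment. The hostnames and SAN list are constructed sample input, and the public-suffix check real CAs apply is omitted.

```python
def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """Does one certificate name (CN or SAN dNSName) cover hostname?
    Browser rules (RFC 6125 s6.4.3, CA/Browser Forum Baseline Requirements):
    the wildcard must be the whole leftmost label, it stands in for exactly one
    label, and it never matches the bare parent domain. The public-suffix check
    that stops names like *.co.uk is omitted here."""
    cert, host = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return cert == host                      # plain name: exact match only
    if cert[0] != "*" or any("*" in label for label in cert[1:]):
        return False                             # f*.example.com or *.*.example.com
    if len(cert) < 3:
        return False                             # *.com would cover a whole TLD
    return len(host) == len(cert) and host[1:] == cert[1:]


def covered_by(cert_names, hostname):
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def names_needed(hostnames):
    """The set of names a certificate needs under the one-label rule when each
    subdomain level is covered by its own wildcard: hosts at depth >= 3 get
    *.<their parent>, shallower hosts need their exact name."""
    needed = set()
    for h in hostnames:
        labels = _labels(h)
        needed.add("*." + ".".join(labels[1:]) if len(labels) >= 3 else ".".join(labels))
    return sorted(needed)


# Constructed sample: the three hosts from the comment above and a cert that
# carries both the base domain and a single-level wildcard as SANs.
HOSTS = ["mycompany.com", "test.mycompany.com", "env1.qa.mycompany.com"]
CERT_SANS = ["mycompany.com", "*.mycompany.com"]


def coverage_report(cert_names=CERT_SANS, hostnames=HOSTS):
    """Map each hostname to whether the certificate covers it."""
    return {h: covered_by(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    for host, ok in coverage_report().items():
        print(host, "covered" if ok else "NOT covered")
    print("names needed:", names_needed(HOSTS))
```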

  2. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  3. Good stuff by DaMattster · · Score: 1

    I just don't see why it has to wait until January of 2018 to implement.

    1. Re: Good stuff by Zero__Kelvin · · Score: 1

      Because they have to implement the support and test it. I'm sure they would love to sprinkle magic faerie dust and it would just work, but that isn't how technology works ... unless you are Agile. Agile is magic faerie dust.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: Good stuff by Excelcia · · Score: 0

      openssl ca -cert ourcertificate.crt -keyfile ourkey.key -in request.csr -out issuedcertificate.crt

      It's not magic. It's actually pretty easy. In fact, if anything, they will be ripping out functionality. Since openssl (which they are almost assuredly using on the back end) doesn't give a wet snap about wildcard domains, they will have had to make their UI filter them out. Any one of us could do the UI change in a day.

      No, the lead-in time isn't technical, it's likely marketing. Wildcard certificates are the one thing we all want - I get mine from cacert, which is less than ideal considering they have been dragging their feet for years. They are using that demand to generate revenue (donations). So they give a six month lead-in, increase the hype, give time to get the word out and whet people's appetite.

    3. Re: Good stuff by Zero__Kelvin · · Score: 1

      That was the most stupid and uninformed post I have seen in quite some time. Check out (clone) the certbot code and look at it. You will start to see why you look like such a fool right now to anyone with a clue.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  4. Re: SSL-certificates used to mean more than encryp by Anonymous Coward · · Score: 1

    Let's call such certificates EV certificates

  5. Do you have any idea what you're talking about?! by Anonymous Coward · · Score: 2, Informative

    Sorry, I have to ask, are you just playing dumb in some failed attempt to be "funny" or "sarcastic", or are you really just ignorant about how these sorts of digital certs actually work?

    Are you really unaware of the differences between Domain Validated Certificates and Extended Validation Certificates? Are you unaware of how they're obtained? Are you unaware of how modern browsers indicate the use of such certificates to the browser's user?

    I really hope you're just trying to joke around, but failed miserably.

  6. Re:Do you have any idea what you're talking about? by Anonymous Coward · · Score: 0

    Just so you know, in both Chrome and Firefox both DVCs and EVCs will show up as green lock icons.

    " Are you unaware of how modern browsers indicate the use of such certificates to the browser's user? "

    Oh, and Donald Trump is a fucking traitor, so there's that.

  7. Free certificates... by __aaclcg7560 · · Score: 0

    I pay $15 per month for VPS web hosting at DreamHost and get "Let's Encrypt" certificates for free on my domains and subdomains. Other options included self-signed (free) and Comodo (paid) certificates.

    1. Re:Free certificates... by i.r.id10t · · Score: 1, Redundant

      Seems you like overpaying. linode.com has a similar vps for $5/mo. $10/mo doubles that...

      --
      Don't blame me, I voted for Kodos
    2. Re:Free certificates... by qubezz · · Score: 1

      You can also go away, advertising. Anybody can get Let'sEncrypt certificates for free for their domain, that's the whole point.

    3. Re:Free certificates... by spire3661 · · Score: 1

      Amazon Lightsail, and Digital Ocean both offer $5/mo tiers as well. (20 GB SSD, 512 MB RAM, 1 TB transfer).

      --
      Good-bye
    4. Re:Free certificates... by Anonymous Coward · · Score: 0

      Yeah but if you click on me website link to subscribe to dreamhost I get more revenue stream. Please visit me website and click on dreamhost link. You also get free certificates!
      -cremier
      Please visit me website and click dreamhost link! https://www.cdreimer.com/slash...

  8. Re: SSL-certificates used to mean more than encryp by Anonymous Coward · · Score: 0

    LOL at the ignorance.

    EV certificates are your extra tier.

    EFF = Electronic Frontier Foundation. I don't see them risking their credibility by freely providing back doors.

    You've clearly never applied for a LE certificate if you think they don't check anything.

    I can only assume you're trolling.

  9. 90 day certificates by Anonymous Coward · · Score: 0

    What the fuck is the point of the ridiculously short expiry? Was it done that way just to inflate the numbers of certs issued just for stories like this?

    It just makes no sense. Wastes time and energy.

    They could easily "accelerate the Web's progress towards 100% HTTPS" - by fucking issuing certificates with a sensible expiry.

    Yes, where I have used them I have automated the renewal process, but still what the fuck is the point of wasting my time with that shit?

    Letsencrypt will continue to lack any credibility until they abandon this retarded policy.

    1. Re:90 day certificates by fluffernutter · · Score: 1

      Obviously these certs aren't as secure as other certs, and the purpose of the short expiry is to put a hard limit on any exposure to 90 days. I agree it's annoying and this is why I haven't made an attempt to use these certs yet. Although being able to create a wildcard cert is interesting indeed. At least I will only need to have one cert reissued every 90 days instead of five.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:90 day certificates by chispito · · Score: 1

      Yes, where I have used them I have automated the renewal process, but still what the fuck is the point of wasting my time with that shit?

      I'm trying to figure out how an automated process wastes your time. Can you explain?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    3. Re:90 day certificates by bill_mcgonigle · · Score: 1, Troll

      Letsencrypt will continue to lack any credibility until they abandon this retarded policy.

      Dude, you are lacking credibility here if you don't understand why long-lived certs are a problem for security. For small businesses, the main reason not to do a short cert, given letsencrypt's cron jobs, is for a wildcard cert, which is expensive, and now that is being solved. For personal websites, wildcards are generally not used. Enterprises have the option of syncing their client and server certs, for authentication purposes, or buying a long-lived cert.

      FYI, Google can afford whatever it wants and has been using 90-day certs for a while too. You should write to them and tell them they lack credibility on Internet security. :P

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re: 90 day certificates by Anonymous Coward · · Score: 0

      Setting up the automation is a tedious manual process, unless you're running an extremely basic web server setup. Even then there is always the chance of the automation breaking in some way. It's worth spending a few bucks to get a cert that expires well into the future, and not having to worry about automation.

    5. Re:90 day certificates by bill_mcgonigle · · Score: 2

      At least I will only need to have one cert reissued every 90 days instead of five.

      There are certainly some cluster-type cases where a wildcard will be handy, but in general people have used wildcard certs to make key management easier. Now that we have cron jobs/an API to do key management, I am more inclined to have multiple certs running all over the place, to isolate a break. CAA and DANE records integrated with Let's Encrypt will smooth over the potential downsides of everybody having tons of certs.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:90 day certificates by Anonymous Coward · · Score: 2, Insightful

      The reason for short-lived certificates is that certificate revocation does not work and is broken beyond repair.

    7. Re:90 day certificates by fluffernutter · · Score: 1

      Obviously you don't work in a corporate environment that is totally isolated from the internet. Both outgoing and incoming traffic are not allowed unless absolutely necessary. Certainly no cron jobs allowed to pull things down when they like.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    8. Re:90 day certificates by FrankHaynes · · Score: 1

      *I* have such systems deployed and would love to read your solution for this problem of isolated/insular nets that require Internet access for authentication.

      --
      slashdot: A failed experiment.
    9. Re: 90 day certificates by Anonymous Coward · · Score: 0

      It doesn't work because google decided the time that is needed for revocation checking (the whole 300ms of it) is making the users perceive chrome being slow, and oh noes they had to outpiss Firefox for the user perception of fastest browser.

    10. Re: 90 day certificates by Brockmire · · Score: 1

      A fucking cron job is tedious? Seriously? It's copy and paste for fuck sakes. The only problem I have is reusing the certs in programs where you paste the cert and key instead of pointing to the files. One of these days I'll figure out the sed syntax and do that through an automatic post-processing script when renewing certs automatically. It'll take 5 minutes to google the sed syntax and test it out. Maybe 10 and reused on many servers. Tedious? Umm, no.

    11. Re:90 day certificates by fuzzyfuzzyfungus · · Score: 2

      Isn't an isolated network that you have exclusive control over pretty much an ideal case for using your own root?

      CAs are a necessary evil when you expect to deal with 3rd parties, because they've managed to get themselves trusted by a variety of vendors and you haven't; but if it's all your stuff, you can set it to trust your root and call it a day.

    12. Re:90 day certificates by Anonymous Coward · · Score: 0

      Well maybe someone should also tell Google that it is unfair that they get to use self-signed certs while everybody else is not allowed to.

    13. Re:90 day certificates by Anonymous Coward · · Score: 0

      It's only annoying if you ignore all the tools for automating the issuing of certificates and do it manually.

    14. Re:90 day certificates by Anonymous Coward · · Score: 0

      Such an environment is irrelevant to a discussion about renewing letsencrypt certificates. Letsencrypt is for internet facing hosts. The automated verification process requires reachability. If you're isolated from the internet, create your own CA certs and push them out to the clients, or pay someone to do a labor intensive sneakernet audit of your legitimacy before issuing certificates to you.

    15. Re: 90 day certificates by guruevi · · Score: 1

      300ms? That's for the network latency on some CAs alone. Checking revocation, if at all possible since many CAs simply don't have the infrastructure up and running, can take several seconds to verify the entire chain, which often contains 3-5 chained certificates; if the CA doesn't respond, this could easily be a full minute before your certificates have been verified, without even a proper response on the condition.

      If Google were concerned about latency, they could simply do the lookups on their end and cache the results.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    16. Re: 90 day certificates by guruevi · · Score: 2

      In those cases any outside certificates are useless since you can't verify trust. You only need to have an internal CA system for those sorts of setups.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    17. Re:90 day certificates by Anonymous Coward · · Score: 0

      I wish they'd do a better job of publicizing that. I've found that Claws Mail seems to have a real hard time dealing with the changed certificates, and figuring out if the new ones are legit is a pain. Whereas with Thunderbird, it never seems to notice that there's a new cert, which seems a bit suspicious.

    18. Re: 90 day certificates by Anonymous Coward · · Score: 0

      (Not the same AC)

      Setting up automated Let's Encrypt renewal is really easy in a single-server setup. I've been involved in setting up LE automation for dynamic distributed multi-site multi-server systems and in those cases LE is not particularly simple and easy to use. It's doable. I've done it and it works. But it's far from just running the acme client and you're done.

    19. Re: 90 day certificates by Anonymous Coward · · Score: 0

      (and to clarify, multi-site in that context means multiple geographically separated and not always fully connected sites)

    20. Re: 90 day certificates by hawkinspeter · · Score: 2

      I prefer the break-early model of LetsEncrypt. Set up your test system with free LetsEncrypt certs and then test the cron script (one-liner) for renewing. Also, the certbot client has a dry-run feature so you can check what it's going to do if you do want to do proper testing.

      With long expiry dates, you'll never get around to automating renewal and then you'll probably forget all about it and/or move to a different job and not care. Someone is then left with a ticking time-bomb of embarrassment for a domain cert running out and probably no available test system (oh, that service hasn't been touched since Fred left - no we don't know how to re-create it for test).

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    21. Re: 90 day certificates by Anonymous Coward · · Score: 0

      Fucking cron doesn't exist anymore in systemd land, you have to use a fucking timer script and a fucking service script.

  10. CNN is fake news by Anonymous Coward · · Score: 0

    Death to CNN. Long live the new flesh.

  11. Re:Do you have any idea what you're talking about? by Anonymous Coward · · Score: 0

    Just so you know, in both Chrome and Firefox both DVCs and EVCs will show up as green lock icons.

    You neglected to mention that additional information is shown right next to the lock icon for EV certs. For example, both browsers can show a company or organization name, followed by a country code.

    It makes sense to show both lock icons as green. In both cases the connection is encrypted, which is perhaps the most basic level of "security" within this context.

    It also makes sense to indicate that EV connections provide slightly more certainty by showing some additional information, such as an organization name and country code.

    I don't know what point you're trying to make, but it's likely a load of bullshit.

  12. Re:Do you have any idea what you're talking about? by Anonymous Coward · · Score: 0

    It's likely you missed the point, yes.

  13. Re:Do you have any idea what you're talking about? by Anonymous Coward · · Score: 0

    Are you really unaware of the differences between Domain Validated Certificates and Extended Validation Certificates? Are you unaware of how they're obtained? Are you unaware of how modern browsers indicate the use of such certificates to the browser's user?

    I suspect the majority of browser users are unaware of those things.

  14. What the fuck are you talking about?!?!?! by Anonymous Coward · · Score: 2, Informative

    Although being able to create a wildcard cert is interesting indeed. At least I will only need to have one cert reissued every 90 days instead of five.

    LOL! It's very clear that you have never actually used Let's Encrypt. It supports the subject alt name extension so that one cert can be used for multiple hosts.

    Fuck, just look at Slashdot's cert, if you're browsing this site using HTTPS. The Let's Encrypt provided cert I'm seeing used here has a CN of slashdot.org, but it also supports these names:


    So I don't know what the fuck you're doing talking about "5 certs". You must not know, either!

    I know the quality of the people around here has really decreased over time, but you're taking it to a whole new level of incompetence.

    Please, at least have some small idea about what you're talking about before you start shitting out nonsense!

    1. Re:What the fuck are you talking about?!?!?! by fluffernutter · · Score: 1

      Feel free to go through my comments over the past years and feel free to point out anywhere I claimed I was an expert in anything, so I'm not going to apologize nor do your criticisms really register with me.

      Anyhow, the idiotic comments aside; that's interesting I will have to look into it. Perhaps this will help me with the $50 cert I currently have registered. I was under the mistaken assumption that wildcards were the only way to make it accept various hostnames. I assumed that it was limited in this way because it was the cheapest cert I could find.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:What the fuck are you talking about?!?!?! by Anonymous Coward · · Score: 0

      Look for a multi-domain cert. Not everybody sells them at any price. With some vendors it is single hostname or wildcard only. In some cases, a wildcard is actually cheaper.

    3. Re:What the fuck are you talking about?!?!?! by fluffernutter · · Score: 1

      I was ready to spend $50 CDN on a cert. Couldn't find anything multiple-hostname for that.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  15. Re:Do you have any idea what you're talking about? by Antique+Geekmeister · · Score: 1

    I'm afraid that to the average user, there is no difference. The little "green" label or "locked" icon continues to indicate that the certificate is valid, and the user has little reason, and not many resources, to verify that they are dealing with a validated but fraudulent SSL certificate. Even automated tools that mirror content, such as for git repositories or software repositories, can be fooled by such certificates.

  16. Re:Do you have any idea what you're talking about? by Antique+Geekmeister · · Score: 1

    > The little "green" label or "locked" icon continues to indicate that the certificate is valid

    I need to revise this. Some browsers provide additional indicators that a certificate has "extended validation". But the ordinary user simply does not care nor will they notice.

  17. Re:Do you have any idea what you're talking about? by toonces33 · · Score: 2

    The majority of browser users will click past any warnings about certificates without thinking about it. So I think you are correct.

  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  20. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  21. Good idea, but... by ErichTheRed · · Score: 1

    LetsEncrypt is a good idea because it makes certificates accessible to a wider range of users. I've been doing systems engineering work for quite a while, but haven't really concentrated on web stuff. When I got involved with a public-facing web project at work lately, I noticed there really is a lot to the TLS system and certificates once you get beyond internally-trusted certificates. Most places did the legwork for certificate acquisition years ago, but setting something up from scratch requires that you know a little bit about how things work, and it costs money. Even the cheap CAs want a few hundred for a wildcard certificate - so if LetsEncrypt allows people to use HTTPS by removing the cost factor, then this is a good move. They already make the issuing process much simpler than going through a traditional CA.

    The only thing I do see happening is the "regular" CAs charging more for real, verified certificates, and the whole trust factor possibly being diluted:
    - Real CAs that do validation will see that it's now free to get any kind of certificate and raise their prices...creating a kind of "trustworthy TLS" system in parallel with the "free and easy" one. It's reasonably easy to stand up a PKI and hand out certificates from a technical perspective, but the process around how the PKI is operated is the thing that actually creates trust.
    - The whole TLS system and the chain of trust is based on the fact that CAs don't just issue certificates to anyone who asks. This will probably force anyone wanting to do things like take payments into EV certificates where they previously could have gotten away with DV ones. DV certificates only validate that you have control over the domain, and EV ones are only issued after the CA does reasonable legwork to make sure you're an authority in your organization.

    1. Re:Good idea, but... by Anonymous Coward · · Score: 0

      Let's Encrypt /is/ a "real CA that does validation". Their ACME protocol (which is on the IETF Standards Track path, ie it will become an RFC with "Proposed Standard" at the top, and eventually years from now it'll say "Internet Standard" at the top) is about how the client requesting a certificate can prove their control over an Internet FQDN like www.example.com.

      Let's Encrypt's automated system is actually much better quality than the ad hoc validation systems which were in use at some of those "real CAs" you're talking about. In fact three of the "10 Blessed Methods" introduced to try to raise the bar on validation are deliberately based on how Let's Encrypt does it.

      Real world example: Earlier this year a famous CA discovered that an error in a script they'd written meant that they were counting a validation as "successful" if upon requesting http://www.example.com/$randomToken they got /any/ response which mentioned $randomToken, including a 404 saying "$randomToken not found". When it was pointed out that even with the bug "fixed" this method was hopelessly insecure they got rid of it entirely, so props for that, but until then it had been in this state for years.

      For comparison the Let's Encrypt validation that's most similar (ACME challenge http-01) requires that the server respond to http://www.example.com/.well-known/acme-challenge/$randomToken with a signed-JSON response proving that the server knew the private key used to make the certificate request.
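      An added example, not from this thread and not Let's Encrypt's or certbot's code: the key authorization an ACME http-01 client serves (RFC 8555 defines it as the token plus the account key's RFC 7638 JWK thumbprint, which is what binds the response to the private key behind the certificate request), with the CA-side check written two ways: the substring match the "famous CA" comment above describes, and the exact comparison ACME requires. The JWK coordinates and token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data):
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over only the required public members of the
    key, serialised with keys sorted lexicographically and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, account_jwk):
    """Body the client must serve at http://<host>/.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(account_jwk)


def new_token():
    """CA side: a fresh random token (RFC 8555 asks for at least 128 bits of entropy)."""
    return b64url(secrets.token_bytes(32))


def weak_validate(token, status, body):
    """The flawed check described in the comment above: any response that merely
    mentions the token passes, so a 404 page echoing the requested path 'succeeds'."""
    return token in body


def acme_http01_validate(token, account_jwk, status, body):
    """RFC 8555 s8.3: only a 200 response whose body (trailing whitespace stripped)
    exactly equals the key authorization for *this* account key passes."""
    if status != 200:
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip().encode("utf-8"), expected.encode("ascii"))


# Constructed placeholders: not real EC public keys, but the thumbprint and
# challenge logic depend only on the JSON members, so they serve as sample input.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate-for-the-legit-account",
               "y": "constructed-y-coordinate-for-the-legit-account"}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": "constructed-x-coordinate-of-some-other-account",
             "y": "constructed-y-coordinate-of-some-other-account"}
TOKEN = "constructed-token-Q8P1vH3kLm9ZtXw2RsY5aB"


def run_scenarios(token=TOKEN):
    """Replay the situations the thread describes and return what each check decides."""
    not_found = "<h1>404 Not Found</h1> /.well-known/acme-challenge/%s not found" % token
    good_body = key_authorization(token, ACCOUNT_JWK) + "\n"   # servers often append a newline
    forged = key_authorization(token, OTHER_JWK)               # right token, wrong account key
    return {
        "weak_accepts_404": weak_validate(token, 404, not_found),
        "acme_rejects_404": not acme_http01_validate(token, ACCOUNT_JWK, 404, not_found),
        "acme_accepts_real": acme_http01_validate(token, ACCOUNT_JWK, 200, good_body),
        "acme_rejects_other_key": not acme_http01_validate(token, ACCOUNT_JWK, 200, forged),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(name, ok)
```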

  22. Re:SSL-certificates used to mean more than encrypt by Anonymous Coward · · Score: 0

    CAs haven't been particularly trustworthy for a long time. How many times have we seen CAs compromised or acting in bad faith, such that the browsers had to issue patches removing them from their trusted lists?

    The whole idea of centralized certificate authorities is fundamentally broken.

  23. Let's Backdoor by Anonymous Coward · · Score: 0

    The first obvious concern is that agencies have these keys and can impersonate sites. Given domestic espionage, that wouldn't be a problem limited to these guys; no doubt every provider of certificates has been forced to hand over their root certificates to allow man-in-the-middle attacks.

    The next concern is that encrypted traffic masks alterations performed in man-in-the-middle attacks. That is, you can't tell by looking at the wire that Party A's and Party B's Google results page are not the same when they should be.

    We need to get away from web-of-trust and probably any of the current cipher suites too.

    1. Re:Let's Backdoor by Anonymous Coward · · Score: 0

      Such an impersonation attempt _unavoidably_ creates a paper trail.

      The NSA and similar agencies are all about _deniability_ which means they don't want a paper trail. It doesn't matter that you guess what they do, so long as you can never prove it. But with TLS certificates you'd be able to prove it because the whole edifice relies on signed documents, any of which would be evidence.

      So no, they probably aren't doing that.

  24. Re: Do you have any idea what you're talking about by Zero__Kelvin · · Score: 1

    The certificate guarantees that if you were trying to connect to fraud.com that you in fact connected to fraud.com and there is no man in the middle. It works as intended, you simply don't know what it does. No cert guarantees that once you connect to TrumpUniversity.biz Donnie won't screw you deeply.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  25. What about cacert.org? by bib1620 · · Score: 0

    Why not just fucking use cacert.org? Let's Encrypt does not give a running fuck who uses their certificates, even criminals, as they have already stated.

    1. Re:What about cacert.org? by Anonymous Coward · · Score: 0

      CAcert's root is not in the major browsers. This can be a disadvantage. Yeah, criminals can use Let's Encrypt but that is why they don't do any organization validation. If an e-commerce site is using a Let's Encrypt cert, don't buy from them.

    2. Re:What about cacert.org? by tepples · · Score: 1

      Why not just fucking use cacert.org?

      Last I heard is that they didn't have the finances to do the sort of third-party auditing that the CA/Browser Forum requires.

  26. Re:Do you have any idea what you're talking about? by mi · · Score: 1

    and Extended Validation Certificates

    This is great, I had no idea, these existed... Thanks.

    ... failed miserably

    The word "miserably" is overused.

    --
    In Soviet Washington the swamp drains you.
  27. Re: When LE announced, but no wildcard... by Anonymous Coward · · Score: 2, Funny

    Cool story bro. What else do you predict will come to pass? Will you be my oracle?

  28. Re:Do you have any idea what you're talking about? by tepples · · Score: 1

    AC #54769865 probably believes that a web browser ought to be showing the same sort of interstitial before a cleartext HTTP site or an HTTPS site using a domain-validated certificate that it shows before an HTTPS site using a self-signed certificate. This interstitial would make it clear that the user is visiting the website of an entity other than an established business.

  29. Typosquatting by tepples · · Score: 1

    The certificate guarantees that if you were trying to connect to fraud.com that you in fact connected to fraud.com

    Then what makes it clear to Bank of America account holders that "bankofarnerica.com" (that's ARNERICA) isn't the site they're looking for?

    1. Re: Typosquatting by Zero__Kelvin · · Score: 2

      Certainly not standard DSL certs. You seem to think LetsEncrypt is doing something different than everyone else here other than providing free when others charge. They aren't. They are issuing non-EV certs that are just like paid for non-EV certs. I'm afraid nothing will protect an idiot from their own idiocy.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: Typosquatting by Zero__Kelvin · · Score: 1

      Fucking phone!!! Clearly that is supposed to say SSL not DSL.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Typosquatting by fnj · · Score: 1

      Then what makes it clear to Bank of America account holders that "bankofarnerica.com" (that's ARNERICA) isn't the site they're looking for?

      Their eyeballs looking at the URL in the address bar, and their brain interpreting the text, makes it clear. Unfortunately, as in your example, it can be pretty subtle, and if UTF-8 URLs catch on, it becomes downright impossible, as UTF-8 has multiple code points which render indistinguishable from each other in various fonts.

    4. Re: Typosquatting by tepples · · Score: 1

      You seem to think LetsEncrypt is doing something different than everyone else here other than providing free when others charge.

      I'm aware of what a DV SSL certificate does and does not do. Others aren't. Or they are but want browsers to display a more conspicuous indication of lack of organization validation for certificates that are only DV, such as an interstitial.

    5. Re: Typosquatting by Zero__Kelvin · · Score: 1

      Right. That is why you asked a question that made it clear that you didn't know. Off you go now ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re: Typosquatting by Anonymous Coward · · Score: 0

      Make Arnerica Great Again!

    7. Re:Typosquatting by hawkinspeter · · Score: 1

      For me, NoScript provides decent protection against that. If I've visited the correct site previously, then I would've white-listed JavaScript for that domain (and possibly a couple of their related domains). Then, if I visit the fraudulent domain, no JavaScript would run and the chances are that the site would look very different.

      SSL certs are not primarily for identifying that you've visited the correct domain (as in the one that you think you were connecting to), but are to prevent man-in-the-middle attacks and ensure end-to-end encryption.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  30. Use sneakernet or an internal CA by tepples · · Score: 1

    You have two options on an air-gapped network:

    A. Every two months, sneakernet CSRs to a machine that isn't air-gapped, run the ACME DNS challenge on that machine, and sneakernet the certificates back to the air-gapped network. The one thing you can't do if both the server and the client are air-gapped is OCSP.

    B. Set up an internal certificate authority, and deploy its root certificate throughout the internal network. This may fail in Android 7, which distrusts user-installed root certificates unless each application's publisher explicitly opts in to trusting user-installed root certificates.

  31. Re: When LE announced, but no wildcard... by Anonymous Coward · · Score: 0

    Cool story bro. What else do you predict will come to pass? Will you be my oracle?

    Your mother is my oracle.

  32. Re:Duration by tepples · · Score: 1

    Let's Encrypt offers certificates for as long as your automatic renewal cron job continues to run, provided that your domain also remains paid-up.

  33. Re:SSL-certificates used to mean more than encrypt by phantomfive · · Score: 1

    Since the 1990s, the world has realized that actually, we want to have all our web traffic encrypted. Why? Because with the advent of wifi, launching a MITM attack is too easy. There are plenty of good reasons to encrypt traffic, which is why everyone uses ssh, not telnet.

    "Trust" turned out to be not as big of a problem as everyone feared. Most of the time when I go to Amazon.com, it really is the real Amazon. In fact, it's never not been the real Amazon. However, it still is a real problem, and once traffic is encrypted, we'd also like to be able to know that websites are who they claim to be. It has never been a solved problem, though.

    --
    "First they came for the slanderers and i said nothing."
  34. Re:Do you have any idea what you're talking about? by Anonymous Coward · · Score: 0

    Ever hear the story of the boy who cried wolf?

    There are too many warnings, and it's getting harder and harder to tell what they are warning about. You really have to be intentional, and DIG into the warning to tell. This was a valid cert, but it expired yesterday. This is a self-signed cert, and you need to be certain you are at the right place. You went to example.com, but the cert is for www.example.com. You went to example.com, but the cert is for badguy.com. All generate the same warning on the surface, and you have to almost be a cert expert to figure out what the problem is.

  35. streamline the process by Anonymous Coward · · Score: 0

    I always find it amusing that EFF has such a huge push for SSL Certs yet they make their free Cert CA the hardest of any web issuing CAs on the market to utilize.

  36. Re:*.great! by Anonymous Coward · · Score: 0

    Sounds great! I might sign up as I have no excuse in 2018, apparently. Would like better Linux support though, not just Ubuntu and a few others.

  37. 100% HTTPS?? by spire3661 · · Score: 1

    There is no fucking need for EVERYONE to be running HTTPS.

    --
    Good-bye
    1. Re:100% HTTPS?? by Anonymous Coward · · Score: 1

      Yes, yes everyone should be running HTTPS. There is NO reason for any internet connected device to be communicating using HTTP. HTTP is a primary target for "enrichment", redirection and other payload manipulations. HTTPS is the only way to go.

      There is no reason not to use HTTPS. The days of low CPU devices are LONG gone. Recent technology improvements such as QUIC and HTTP2 (over TLS) are encrypted by default. QUIC eliminates the round trip time for TLS setups - it's easily as network efficient as HTTP.

    2. Re:100% HTTPS?? by spire3661 · · Score: 1

      It's not about CPU usage. Certs add a huge administration overhead, and need to be maintained. A static webpage with some contact info does not need HTTPS. Further, I REALLY don't like the idea that is starting to shape up that if you don't have a cert, you shouldn't be on the web. HTTPS is a tool for SOME jobs, not all HTTP, everywhere. That is just plain retarded. I shouldn't have to get permission from a third party to run a dead simple webpage. There ABSOLUTELY 100% are reasons to not need HTTPS. You are a fool.

      --
      Good-bye
    3. Re:100% HTTPS?? by Anonymous Coward · · Score: 0

      You don't need to beg for a cert from anyone. The problem now is that browsers grumble about self-signed certs. They are exactly what is appropriate for encrypted but not authenticated communication. HTTPS should be used everywhere.

    4. Re:100% HTTPS?? by Anonymous Coward · · Score: 0

      If you think doing Let's Encrypt is too hard then you have not tried it (it's really easy) or don't know how and should just go to any webhosting company that will do LE for free. Because if you're the former then it's definitely not a huge admin overhead and is easily maintained by various free clients, and if you're the latter your self administered web facing host will no doubt be part of a botnet zombie in the future.

      There's also the argument of herd immunity as well if everyone is encrypted, which strips off any suspicion of visiting a https enabled webpage (hey he's visiting a secure webpage, must be dodgy!). It also reduces the chance someone will be supplying sensitive data unencrypted (there's a whole laundry list really to argue for this).

      In short HTTPS (mostly) everywhere is definitely achievable and should be a goal for privacy and security.

    5. Re:100% HTTPS?? by hairyfeet · · Score: 1

      Glad to see I'm not the only one going "WTH?". I mean can anybody explain to me why the static page I'm looking at with 70s Mego figures NEEDS to be HTTPS? How about the one I'm looking at with the history of Squier guitars? Anyone? Bueller?

      For every page that could use HTTPS I'm sure there are at least 1000 where it makes no damned sense at all. If the page is static, you don't log into anything there, it's just good old txt and jpg...what good is HTTPS gonna do it?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:100% HTTPS?? by Anonymous Coward · · Score: 0

      A static webpage with some contact info does not need HTTPS.

      Yes, actually it really does need HTTPS, unless you enjoy being MITM'd and getting whatever bogus contact information your ISP or your neighbor wants you to see.

    7. Re:100% HTTPS?? by Anonymous Coward · · Score: 1

      According to the Snowden documents, because it used strictly HTTP and avoided HTTPS, for a long time three letter agencies manipulated the slashdot.org website when it was viewed by network administrators at large corporations when they were on their break. They planted exploits in the traffic to infiltrate the admin and their network. They were specifically targeting I.T. administrators in that campaign in order to slip exploits into products and services used by Americans and increase spying capability. This is just one of many examples of why HTTP traffic shouldn't be tolerated on the web, even for something as simple as reading the news. If you think your data isn't important enough to encrypt, you're probably wrong.

    8. Re:100% HTTPS?? by Anonymous Coward · · Score: 0

      Ever had a page injected with malware by an intermediary mitm (ISP, Chinese Firewall, etc.)?

      Given your position I guess not, but a lot of people have, and it would be selfish to deny these people safe browsing to the sites of their choice, simply because you haven't personally experienced the need (yet).

      The Chinese Firewall thing really happened, BTW, and led to innocent web users all over the world partaking in a DDOS of GitHub - purely because they happened to browse to a website over unencrypted HTTP.

    9. Re:100% HTTPS?? by hawkinspeter · · Score: 1

      In general, that kind of page doesn't need to be encrypted.

      However, encrypting connections to websites makes it harder for bad guys to sabotage someone's connection to the website and inject malware/ads etc. A free and easy to get and use SSL cert provides some protection for very little cost, hence the push to get as much of the web encrypted as possible.

      There's also an issue where people might be trying to analyse traffic and it could be of some advantage for them to know when you're visiting "secret encrypted" sites versus "ordinary http" sites. Encrypting everything by default can hope to allow some anonymity.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    10. Re:100% HTTPS?? by spire3661 · · Score: 1

      I don't believe in an internet where you need blessing from a third party to participate. 100% HTTPS as the system is currently implemented is outright folly. Let me easily self-sign and I'll be more on-board.

      --
      Good-bye
    11. Re:100% HTTPS?? by hawkinspeter · · Score: 1

      Self-signing is easy enough but has security issues. The client has no way to determine who did the signing - it could be the website owner or it could be a man-in-the-middle.

      Using HTTPS everywhere is more about protecting client computers (and their data) rather than needing a third-party's blessing. LetsEncrypt is a major step in lowering the barrier to let everyone run HTTPS easily and for free. It's designed to be easy to automate, so all you have to do is set up your web server to allow the specific challenge/response mechanism to verify that you have control of the domain. Then a one-line command is all you need to get your certificate in seconds. Point your webserver at the new certs and away you go. Renewal uses the same challenge/response system, so you just leave the relevant section in your config and you're ready for automated renewal.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    12. Re:100% HTTPS?? by spire3661 · · Score: 1

      Again, I don't believe in a web where you need a third party to vet you to participate. It's an INCREDIBLY ugly road. I like the HTTPS initiative, but I hate hate hate people pushing 100% HTTPS. We are all trained in absolutes and exceptions here, don't you think 100% HTTPS could have some nasty downsides?

      --
      Good-bye
    13. Re:100% HTTPS?? by hairyfeet · · Score: 1

      Uhhh we haven't been seeing MITM attacks in ages, hell I can't even remember the last time...what we are seeing is state actors which HTTPS ain't gonna do shit about. As McAfee rightly pointed out "It's not the connection to the device, it's the devices themselves that we are finding are being infected at the source, their production."

      And you still haven't answered the other guy who rightly points out why having the Internet require third parties to "vet you" is a BAD IDEA, hell look at Facebook and Twitter censoring and banning those on the right while not saying shit about the "I wish jews and whites would just die!" BLM activists to see why it's waaaay too easy for someone to use such a system to push a narrative.

      So far you have only offered a nebulous "there MIGHT be a threat maybe" as a positive while completely ignoring a LOT of downsides...sorry but your arguments so far are quite weak and wholly unconvincing...care to try again and answer some of the downsides? Because I'm sure that even you would admit a company like "Let's Encrypt" run by a whole bunch of companies that have either been caught bowing to governments in the past (Cisco) or make their money spying (Google) is more than a little "problematic".

      --
      ACs don't waste your time replying, your posts are never seen by me.
    14. Re:100% HTTPS?? by hawkinspeter · · Score: 1

      Nope. A simple analogy would be to use the postal system. Imagine that HTTP is like people sending each other postcards. Anyone can read them whilst in transit and also alter them. HTTPS would be equivalent to everyone sending letters in sealed envelopes (maybe with old-time wax seals on them). Now I understand that you don't want to be funding the BIG envelope corps, but here's an initiative that provides free envelopes (although they bio-degrade after 90 days which some people think is awkward).

      The biggest problem with HTTPS is that it uses more CPU and prevents caching, but CPU usage isn't really a problem these days.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    15. Re:100% HTTPS?? by hawkinspeter · · Score: 1

      I've seen MITM attacks at several wifi hotspots. Airports are a particular favourite place for people to set up a rogue hotspot and grab loads of credentials. To be honest, the safest way to use hotspots is to encrypt everything by using a VPN, but at least HTTPS will give you some warning (invalid certificates) if you do connect to a rogue hotspot without using a VPN.

      I'm not understanding the "vetting" issue with LetsEncrypt - they don't do anything except determine that you have control of the domain. It's automated, so there's no-one deciding whether or not to issue a cert. Even if they did refuse to issue a cert, then you can get one from elsewhere.

      I don't really get why people are against encryption - can you clarify "LOT of downsides" for me?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    16. Re:100% HTTPS?? by Anonymous Coward · · Score: 0

      I see MITM attacks all the time. Especially hotspots, especially official ones (communal wifi, railways, Starbucks), trying to spoof SSL certificates. I have no idea how many of these go unnoticed, because somehow they are able to present a "valid" cert for the domain. So HTTPS alone is not the solution.

  38. Ramnode by Anonymous Coward · · Score: 0

    I've been using Ramnode. They offer a $5 tier with similar specs as Linode, but I got the cheaper $15 / year option. It's pretty great, I didn't think I could afford a VPS.

    I've been using Dreamhost for years, and I've been pretty happy with them, but to save myself some money I intend to switch over to Ramnode or maybe Linode or maybe one of these other inexpensive VPS hosts. I've been happy to pay extra for Dreamhost's shared hosting features, but I can get them all and more with a VPS, and Dreamhost just does not have competitive VPS prices.

  39. Great change ! by Anonymous Coward · · Score: 0

    I love this, as until now I had to issue a single certificate for each subdomain.
    SAN wasn't possible because:
    1. we don't want to leak which customers we have to other customers, each customer gets its own subdomain
    2. moving a VM from one server to another with a different IP would require changing all SAN certificates as we are slightly over the 100 domain-limit

    1. Re:Great change ! by Anonymous Coward · · Score: 0

      3. Adding new clients and subdomains every 1-2 days would require recreating the whole certificate every 1-2 days ..
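
      The per-customer subdomain setup above, and the wish expressed earlier in the thread for one certificate covering any depth of subdomain, both come down to the name-matching rules TLS clients apply to a certificate's DNS names. The following is an added example (not Let's Encrypt, browser or poster code) implementing the RFC 6125 rules: a wildcard is one whole left-most label matching exactly one label, so it covers neither the bare domain nor a deeper subdomain, and the helper lists which hostnames would still force a reissue; the certificate names and customer hostnames are constructed.

```python
"""Which hostnames a certificate's names cover (added example, not Let's
Encrypt or browser code). It applies the RFC 6125 matching rules that TLS
clients use for the DNS names in a certificate:
  * the wildcard must be the whole left-most label ("*.example.com");
  * it matches exactly one label, so neither the bare domain nor a deeper
    subdomain (env1.qa.example.com) is covered;
  * partial wildcards ("w*.example.com") and wildcards directly under a
    TLD ("*.com") are refused, as browsers do.
"""


def hostname_matches(pattern, hostname):
    """True if certificate name `pattern` covers `hostname` (case-insensitive)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # plain name: exact label match
    # Wildcard must be the entire first label and nothing else may contain '*'.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False                          # refuse "*" and "*.com"
    # '*' stands for exactly one label; the remaining labels must be identical.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_covers(cert_names, hostname):
    """True if any name on the certificate (CN or SAN) covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def uncovered(cert_names, hostnames):
    """Hostnames that would force a reissue because nothing on the cert covers them."""
    return [h for h in hostnames if not certificate_covers(cert_names, h)]


if __name__ == "__main__":
    # Constructed example: the bare domain plus one wildcard, as a SAN list.
    names = ["example.com", "*.example.com"]
    customers = ["cust1.example.com", "cust2.example.com", "api.cust2.example.com"]
    print("not covered:", uncovered(names, customers))  # ['api.cust2.example.com']
```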

  40. Re:When LE announced, but no wildcard... by Anonymous Coward · · Score: 0

    Who's awesome? You're awesome!

  41. Re:Donald Trump is a traitor. by Anonymous Coward · · Score: 0

    Please show some actual evidence of your statements. The only selling to Russia with any credibility was Hillary's uranium deal to the Russians.