Slashdot Mirror


The EFF's 'Let's Encrypt' Plans Wildcard Certificates For Subdomains (letsencrypt.org)

Long-time Slashdot reader jawtheshark shares an announcement from the EFF's free, automated, and open TLS certificate authority at LetsEncrypt.org: "Let's Encrypt will begin issuing [free] wildcard certificates in January of 2018... A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier."
58% of web traffic is now encrypted, Let's Encrypt reports, crediting in part the 47 million domains they've secured since December of 2015. "Our hope is that offering wildcards will help to accelerate the Web's progress towards 100% HTTPS," explains their web page, noting that they're announcing the wildcard certificates now in conjunction with a request for donations to support their work.

14 of 111 comments

  1. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  2. Do you have any idea what you're talking about?! by Anonymous Coward · · Score: 2, Informative

    Sorry, I have to ask, are you just playing dumb in some failed attempt to be "funny" or "sarcastic", or are you really just ignorant about how these sorts of digital certs actually work?

    Are you really unaware of the differences between Domain Validated Certificates and Extended Validation Certificates? Are you unaware of how they're obtained? Are you unaware of how modern browsers indicate the use of such certificates to the browser's user?

    I really hope you're just trying to joke around, but failed miserably.

  3. What the fuck are you talking about?!?!?! by Anonymous Coward · · Score: 2, Informative

    Although being able to create a wildcard cert is interesting indeed. At least I will only need to have one cert reissued every 90 days instead of five.

    LOL! It's very clear that you have never actually used Let's Encrypt. It supports the subject alt name extension so that one cert can be used for multiple hosts.

    Fuck, just look at Slashdot's cert, if you're browsing this site using HTTPS. The Let's Encrypt provided cert I'm seeing used here has a CN of slashdot.org, but it also supports these names:

    So I don't know what the fuck you're doing talking about "5 certs". You must not know, either!

    I know the quality of the people around here has really decreased over time, but you're taking it to a whole new level of incompetence.

    Please, at least have some small idea about what you're talking about before you start shitting out nonsense!

  4. Re:90 day certificates by bill_mcgonigle · · Score: 2

    At least I will only need to have one cert reissued every 90 days instead of five.

    There are certainly some cluster-type cases where a wildcard will be handy, but in general people have used wildcard certs to make key management easier. Now that we have cron jobs/an API to do key management, I am more inclined to have multiple certs running all over the place, to isolate a break. CAA and DANE records integrated with Let's Encrypt will smooth over the potential downsides of everybody having tons of certs.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
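
Added example, not part of any comment in the thread: the trade-off raised in comments 3 and 4, worked through in Python. It checks which hostnames a certificate's SAN entries cover (a `*` stands for exactly one left-most label) and, from that, which hosts are exposed if that certificate's key leaks; the hostnames and the helper names `san_matches`, `covered` and `key_exposure` are constructed for illustration.

```python
# Added example (not from the thread). Hostnames are constructed samples.
# Rule set: "*" counts only as the whole left-most label and stands for
# exactly one label; requiring two fixed labels after it is a simplification
# of the public-suffix check real clients apply.

def san_matches(pattern: str, hostname: str) -> bool:
    """True if a single dNSName SAN entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # "*" never spans zero or two labels
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the first label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcards such as "w*"
    return p == h


def covered(sans, hostnames):
    """Hosts this certificate, and whoever holds its key, can speak for."""
    return [h for h in hostnames if any(san_matches(s, h) for s in sans)]


def key_exposure(certs, hostnames):
    """Map each certificate name to the hosts exposed if its key leaks."""
    return {name: covered(sans, hostnames) for name, sans in certs.items()}


HOSTS = ["example.com", "www.example.com", "api.example.com",
         "www.api.example.com"]

ONE_WILDCARD = {"wild": ["*.example.com"]}   # one cert and key for everything
PER_HOST = {h: [h] for h in HOSTS}           # one cert and key per host

if __name__ == "__main__":
    # The wildcard misses the apex and the two-level name, yet one leaked
    # key exposes every host it does cover.
    print(key_exposure(ONE_WILDCARD, HOSTS))
    print(key_exposure(PER_HOST, HOSTS))
```

A leaked wildcard key also covers one-label subdomains that do not exist yet, which a per-host inventory like `HOSTS` cannot list.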

  5. Re:90 day certificates by Anonymous Coward · · Score: 2, Insightful

    The reason for short-lived certificates is that certificate revocation does not work and is broken beyond repair.

  6. Re:Do you have any idea what you're talking about? by toonces33 · · Score: 2

    The majority of browser users will click past any warnings about certificates without thinking about it. So I think you are correct.

  7. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  8. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  9. Re: When LE announced, but no wildcard... by Anonymous Coward · · Score: 2, Funny

    Cool story bro. What else do you predict will come to pass? Will you be my oracle?

  10. Re:Frosty pi... oh no.. by tepples · · Score: 2

    I think the news is that you won't have to spend beaucoup bucks per year for such a certificate.

  11. Re:90 day certificates by fuzzyfuzzyfungus · · Score: 2

    Isn't an isolated network that you have exclusive control over pretty much an ideal case for using your own root?

    CAs are a necessary evil when you expect to deal with 3rd parties, because they've managed to get themselves trusted by a variety of vendors and you haven't; but if it's all your stuff, you can set it to trust your root and call it a day.

  12. Re: Typosquatting by Zero__Kelvin · · Score: 2

    Certainly not standard SSL certs. You seem to think LetsEncrypt is doing something different than everyone else here other than providing free when others charge. They aren't. They are issuing non-EV certs that are just like paid-for non-EV certs. I'm afraid nothing will protect an idiot from their own idiocy.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  13. Re: 90 day certificates by guruevi · · Score: 2

    In those cases any outside certificates are useless since you can't verify trust. You only need to have an internal CA system for those sorts of setups.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  14. Re: 90 day certificates by hawkinspeter · · Score: 2

    I prefer the break-early model of LetsEncrypt. Set up your test system with free LetsEncrypt certs and then test the cron script (one-liner) for renewing. Also, the certbot client has a dry-run feature so you can check what it's going to do if you do want to do proper testing.

    With long expiry dates, you'll never get around to automating renewal and then you'll probably forget all about it and/or move to a different job and not care. Someone is then left with a ticking time-bomb of embarrassment for a domain cert running out and probably no available test system (oh, that service hasn't been touched since Fred left - no we don't know how to re-create it for test).

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe