Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com)
100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog:
[S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...
Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... "The reason people treat us like a punching bag is that we are big and we are transparent."
The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption.'"
The verification is performed by software, the same as any other CA. Less frequent renewals would not result in more thorough vetting.
This is my signature. There are many like it, but this one is mine.
I've spent the better part of a day explaining to my mom how to distinguish a safe website from an unsafe one. You look at the green bar / lock. Is it green? You are good to give them your name and CC details.
Now I have to go to her and explain that, no, things have changed
No, nothing has changed about what that green bar means: encrypted connection. You pushed a false idea onto your mother, an idea that companies planted and you blindly accepted.
Anons need not reply. Questions end with a question mark.
The S stands for secure and has always stood for that. Her CC number will be securely sent to the server in question. Again, LetsEncrypt changes nothing about how all this works. You have no clue. If she connects securely to trumpuniversity.com or does so through http she will get scammed either way. Read the hundreds of other posts here where everyone else already understands this. Time to admit to mom you aren't the ubergeek you let them think you are, I'm afraid. Off you go now ...
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
You're making assumptions about what "secure" means in this context. It means the communications are secure from 3rd parties. That doesn't mean the website you're communicating with isn't evil. It never has.
> Now I have to go to her and explain that, no, things have changed: if you see a green padlock, it no longer means someone at least had to fax some registration papers and pay a few bucks so he's traceable.
Things have been like that for a LONG while then. I've been able to get SSL certs with a credit card and no verification outside of an email address from a major vendor since 2009. A wildcard at that.
Now I have to explain to her that 'S' does not stand for 'Secure'
Of course it stands for "secure". You can rest assured in the comfort that when you type your Paypal password in at https://www.payypall.com/ I or anyone else other than the operators of the scam site are unable to see your password.
Validation of companies was not part of getting an SSL certificate, not until 2005 anyway when the EV certificate was introduced. And it wasn't long after that browsers started displaying EV details differently which is why when I go to https://www.payypall.com/ I see a green lock, but when I go to https://www.paypal.com/ I see "Paypal Inc, [US]" written in the address bar.
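The summary notes that Let's Encrypt's issuance records are publicly searchable, and the thread's payypall.com example shows why that matters: a brand owner can watch those records for lookalike names. The following is an added example, not code from the article or from Let's Encrypt, of the kind of lookalike filter a defender would run over such a hostname list. The brand list, the confusable-character table and the sample hostnames are all constructed here, and the registrable-label logic is a deliberate simplification (no public suffix list).

```python
import re

# Hypothetical brand list a defender monitors (constructed for this example).
BRANDS = ("paypal",)

# Digit/symbol substitutions commonly used in lookalike names (constructed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "@": "a", "$": "s"})

# Constructed sample input standing in for hostnames pulled from a public
# certificate-transparency search; no network access is used.
SAMPLE_NAMES = [
    "www.paypal.com",                    # the real site: not flagged
    "www.payypall.com",                  # the thread's example
    "*.payypall.com",                    # wildcard cert for the same name
    "paypa1.com",                        # digit-for-letter swap
    "paypal-secure-login.example.net",   # brand inside a subdomain label
    "mail.example.org",                  # unrelated: not flagged
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squeeze(label: str) -> str:
    """Normalize a DNS label: map confusables, drop hyphens, collapse repeated
    characters, so 'payypall' and 'paypa1' both become 'paypal'."""
    return re.sub(r"(.)\1+", r"\1", label.translate(CONFUSABLES).replace("-", ""))

def classify(hostname: str, brands=BRANDS):
    """Return a reason if the hostname imitates a brand, else None. Simplified:
    the label left of the last one is treated as the registrable label."""
    host = hostname.lower().rstrip(".")
    host = host[2:] if host.startswith("*.") else host
    labels = host.split(".")
    if len(labels) < 2:
        return None
    apex, subs = labels[-2], labels[:-2]
    for brand in brands:
        if apex == brand:
            return None  # the brand's own domain, assumed legitimate
        if levenshtein(squeeze(apex), brand) <= 1:
            return f"apex '{apex}' looks like '{brand}'"
        if brand in squeeze(apex):
            return f"apex '{apex}' embeds '{brand}'"
        for sub in subs:
            if brand in squeeze(sub):
                return f"subdomain '{sub}' embeds '{brand}'"
    return None

def scan(names=SAMPLE_NAMES) -> dict:
    """Map each flagged hostname to the reason it was flagged."""
    return {n: r for n in names if (r := classify(n))}
```

Running `scan()` on the sample list flags every entry except the genuine PayPal host and the unrelated mail server; the wildcard entry is flagged the same way as the plain name.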