Let's Encrypt Is Now Officially Trusted by All Major Root Certificates

Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificate that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.

Re:Gee

[Wycliffe]

The relatively short length is intentional: https://letsencrypt.org/2015/1...
It's long enough so that you *can* manually update but short enough that it's a hassle to encourage people to automate.

Let's Encrypt is great to learn automation

Let's Encrypt is a really good setup for people who want to learn how to automate their system. While free and easy to set up (it took me about an hour to get https on my websites with it), the certificates only last 90 days, with the justification being that people should learn how to automate things.

Since I have multiple redundant nodes which I rsync to, I had to use the --manual-auth-hook option to certbot-auto to push the challenge-response tokens Let's Encrypt uses to authenticate website. I also use Ansible to log in to all of my nodes to update the certificates once they are generated.

Note that Let's Encrypt does log the IP of the machine used to generate the certificates; while these IPs have not been made public, the EFF keeps threatening to do so, which causes some lively discussion on the Let's Encrypt forum.

For those who do not know

[houghi]

Letâ(TM)s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

So if you need an SSL certificate for cheap, you can go to them. https://letsencrypt.org/

Re:For those who do not know

Also a trojan horse for security in the internet because now with let's decrypt anyone can do MITM with a valid certificate. What good is encryption if you can no longer trust the endpoint that's receiving it. We as users should accept no less than mandatory EV everything. No DV certificates provide any assurance that who you are talking to is really who they claim to be, especially if that certificate is issued by let's decrypt

It's amazing people still think and speak like this.
You clearly show knowledge on how certificate trust chains work on a technical level, yet demonstrate clearly you have no idea what they are for, what problem they solve, how they do that, or why.

First you are wrong on your specific blame placing regarding MITM attacks.
The only way to gain MITM advantage is to have access to the very server the private key resides on, as this is the only system allowed to request a cert for it.
That is true for ALL CAs, there is nothing different with Lets Encrypt here.

Also true for all CAs, if you have full access to the machine the private key is on, why bother with a MITM? You clearly have access to the entire data conversation at one end prior to data being encrypted. There's not many reasons to be both in the middle and also completely taking over one side. Both positions gain you access to the data in the clear, and since you need one to get the other, the only reason to do the extra work to get the other is just to "cover your bases"

Then there is your claim on DV certs, that they don't prove WHO you are talking to is who you think it is.

DV certs don't prove WHO they prove WHAT.
DV certs assure you are communicating by name to the server that has that name. Nothing more, nothing less.

In most cases that's all one needs or wants, just to know for certain that when I attempt to speak to the server at "ssl.example.org", that I'm really actually speaking with "ssl.example.org"
If I cared about not trusting whatever person or organization is behind that server, I wouldn't want to even attempt to speak to that server let alone need to know my lack of talking to that server was happening with the right server.

The primary reason to care what person or organization runs a server is when you are needing to send information securely *to those people*, by way of their server.

So yes you want to know that for certain if you are sending a means of payment or sensitive personal info *to a person/organization*, only then do you need to both be assured that the server your trying to talk to is the right server AND that the server your talking to is operated by the right person/organization.

That is specifically what EV certs are for. But that is far from the only reason one might want to secure communications, and those other reasons aren't likely to need that additional step, where a DV cert works perfectly well.

Some of my websites exists only to provide information. They do no require or accept payment details, they do not require or accept personal information, they don't even have a login system to make an account in. Just a dump of information available to anyone that wants it.
There is NO reason anyone needs to trust me personally, and no real reason for me to prove who I am in the real-world. So there is no reason for me to use an EV cert.
All of that remains true even if EV certs weren't expensive, as in even if it was free there is no NEED for the one extra feature EV gains you over DV.

People visiting my site however very well might care if anyone in the middle knows what info they got from it. DV certs prevent that just fine.
Some of those people know their ISP would sell both the fact they visited my site AND specifics of what they looked at, usually for direct marketing ads and crap. DV solves the second of those at least, just as well as EV. Neither EV or DV would hide the fact it was my website, but does hide the URLs and contents.

I can also say due to the nature

Re:What

[LordKronos]

Wow...and on top of that, you've been moderated to -1 Troll for correctly pointing it out. For any clueless moderator who might be included to give you a -1 mod:

Let's Encrypt is not "trusted by" root certificates***. It's more correct to say that the Let's Encrypt root certificate is now a trusted root certificate in the certificate store of all major browsers.

*** I guess technically they are also trusted by a root certificate. Let's Encrypt's intermediate certificate is also cross-signed by CACert, which is how older browsers (versions before the root certificate was included) were previously able to trust Let's Encrypt certificates. However, that's nearly 3 year old news, and although an articles about 3 year old news is not unheard of on slashdot, that's not what this particular article is about.