Slashdot Mirror
Let's Encrypt Is Now Officially Trusted by All Major Root Certificates (bleepingcomputer.com)
Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificate that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.
Trusted by root certificates? That is not how root certificates work. Bad article and bad headline for a tech site
Automate.
Certs updates should be automated anyhow, can't count how many times I've seen corporate sites have certs expire because some one couldn't or didn't update the cert because it was a manual process...
Microsoft? Check.
Google? Check.
Apple? Check.
Mozilla? Check.
Oracle? Check.
Blackberry? Che... wait, what?
The relatively short length is intentional: https://letsencrypt.org/2015/1...
It's long enough so that you *can* manually update but short enough that it's a hassle to encourage people to automate.
Netcraft confirms it, this list is dead.
Let's Encrypt is a really good setup for people who want to learn how to automate their system. While free and easy to set up (it took me about an hour to get https on my websites with it), the certificates only last 90 days, with the justification being that people should learn how to automate things.
Since I have multiple redundant nodes which I rsync to, I had to use the --manual-auth-hook option to certbot-auto to push the challenge-response tokens Let's Encrypt uses to authenticate website. I also use Ansible to log in to all of my nodes to update the certificates once they are generated.
Note that Let's Encrypt does log the IP of the machine used to generate the certificates; while these IPs have not been made public, the EFF keeps threatening to do so, which causes some lively discussion on the Let's Encrypt forum.
*ALL CA* are a single point of failure, it is not just let's encrypt
Higuita
Let's Encrypt has become a single point of failure for the majority of web sites
I generally think of "single point of failure" as one thing breaks and it immediately takes everything else down with it. With certificates, you should be renewing them 30 days before they expire. If Let's Encrypt suddenly ceased to exist, you would have 30 days notice that they are gone, and thus 30 days to switch to a different certificate provider and continue on with zero downtime. That's not my definition of single-point-of-failure. So it's really only a single point of failure for websites whose admins can't be bothered to monitor their processes, and can't be bothered to read tech-related websites and blogs (as something like that would be posted about everywhere).
And we have known how to fix it since about 1988-1990 (PGP), before HTTPS was even a thing. Our entire CA system was obsolete before we started using it. Hopefully, some day we'll upgrade to 1990 tech and then identities will have multiple parties certifying them.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Came here to say the same thing. The headline makes no sense whatsoever.
The unofficial reason of a short-lived certificate is that LE doesn't want to be liable in case of a certificate issue - the shorter the life, the lower the probability of some issues.
Slashdot, fix the reply notifications... You won't get away with it...
From the official announcement: "While Let’s Encrypt is now directly trusted by almost all newer versions of operating systems, browsers, and devices, there are still many older versions in the world that do not directly trust Let’s Encrypt. Some of those older systems will eventually be updated to trust Let’s Encrypt directly. Some will not, and we’ll need to wait for the vast majority of those to cycle out of the Web ecosystem. We expect this will take at least five more years, so we plan to use a cross signature until then." So let's not hurry with the celebrations. It will take 5 year at least to happen ......
If you can't figure out how to set cron to execute a command every 3 months then you really shouldn't be even remotely in charge of something as important as the encryption on your server.
Let's Encrypt has become a single point of failure
How so? You do realise there are systems in place to handle faults in certificate issuing processes, and outside of the issuing process they are not in any way involved right?
Before you declare something a single point of failure and a major drama, maybe define what the failure mechanism and the consequence is first.
I think it increases security, credibility. Remember that those certificates are intended to provide both.
With a positive response required to keep the certificate up it means someone in charge of the certificate is actively maintaining a system and the required chain of credentials to make it all happen is being processed (Even if automated)
It means things are more likely to be legitimate, and the useful lifetime of hijacked credentials is much shorter.
Letâ(TM)s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).
So if you need an SSL certificate for cheap, you can go to them. https://letsencrypt.org/
Don't fight for your country, if your country does not fight for you.
Anathema to a free web? By insuring I'm talking to the site I tried to talk to and preventing eavesdropping?
Cheap storage VM.
Im sorry, but i absolutely cannot take them seriously when they say shit like this " If we’re going to move the entire Web to HTTPS, ".
With this stance, NO ONE should be supporting Lets Encrypt. Their philosophy is anathema to a free and open web. Enough! Lets Encrypt should be considered neutral at best, and outright harmful at worst. Im tired of it being touted as a good thing. This madness has gone too far already.
Google has the same stance of encrypting everything. They are even starting to penalize sites that are not encrypted. I believe the idea is that if everything is encrypted then not only does it make MITM harder, it also makes it harder to distinguish between "regular" traffic and traffic a government or organization might want to monitor/restrict. As a parent who has tried to use parental controls, it does work. It's extremely hard to censor/monitor youtube because everything is now encrypted.
the PRISM list.
Domestic spying is now "Benign Information Gathering"
These guys did something right and I applaud them. Much better than managing your own certificates and getting your users to accept them.
You mentioned the Wikipedia article "Web of trust". It acknowledges that getting your key signed for the first time is impractical for many. True, a key signing party will help your key become trusted in the same village. But that doesn't help you build a robust set of paths through the web of trust to users on the other side of the planet unless several people who attended the same key signing party also routinely travel internationally to key signing parties in other countries. And with the U.S. TSA and other national air travel regulators ramping up their security theater in response to terrorist threats, international travel has become more impractical over time. The terrorists have won.
That'd be fine if all major domain registrars offered a way to let a cron job update your domain's TXT records. I'm under the impression that many do not. Many dynamic DNS providers don't support TXT records at all.
You do know that nothing is easier than auto-renewing your certificate, yes? Hell, pretty much any proxy and other SSL-offloader comes with its own "how to automate LE-Cert-Renewals".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You might want to elaborate on that, it's not as obvious as you think it is.
At least to me, it ain't.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Then install an offloading proxy on the machine you want to monitor and its certificate in the browser used. It ain't hard to break ssl encryption, provided you control one endpoint...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
*BSD uses Mozilla's root certificate bundle.
FreeBSD The port port security/ca_root_nss provides Mozilla roots. (Source: chatwizrd's post). NetBSD The package security/mozilla-rootcerts provides Mozilla roots. OpenBSD This libressl commit states that OpenBSD's LibreSSL library provides Mozilla roots.You shouldn't be in charge of an internet facing machine altogether...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Web browsers require HTTPS for some JavaScript APIs, even on non-Internet-facing machines such as a NAS box on your home LAN.
OOooh cut. Burn. Hisss. boooo!
Another high value post brought to you by an opportunist who was hoping no one noticed that he added nothing to the conversation.
So establishing the web could be somebody's job. Imagine if i walk into a AAA storefront, show them my ID and pay a small fee, and they sign my cert.
My bank could do the same. or 711 for that matter. Hell, the DMV ought to, establishing identification is half of their job anyway.
All i'm saying is, we could have more "web-of-trust" infrastructure then just key signing parties.
Not you, personally, you as in an addendum to your post.
Screw English and its lack of an impersonal pronoun.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Another high value post brought to you by an opportunist who was hoping no one noticed that he added nothing to the conversation.
Except he's correct.
If one explicitly choose not to automatically schedule a once-per-three-month task and perform it manually, yet can't manage to find the time or inclination to actually do so manually every three months, one would have much worse problems than your certificate expiring.
That means using the same demonstrated behavior and thinking, that person would refuse to automate system updates and security patches opting to install them manually, and then not having the time or inclination to actually manually install those security updates and system patches.
Security patches tend to get released much more frequent than once every three months as well.
By the time the certificate expires, the same system is at least three months behind on patching potentially remotely exploitable security vulnerabilities.
If one makes the choice to provide full admin/root access on your systems to any random scan bot and script kiddie that happens along, complaining that its certificate (that is no longer actually protecting anything) has expired isn't a priority.
Let's Encrypt depends on the TXT record for the dns-01 challenge. It does not for the http-01 challenge; it instead depends on having a public-facing web server as opposed to one behind the firewall.
yet can't manage to find the time
Who said that? Must have been that magical person who can edit Slashdot posts.
English speakers use "one" or "someone" as the impersonal pronoun. For example, your comment could be reworded as follows: "Someone who can't set up a cron job shouldn't be in charge of an Internet-facing machine altogether."
So establishing the web could be somebody's job.
I believe that job is called a notary. And you're right that a notary firm operating in multiple villages would have the resources to build the web beyond one geographic area.
Hell, the DMV ought to, establishing identification is half of their job anyway.
Even so, good luck getting that, or any other new duties of the DMV, past the minarchists in the Republican Party of each U.S. state.
It's Google's fault for trying to strong-arm HTTPS-only.
It's not even only Google. Mozilla is on the same track of deprecating cleartext HTTP, according to its HTTPS FAQ from May 2015.
And yet people are able to get X.509 certs signed, and we even have things like LetsEncrypt. The evidence suggests getting signatures isn't really all that hard, since 100.0% of the websites that implement HTTPS somehow managed to do it.
So why stop at 1? The only people who come out ahead by us having single point of failure, are the attackers. I think we should move from a pro-attack to a pro-defense strategy, though I guess we should let the people at NSA, FSB, Chinese government and the Mafia weigh in on this before we make any hasty decisions.
I linked to the WoT article to inspire/remind people to think about the robustness of multiple parties attesting to an identity instead of just one, as well as how you decide how much to trust any one given CA. (Which is something nobody does today.)
What if one of the many signatures expires?
What if one of the many certifiers disagrees with the others, due to malice or mistake?
The WoT beats the living shit out of what we're doing today. It degrades gradually and more slowly when faced with simple failures, and it requires conspiracies (instead of someone coercing one single party) to undermine it. Perhaps that's why we don't use it: because it would be more secure, inconveniently too secure when you need to spy on someone. Or perhaps it's because people want to pretend that your confidence is either 0% or 100%, in spite of the fact that nothing ever really works like that.
Actually some people do that (an international path through the WoT isn't that uncommon) but you're right that what happens today in PGP's WoT often isn't enough, and it really wouldn't be enough for everyone.
But I wasn't suggesting that the faceless companies that you currently fully trust (hey someone, remind me: why?), have to be left out and replaced by amateurs, as somehow turned out to be the case with PGP. If we implemented the web's PK like PGP did it, then you could still have your cert signed by Verisign and LetsEncrypt and Comodo and your neighbor and your bank and state government and those people you lifted pints with at the conference bar. Sure beats having a single point of failure. Imagine your LetsEncrypt signature expired then. Imagine Comodo fucked up again. Imagine your own government told Verisign to lie or your neighbor was trying to MitM you. Instead of these being disasters where thousands of people have to scramble to minimize downtime, it would be a minor nuisance, detected quickly ("hey, one of these CAs disagrees with all the others..."), and with reputation ramifications.
The catch is that we'd have to start valuing defense more than attack.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
yet can't manage to find the time
Who said that? Must have been that magical person who can edit Slashdot posts.
This post said that:
"Gee, now if the certs would last longer than Trump's attention span, Let's Encrypt could actually become useful. At this point, they should rename it "Let's Momentarily Encrypt.""
That being the person you responded to, saying:
"If you can't figure out how to set cron to execute a command every 3 months then you really shouldn't be even remotely in charge of something as important as the encryption on your server."
That being the post Opportunist expanded upon, adding to your reply to them with:
"You shouldn't be in charge of an internet facing machine altogether..."
That being the post you responded to with insults and claiming it wasn't an addition:
"Another high value post brought to you by an opportunist who was hoping no one noticed that he added nothing to the conversation."
It is clear you're having problems following a conversation thread, obviously mistaking his statement as directed at you, instead of what actually happened being he expanded on your statement directed to the same person you replied to.
This brings us to my reply saying his addition was correct and explaining in detail why that is.
(You know, slashdot has a thread view mode for this)
The only reason the first person would even mention the cert validity time being short is if they didn't automate the renewal, so they clearly didn't automate it.
The only reason the first person would complain about the short time, already shown not to be automated, is if it was a problem.
Manually renewing it, though silly, also does work when you do it. One only complains if they don't or can't, so they clearly are not doing so.
The proper solution is to automate the renewal, just like you pointed out, solving the "even mentioning it" part.
The proper solution to not manually renewing it, aka maintaining the system, is to not be in a system admin role, as Opportunist pointed out, solving the "complaining" part.
Is this really all that confusing?
You are literally making personal attacks directed at those of us confirming your original statement here. Are you attempting to argue we are wrong or something?
If so, being we are expanding upon and reconfirming what you yourself originally said, wouldn't us being wrong also make your statement wrong? Why did you post it then?
If you are not attempting to say we are wrong, then why the hostility?
Most automatic renewal options attempt renewal in advance of the expiration, so there's time to get notified and resolve any issues before the current cert expires.
DMV? Good one. I just had the experience of 'proving' something to the DMV (NY). I needed to provide 2 'proofs of residence'. My mailing address is a PO box, as the wonderful USPS does not deliver to homes in our town. One of the proofs I had was my water/sewer bill. The bill has 'YOURTOWN WATER/SEWER DISTRICT' printed across the top, and had my address (street and house) listed as 'service to property'. The genius at the DMV would not accept that, because the 'service address' did not have the town listed. Exactly what town do they think 'Yourtown water/sewer district' serves?
But it gets better. They gave me a form, which could be used to 'prove' my address. This form could be filled out by anyone, including my spouse, saying that I lived at the address I said I did. The person filling out the form doesn't have to appear in person, and the form doesn't even have to be notarized. Not sure how that proves anything.
Oh, and another form of 'proof' that they will accept? 'A computer printed pay statement'. Man, who could ever forge one of those?
What I do is on the main nameservers I set up NS records for the _acme-challenge subdomains that points to my own nameserver (BIND) used only for this purpose. Then I have a simple script that updates the TXT record in these zone files. Works like a charm. I can share it if you think it's useful.
-IOVAR Web Dev Platform
The issue is they think that all websites should be encrypted and are working to that end. I should not need a third party cert to deploy a website on the web, period. Use them if you want, they are great, but the idea that all the web must be purged of clear HTTP is utter stupidity and i cannot support that.
Good-bye
I put my process on github: https://github.com/VirgoVentur...
-IOVAR Web Dev Platform
Like I don't block that shit...
Cheap storage VM.
Thanks for posting your process. But do dynamic DNS providers even allow NS records?
Shoot, that's a good question. I'm not too familiar with the third-party providers since I host my own DNS and simply wanted an easy way to renew without having to modify the processes connected to my main nameservers. I put my scripts on github, maybe they can still be useful: https://github.com/VirgoVentur...
-IOVAR Web Dev Platform