Slashdot Mirror


Let's Encrypt Is Now Officially Trusted by All Major Root Certificates (bleepingcomputer.com)

Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificates that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.
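What "cross-signed" and "directly trusted" mean for a client can be shown with a toy hierarchy. The Go program below is an added example, not code from the article, Let's Encrypt or IdenTrust: it generates two self-signed roots, certifies one intermediate key under each of them, issues a leaf for the assumed hostname www.example.org, and counts how many valid chains a client can build for each combination of trust-store contents and intermediates sent by the server. The certificate names only echo the real ones for readability; every key here is generated on the spot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certs is shorthand for "what a client trusts" or "what a server sends".
type certs = []*x509.Certificate

// PKI is a locally generated stand-in for the hierarchy in the article.
// Names echo the real ones for readability only; no real CA material is used.
type PKI struct {
	ISRGRoot      *x509.Certificate // the CA's own root, now in the trust stores
	IdenTrustRoot *x509.Certificate // the cross-signing root older clients trusted
	R3Direct      *x509.Certificate // intermediate issued by ISRGRoot
	R3Cross       *x509.Certificate // same intermediate key, issued by IdenTrustRoot
	Leaf          *x509.Certificate // end-entity cert for www.example.org (assumed name)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// tmpl returns a minimal template: CAs get basic constraints and certSign,
// leaves get a SAN and the serverAuth EKU that chain builders require.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs template t for pub with key; parent == t yields a self-signed
// certificate. A failure here leaves nothing meaningful to continue with.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func BuildPKI() *PKI {
	isrgKey, dstKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	isrgT := tmpl("ISRG Root X1 (example)", 1, true)
	dstT := tmpl("DST Root CA X3 (example)", 2, true)
	p := &PKI{
		ISRGRoot:      issue(isrgT, isrgT, &isrgKey.PublicKey, isrgKey),
		IdenTrustRoot: issue(dstT, dstT, &dstKey.PublicKey, dstKey),
	}
	// Cross-signing: one intermediate key, two certificates with the same
	// subject but different issuers, so each one chains to a different root.
	p.R3Direct = issue(tmpl("R3 (example)", 3, true), p.ISRGRoot, &r3Key.PublicKey, isrgKey)
	p.R3Cross = issue(tmpl("R3 (example)", 4, true), p.IdenTrustRoot, &r3Key.PublicKey, dstKey)
	// The leaf is signed by the intermediate key; which R3 certificate a client
	// pairs it with depends only on what it is sent and which roots it trusts.
	p.Leaf = issue(tmpl("www.example.org", 5, false), p.R3Direct, &leafKey.PublicKey, r3Key)
	return p
}

// Chains counts the valid paths a client trusting exactly roots can build when
// the handshake carries sent as intermediates; 0 means an unknown-issuer failure.
func (p *PKI) Chains(roots, sent certs) int {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: "www.example.org"}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range sent {
		opts.Intermediates.AddCert(c)
	}
	chains, err := p.Leaf.Verify(opts)
	if err != nil {
		return 0
	}
	return len(chains)
}

// Scenarios covers the cases the article implies plus two misconfigurations.
func Scenarios() map[string]int {
	p := BuildPKI()
	both := certs{p.R3Direct, p.R3Cross}
	return map[string]int{
		"old client (IdenTrust only), both R3s sent":       p.Chains(certs{p.IdenTrustRoot}, both),
		"new client (ISRG only), both R3s sent":            p.Chains(certs{p.ISRGRoot}, both),
		"client trusts both roots, both R3s sent":          p.Chains(certs{p.ISRGRoot, p.IdenTrustRoot}, both),
		"ISRG only, but server sends cross-signed R3 only": p.Chains(certs{p.ISRGRoot}, certs{p.R3Cross}),
		"IdenTrust only, but server sends direct R3 only":  p.Chains(certs{p.IdenTrustRoot}, certs{p.R3Direct}),
	}
}

func main() {
	for name, n := range Scenarios() {
		fmt.Printf("%-50s chains=%d\n", name, n)
	}
}
```

The first three scenarios are the article's point: once the CA's own root is in the store, a client no longer needs the cross-signing root, and a client that has both can build either chain. The last two are what bites in practice: the root store only helps if the server sends the intermediate that chains to a root the client actually has, so a server shipping only the cross-signed intermediate breaks for a client whose store has dropped IdenTrust, and the reverse holds for old clients that never received the new root.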

17 of 92 comments

  1. What by Anonymous Coward · · Score: 5, Insightful

    Trusted by root certificates? That is not how root certificates work. Bad article and bad headline for a tech site

    1. Re:What by LordKronos · · Score: 4, Informative

      Wow...and on top of that, you've been moderated to -1 Troll for correctly pointing it out. For any clueless moderator who might be inclined to give you a -1 mod:

      Let's Encrypt is not "trusted by" root certificates***. It's more correct to say that the Let's Encrypt root certificate is now a trusted root certificate in the certificate store of all major browsers.

      *** I guess technically they are also trusted by a root certificate. Let's Encrypt's intermediate certificate is also cross-signed by CACert, which is how older browsers (versions before the root certificate was included) were previously able to trust Let's Encrypt certificates. However, that's nearly 3-year-old news, and although an article about 3-year-old news is not unheard of on slashdot, that's not what this particular article is about.

    2. Re:What by OtisSnerd · · Score: 2

      Is meta-moderation still even a thing on slashdot? Maybe they just moved it to a place I can't see it, but as far as I'm aware I haven't been offered it in many years.

      You can find it here: https://slashdot.org/firehose.... After finally being offered metamod, I saved the URL.

  2. Re:Gee by Anonymous Coward · · Score: 5, Insightful

    Automate.

    Cert updates should be automated anyhow; I can't count how many times I've seen corporate sites have certs expire because someone couldn't or didn't update the cert because it was a manual process...

  3. one of these things is not like the other... by Jaegs · · Score: 4, Funny

    Microsoft? Check.
    Google? Check.
    Apple? Check.
    Mozilla? Check.
    Oracle? Check.
    Blackberry? Che... wait, what?

  4. Re:Gee by Wycliffe · · Score: 4, Informative

    The relatively short length is intentional: https://letsencrypt.org/2015/1...
    It's long enough so that you *can* manually update but short enough that it's a hassle to encourage people to automate.

  5. All major OS? Forgot to get BSD. by Anonymous Coward · · Score: 2, Funny

    Netcraft confirms it, this list is dead.

  6. Let's Encrypt is great to learn automation by Anonymous Coward · · Score: 2, Informative

    Let's Encrypt is a really good setup for people who want to learn how to automate their system. While free and easy to set up (it took me about an hour to get https on my websites with it), the certificates only last 90 days, with the justification being that people should learn how to automate things.

    Since I have multiple redundant nodes which I rsync to, I had to use the --manual-auth-hook option to certbot-auto to push the challenge-response tokens Let's Encrypt uses to authenticate the website. I also use Ansible to log in to all of my nodes to update the certificates once they are generated.

    Note that Let's Encrypt does log the IP of the machine used to generate the certificates; while these IPs have not been made public, the EFF keeps threatening to do so, which causes some lively discussion on the Let's Encrypt forum.
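The value an auth hook has to push to every node is not arbitrary: the CA derives it from the challenge token and the ACME account key, and the hook just has to place it where the CA will look. As an added example (not the commenter's hook and not certbot's own code), the Go program below computes that value the way RFC 8555 and RFC 7638 specify, for the HTTP-01 challenge the commenter automates and, going one step further, for DNS-01 as well. It also refuses tokens that are not plain base64url before they can be used as part of a file name, since a hook that writes `<webroot>/.well-known/acme-challenge/<token>` should never trust the token's shape. The account key and token are generated in the program and www.example.org is an assumed hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
)

// ACME (RFC 8555) and JOSE use unpadded base64url throughout.
var b64 = base64.RawURLEncoding

// tokenRE is the only shape a challenge token may have (RFC 8555 section 8.3).
// Checking it before a hook writes <webroot>/.well-known/acme-challenge/<token>
// keeps a malformed or malicious token from turning into a path traversal.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

func ValidToken(token string) bool { return tokenRE.MatchString(token) }

// NewAccountKey returns a fresh P-256 ACME account key. A real client loads
// the one it registered with; here it is generated for the demonstration.
func NewAccountKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Thumbprint computes the RFC 7638 JWK thumbprint of an EC public key:
// SHA-256 over the canonical JSON of the required members (crv, kty, x, y)
// in lexicographic order with no whitespace. encoding/json emits struct
// fields in declared order without spaces, so the struct below is canonical.
func Thumbprint(pub *ecdsa.PublicKey) (string, error) {
	crv := pub.Curve.Params().Name
	switch crv {
	case "P-256", "P-384", "P-521":
	default:
		return "", fmt.Errorf("unsupported curve %q", crv)
	}
	size := (pub.Curve.Params().BitSize + 7) / 8 // coordinates are zero-padded to the field size
	jwk := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{crv, "EC", b64.EncodeToString(pub.X.FillBytes(make([]byte, size))), b64.EncodeToString(pub.Y.FillBytes(make([]byte, size)))}
	raw, err := json.Marshal(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return b64.EncodeToString(sum[:]), nil
}

// KeyAuthorization is the string a challenge proves control with:
// token "." thumbprint (RFC 8555 section 8.1). For http-01, certbot passes
// this to a --manual-auth-hook as $CERTBOT_VALIDATION and the token as $CERTBOT_TOKEN.
func KeyAuthorization(token string, pub *ecdsa.PublicKey) (string, error) {
	if !ValidToken(token) {
		return "", fmt.Errorf("refusing token %q: not base64url", token)
	}
	tp, err := Thumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// HTTP01 gives the URL the CA will fetch and the exact body it expects there.
func HTTP01(domain, token, keyAuth string) (url, body string) {
	return "http://" + domain + "/.well-known/acme-challenge/" + token, keyAuth
}

// DNS01 gives the TXT value for _acme-challenge.<domain>: the base64url
// SHA-256 of the key authorization, not the key authorization itself.
func DNS01(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64.EncodeToString(sum[:])
}

func main() {
	key := NewAccountKey()
	// Constructed token; in practice the CA supplies one with at least 128 bits of entropy.
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		panic(err)
	}
	token := b64.EncodeToString(tok)
	ka, err := KeyAuthorization(token, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	url, body := HTTP01("www.example.org", token, ka)
	fmt.Printf("serve %s\nwith body %s\nor TXT _acme-challenge.www.example.org = %s\n", url, body, DNS01(ka))
}
```

The point for a multi-node setup is that every node must return exactly the key authorization for that token, which is why the commenter has to fan the value out before the CA validates; the CA may hit any node that answers for the name. The token check is the defensive detail worth keeping in any hook that turns `$CERTBOT_TOKEN` into a file path.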

  7. Re:Let's Encrypt issues more than half of all cert by higuita · · Score: 2

    *ALL CA* are a single point of failure, it is not just let's encrypt

    --
    Higuita

  8. Re:Let's Encrypt issues more than half of all cert by Anonymous Coward · · Score: 2, Insightful

    Let's Encrypt has become a single point of failure for the majority of web sites

    I generally think of "single point of failure" as one thing breaks and it immediately takes everything else down with it. With certificates, you should be renewing them 30 days before they expire. If Let's Encrypt suddenly ceased to exist, you would have 30 days notice that they are gone, and thus 30 days to switch to a different certificate provider and continue on with zero downtime. That's not my definition of single-point-of-failure. So it's really only a single point of failure for websites whose admins can't be bothered to monitor their processes, and can't be bothered to read tech-related websites and blogs (as something like that would be posted about everywhere).

  9. MOD PARENT UP by CheeseyDJ · · Score: 3, Insightful

    Came here to say the same thing. The headline makes no sense whatsoever.

  10. Re:Gee by thegarbz · · Score: 2, Insightful

    If you can't figure out how to set cron to execute a command every 3 months then you really shouldn't be even remotely in charge of something as important as the encryption on your server.

  11. Re:Let's Encrypt issues more than half of all cert by thegarbz · · Score: 2

    Let's Encrypt has become a single point of failure

    How so? You do realise there are systems in place to handle faults in certificate issuing processes, and outside of the issuing process they are not in any way involved right?

    Before you declare something a single point of failure and a major drama, maybe define what the failure mechanism and the consequence is first.

  12. For those who do not know by houghi · · Score: 4, Informative

    Let's Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

    So if you need an SSL certificate for cheap, you can go to them. https://letsencrypt.org/

    --
    Don't fight for your country, if your country does not fight for you.

    1. Re:For those who do not know by Anonymous Coward · · Score: 2, Informative

      Also a trojan horse for security in the internet because now with let's decrypt anyone can do MITM with a valid certificate. What good is encryption if you can no longer trust the endpoint that's receiving it. We as users should accept no less than mandatory EV everything. No DV certificates provide any assurance that who you are talking to is really who they claim to be, especially if that certificate is issued by let's decrypt

      It's amazing people still think and speak like this.
      You clearly show knowledge on how certificate trust chains work on a technical level, yet demonstrate clearly you have no idea what they are for, what problem they solve, how they do that, or why.

      First you are wrong on your specific blame placing regarding MITM attacks.
      The only way to gain MITM advantage is to have access to the very server the private key resides on, as this is the only system allowed to request a cert for it.
      That is true for ALL CAs, there is nothing different with Lets Encrypt here.

      Also true for all CAs, if you have full access to the machine the private key is on, why bother with a MITM? You clearly have access to the entire data conversation at one end prior to data being encrypted. There's not many reasons to be both in the middle and also completely taking over one side. Both positions gain you access to the data in the clear, and since you need one to get the other, the only reason to do the extra work to get the other is just to "cover your bases"

      Then there is your claim on DV certs, that they don't prove WHO you are talking to is who you think it is.

      DV certs don't prove WHO they prove WHAT.
      DV certs assure you are communicating by name to the server that has that name. Nothing more, nothing less.

      In most cases that's all one needs or wants, just to know for certain that when I attempt to speak to the server at "ssl.example.org", that I'm really actually speaking with "ssl.example.org"
      If I cared about not trusting whatever person or organization is behind that server, I wouldn't want to even attempt to speak to that server let alone need to know my lack of talking to that server was happening with the right server.

      The primary reason to care what person or organization runs a server is when you are needing to send information securely *to those people*, by way of their server.

      So yes you want to know that for certain if you are sending a means of payment or sensitive personal info *to a person/organization*, only then do you need to both be assured that the server you're trying to talk to is the right server AND that the server you're talking to is operated by the right person/organization.

      That is specifically what EV certs are for. But that is far from the only reason one might want to secure communications, and those other reasons aren't likely to need that additional step, where a DV cert works perfectly well.

      Some of my websites exist only to provide information. They do not require or accept payment details, they do not require or accept personal information, they don't even have a login system to make an account in. Just a dump of information available to anyone that wants it.
      There is NO reason anyone needs to trust me personally, and no real reason for me to prove who I am in the real-world. So there is no reason for me to use an EV cert.
      All of that remains true even if EV certs weren't expensive, as in even if it was free there is no NEED for the one extra feature EV gains you over DV.

      People visiting my site however very well might care if anyone in the middle knows what info they got from it. DV certs prevent that just fine.
      Some of those people know their ISP would sell both the fact they visited my site AND specifics of what they looked at, usually for direct marketing ads and crap. DV solves the second of those at least, just as well as EV. Neither EV nor DV would hide the fact that it was my website, but both do hide the URLs and contents.

      I can also say due to the nature

  13. Re:Gee by pnutjam · · Score: 3, Insightful

    Anathema to a free web? By ensuring I'm talking to the site I tried to talk to and preventing eavesdropping?

  14. Re:Gee by Wycliffe · · Score: 2

    I'm sorry, but I absolutely cannot take them seriously when they say shit like this: "If we're going to move the entire Web to HTTPS,".

    With this stance, NO ONE should be supporting Let's Encrypt. Their philosophy is anathema to a free and open web. Enough! Let's Encrypt should be considered neutral at best, and outright harmful at worst. I'm tired of it being touted as a good thing. This madness has gone too far already.

    Google has the same stance of encrypting everything. They are even starting to penalize sites that are not encrypted. I believe the idea is that if everything is encrypted then not only does it make MITM harder, it also makes it harder to distinguish between "regular" traffic and traffic a government or organization might want to monitor/restrict. As a parent who has tried to use parental controls, it does work. It's extremely hard to censor/monitor youtube because everything is now encrypted.