date 2017-07-22
Let's Encrypt Criticized Over Speedy HTTPS Certifications (threatpost.com)
100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...
Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet; rather, its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... "The reason people treat us like a punching bag is that we are big and we are transparent."
The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption.'"
Strawman criticism
The fact that Chrome and FF use their own cert stores and update them unilaterally without the user ever knowing is absurd.
The browser should use the cert store on the OS. And the OS should update the certs. (And when MS updates certs, it should optionally present detailed info to the user about changes.)
The entire concept of CAs is built around trust in an environment where none of the actors and powers that be are trustworthy.
My boss recently got an ESL certificate from a reputable tier-1 vendor. The validation was a complete joke: A guy with bad English asked him some questions over the phone that anybody could have found the answers to with a bit of work. The only security in place for ESL certs is that they are not that cheap, but that does not help against a targeted attack, because they are not really expensive either.
The bottom line is that certificates weakly ensure one thing: you are still talking to the same site on the next visit. They also ensure that small-time criminals will find it somewhat difficult to eavesdrop. And that is about it. In many cases, self-signed certificates will be more secure than that. The whole certificate system is a bad joke, created by the utterly incompetent with too much trust and then corrupted by state-sponsored malicious actors. Incidentally, this is not a surprise. Basically everything that is broken with the system now was predicted by perceptive people decades ago.
Well of course ESL resulted in bad English
"We're mad because Let's Encrypt makes it way too easy for the plebs to get a certificate without paying hundreds or thousands of dollars per year to a CA."
Now I'm going to her and have to explain that, no, things have changed: if you see a green padlock, it no longer means someone at least had to fax some registration papers and pay a few bucks so he's traceable. I can already see the conversation going:
- So you're saying that the green bar no longer means the website is ok?
- Yes. Now it has to be a green padlock and the name of the organization, and you have to check it with a magnifying glass because it's very easy to mistake l with I. See, Mom, there's a difference between AlliorBank and AIIiorBank. Do you see it? Do you?
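The l-versus-I confusion this comment describes is exactly what a lookalike-domain check on a mail gateway or in phishing triage looks for. The following is an added example, not code from the thread: it collapses visually confusable characters into a "skeleton" and compares a hostname against a constructed list of trusted domains (the confusables table, the trusted list and the last-two-labels rule are all assumptions of this demo).

```python
# Added example (not from the Slashdot thread): flag hostnames whose letters
# are visually confusable with a trusted domain, e.g. lowercase "l" vs "I".
# Everything below (confusables table, trusted list, samples) is constructed.

# Map visually similar characters or digraphs to one canonical form.
CONFUSABLES = {
    "i": "l", "1": "l", "|": "l",   # I/i, the digit one and a pipe resemble "l"
    "0": "o",                        # zero resembles the letter o
    "rn": "m", "vv": "w",            # digraphs that resemble a single letter
}

TRUSTED_DOMAINS = ["alliorbank.example", "paypal.example"]  # constructed list

def skeleton(name: str) -> str:
    """Lower-case a name and collapse confusable characters."""
    s = name.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def registrable(hostname: str) -> str:
    # Assumption: the registrable domain is the last two labels. A real
    # deployment would consult the public suffix list (co.uk etc.).
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def lookalike_of(hostname: str):
    """Return the trusted domain this hostname imitates, or None."""
    reg = registrable(hostname)
    if reg in TRUSTED_DOMAINS:
        return None                      # the genuine domain, nothing to flag
    sk = skeleton(reg)
    labels = hostname.lower().split(".")
    for trusted in TRUSTED_DOMAINS:
        if skeleton(trusted) == sk:      # whole registrable domain looks alike
            return trusted
        brand = skeleton(trusted.split(".")[0])
        # Brand name buried in a subdomain of some other registrable domain.
        if any(skeleton(lab) == brand for lab in labels[:-2]):
            return trusted
    return None

if __name__ == "__main__":
    for host in ["AIIiorBank.example", "alliorbank.example",
                 "paypa1.example", "alliorbank.example.attacker.example"]:
        print(host, "->", lookalike_of(host))
```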
I think a lot of these phishing problems are caused by people blindly following email links from "their bank" and not learning how to directly browse to a website (instead trusting Google to give them the valid link by searching for their bank's name). There's a pretty easy solution to this: make a bookmark of the correct site and only use this bookmark to access the bank's site. Will that stop a DNS-based attack? No. But it will be effective against a large percentage of what causes people to enter their credentials on the wrong site.
Exactly. I taught my Dad to actually go to the bank web site and never trust links in email, etc. Then you can look for the green lock symbol.
I've spent the better part of a day explaining to my Mom how to distinguish a safe website from an unsafe one. You look at the Green Bar / Lock. Is it green? You are good to give them your name and CC details.
Now I'm going to her and have to explain that, no, things have changed
No, nothing has changed about what that green bar means: encrypted connection. You pushed a false idea onto your mother, an idea that companies planted and you blindly accepted.
And I'd maybe even agree with you if not for the fact that it says 'Secured' right there when I click that green lock. Not 'Encrypted'; 'Secured'.
All I want is to have encrypted connections. Why do I have to pay a shit-ton of money for connections to my server to be properly encrypted and not be treated like a criminal by browsers? Let's Encrypt does this. Yes, they're not verified very well; neither are standard SSL certificates (I know; I bought some with pretty much zero verification).
One big reason for the volume of certificate issuance is that LetsEncrypt forces you to update your certificates at least once every 90 days. This means that the number of certificates issued is guaranteed to be at least 4x the number that would be issued by a traditional CA, and realistically, more like 12x or even 20x.
So yes, they should be criticized, but they should be criticized for the ridiculously short certificate expiration times that result in them issuing so many certificates each day, not for
That's not entirely true. Other CAs require the owner of the domain to confirm the validity of the request via email. The 90-day renewal period makes that approach more difficult, because nobody would be willing to go through that headache every 90 days. Instead, Let's Encrypt just checks to see if you've managed to convince the registrar or the DNS server to point the domain name at your server. So while they might not choose to do more validation even if there were longer validation periods, they woul
That silly policy decision inherently limits the amount of verification that they can do, so even if they wanted to do more, they can't.
How? They are domain-verified certs that are issued by an automated process. How does changing their expiration date change anything?
Either you encourage encryption everywhere and make it easy to get a cert, or you stop nagging people every time they go to a plain http site and say http is just fine.
Pick one.
HTTPS is meant to ensure that your communications are secure. It can help protect you from hitting a site that isn't what it claims to be.
But issuing certs is not some magical means of "vetting" ANYTHING. The very idea is absurd. Anybody should be able to buy and get signed a cert for a site they own. It isn't anybody's job to ask
Calling BS on this. There is nothing inherently wrong with issuing certs. Regardless of who issues those certs, they can only be used to create secure, identified connections between a user and a server.
They definitely do not facilitate criminality any more than Apache2 does. This is just pure silliness. There's nothing wrong here. Bad guys can get certs from other sources just as easily as anyone else. They can get them from Let's Encrypt, too. So can everyone else. A certificate doesn't facilitate illegal activity. It's just for a secure connection.
Something tells me there's more to this than simply crying wolf about bad guys getting certs easily. Someone obviously would prefer that web hosts, big and small, don't get cheap (or free) certs to secure their connections from prying eyes.
While the justification might be 'bad guys are abusing this,' I'm still calling BS. Someone (or some *cough* three letter agency) is annoyed that people can easily secure their servers.
I'd go as far as to say, Let's Encrypt is having precisely the effect it sought to have. More secure connections on all HTTP traffic across the web. Anyone can TLS up their servers now with very little effort. Good job, Let's Encrypt, you're having a profound and ultimately awesome effect on the web's privacy and shielding from prying eyes. And that effect is a good one, especially when people are crying 'omg it's too easy to get certs now!' Good. Nothing like a very secure connection to give the middle finger to three letter agencies.
The problem here has nothing to do with encryption and everything to do with the fact that companies have pushed the idea that if a connection is encrypted, the site is legitimate. The only thing that encryption does is ensure your connection cannot be spied on. The idea that encryption should be reserved for certain people is patently absurd.
Stop telling people that encryption equates to legitimacy and the problem is resolved.
Let's Encrypt verifies ownership of the domain. If you see the secured indicator in the browser, it's a guarantee that you're actually talking to the server of the people who own that domain. So, if people watch out for the right domain as well as the secured indicator, it provides additional safety. So, people need to know the domains of critical sites they might use, and look carefully at that domain name. This is true as well if there were no TLS being used. TLS provides additional guarantees you really are
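What "verifies ownership of the domain" means in practice, for this comment and for the earlier one about convincing DNS to point the name at your server, is the ACME http-01 challenge (RFC 8555 section 8.3): the CA asks the applicant to publish a token bound to the account key under http://<domain>/.well-known/acme-challenge/ and then fetches it. The block below is an added example, not Let's Encrypt's or the thread's code; the account key, token and in-memory "web root" are constructed stand-ins, and the `fetch` callback replaces a real HTTP GET.

```python
# Added example (not Let's Encrypt's code): the http-01 domain-control check.
# Passing it proves control of the hostname, and nothing about who the
# applicant is, which is the whole point of "domain validated".
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public JWK members,
    serialized with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Applicant side: the value that must be served for the challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def validate_http01(domain: str, token: str, jwk: dict, fetch) -> bool:
    """CA side: fetch the challenge URL over plain HTTP and compare the body
    with the expected key authorization. `fetch(url)` returns the body or
    None; here it is a dict lookup standing in for an HTTP GET."""
    body = fetch(challenge_url(domain, token))
    return body is not None and body.strip() == key_authorization(token, jwk)

# Constructed account key (public part; real keys carry base64url coordinates).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"}
TOKEN = "constructed-token-0123456789"          # CA-chosen random token
WEB = {}                                         # simulated web root

def publish(domain: str, token: str, jwk: dict) -> None:
    """Applicant publishes the key authorization on the server for `domain`."""
    WEB[challenge_url(domain, token)] = key_authorization(token, jwk)

publish("alliorbank.example", TOKEN, ACCOUNT_JWK)

if __name__ == "__main__":
    print("owner passes:", validate_http01("alliorbank.example", TOKEN, ACCOUNT_JWK, WEB.get))
    print("lookalike fails:", validate_http01("aiiiorbank.example", TOKEN, ACCOUNT_JWK, WEB.get))
```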