Let's Encrypt enters public beta: free HTTPS certificates for everyone!


#1

[Read the post]


#2

Are these self signed certs, or issued by a trusted root with chain? if the latter then this is a game changer.


#3

They’re issued by a trusted root. The goal is to make TLS encryption so easy that it’s on by default.


#4

NSA penetration of their signing back-end in 3, 2, 1…


#5

You read the link, right?

They are in a trusted chain with a root (not theirs).


#6

I’m not too knowledgeable here, but is there any downside? If any scammer can get a certificate, can they use them to do harm?


#7

CAs may have a harder time scamming people for stupid amounts of money for trivial work?

All the certs do is allow you to encrypt communications to the server (like we’re doing right now).


#8

I thought I had. I now see that in the footer. I admit that I skimmed and got lazy… :smile:

seriously though, this is really an amazing thing!
nice to have a happy win like this for the internet.


#9

These are just certs that enable SSL on a domain. I think it may be possible someone could manage to get a certificate for someone else’s domain if they found a way to redirect the DNS for a period of time, but even then the certs don’t include ownership information so browsers (firefox, at least, haven’t tried others) may show a warning… and it would be a whole lot of work for very little payoff.


#10

What would that accomplish, though? They still wouldn’t be able to decrypt the actual traffic, only sign new certs pretending to be the CA. But the NSA already has control of plenty of CAs, so why compromise this one specifically?


#11

I skimmed it even more carelessly. What’s this about Rusted Root being involved?


#12

I have a better idea: http://cacert.org . Still not widely accepted, but it’s much further along and by joining it, you can build on an existing and substantial chain of trust.


#13

The biggest difference is that CAcert certificates are not trusted by any major browser out of the box, while those from Let’s Encrypt are.

Of course you can install the missing root certificates on your own system, but that won’t help you if you are operating a website aimed at the general public.


#14

I’m not entirely sure how CaCert is “much further along”. They’ve been trying to work towards passing an audit for years, and their most recent update a few days ago states a goal of doing it “within the next years”. Since that’s what is holding up their acceptance in browser trusts, it’s not really a minor thing.

CaCert’s a great idea, and I’d love to support them, but with the lack of browser acceptance and the hoops you have to jump through to be verified (at least, last time I checked) it’s definitely not nearly as user-friendly as Let’s Encrypt.

On the other hand, CaCert is more general-purpose than Let’s Encrypt, so I do hope they manage to get past the roadblocks they’ve been running into.


#15

So what benefit, if any, does a hugely expensive EV cert from, say, Comodo over these free certs?


#16

I haven’t read the article, but if listening to security podcasts and reading documentation and books and articles has served me any: You HAVE to self-sign the certificates (so they can’t be tampered with) and your certificate, in order for it to be acceptable to the various programs (browsers, ftp clients, SSH clients, etc) that use it, ALSO needs to be signed by a certificate authority/chain.

The very neat thing about Let’s Encrypt is that, for basic HTTPS certs, this should be all automated now and free. Yay!


#17

Well, as @albill pointed out, you get to support vampiric swindlers. That’s sexy, right?

Depending on which one you pick, they may or may not spend money on influencing elections.

Comodo’s also got the bonus feature of having been rated “F” on a scale of F to A+ by the Better Business Bureau, and being the primary provider of certs for criminal phishing operations. Even Verisign can’t beat that record!


#18

Actually, the signing cert is an intermediate cert signed by the letsencrypt root cert, and cross-signed by another CA. They did this because the letsencrypt root cert is not in a sufficient number of popular browsers (yet) to stand alone. As time passes and letsencrypt proves even more trustworthy than they have, their root cert will be trusted by default by the commonly used clients like Mozilla and Chrome and so on.


#19

Yes, I know.

Coworkers (and former ones) of mine set up Let’s Encrypt.

I guess I could have been clearer with how I said it. The effective root isn’t theirs though.


#20

Extended Validation certs (I have experience with the ones provided by Symantec) are only supposed to be signed and issued after the CA has done extra due diligence - in the case of Symantec, they check DBA and other business records, and generally require a callback to the domain owner. I guess that’s worth something - how much is up to you to decide.