mersenneforum.org > Math Stuff > Tales From the Crypt(o)

Thread: Let's Encrypt project

2016-01-20, 04:30   #1
lavalamp (Manchester, UK)

Anyone heard of the Let's Encrypt project before?

Seems like a laudable goal of (eventually) encrypting all web traffic by handing out free certificates.

Just found out about it in my web host's monthly newsletter, as they are working on incorporating it into their own web panel for ease of deployment (despite the fact that they already sell certificates for $15 / year!).
2016-01-20, 05:01   #2
lavalamp (Manchester, UK)

A few clicks and I have certificates for my domain and some sub-domains. Very nice.

https://2721.hddkillers.com/graph/
https://oeis.hddkillers.com/

I use Dreamhost for anyone wondering. I assume it would take more clicks and running some commands if you were to do this process manually.
2016-01-20, 09:02   #3
Nick (The Netherlands)

Yes, but obtaining a certificate is not about convenience but about security.

How does their protocol block the obvious attacks?
2016-01-20, 11:42   #4
lavalamp (Manchester, UK)

Quote (Originally Posted by Nick):
    Yes, but obtaining a certificate is not about convenience but about security.

Of course, but the ability to quickly acquire one (and for no cost!) will only serve to increase their use.

Quote (Originally Posted by Nick):
    How does their protocol block the obvious attacks?

What protocol? They are merely functioning as a certificate authority.

Last fiddled with by lavalamp on 2016-01-20 at 11:44
2016-01-20, 12:57   #5
Mini-Geek ("Tim Sorbera", San Antonio, TX USA)

Quote (Originally Posted by Nick):
    Yes, but obtaining a certificate is not about convenience but about security.

    How does their protocol block the obvious attacks?

https://letsencrypt.org/howitworks/technology/

To get a certificate, you have to put nonce content out at a nonce URL off the root of the site. The most obvious attack I see is that if your site allows users to put arbitrary content at an arbitrary URL (off the root, not under a /user or /wiki path), then an attacker can potentially get a Let's Encrypt cert for your site and impersonate you. I can't think of any site that would allow such an attack (the closest is something like Pastebin with their short URLs, but those are random, you can't specify the URL you want), but I'm sure they exist somewhere. I'd expect that you could get Let's Encrypt to revoke the cert when you realize you've been compromised.

Another possible attack would be if an attacker could set itself up as a man-in-the-middle on the insecure HTTP connection to your site, so that they can return the nonce at the right time.

Another attack vector has already been seen in the wild, where "ad.[legitimate domain].com" was registered by the advertisers. This has a smaller impact, though, since they can't impersonate "[legitimate domain].com" with that.

Last fiddled with by Mini-Geek on 2016-01-20 at 13:06
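The validation flow Mini-Geek describes above, modelled in Python as an added example (it is not code from the post, from Let's Encrypt, or from the ACME specification). It follows the HTTP-01 and DNS-01 challenges of RFC 8555 and the RFC 7638 account-key thumbprint: the CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP and expects the token joined to a hash of the ACME account key, which is why content an attacker can place only under /user/ or /wiki/ does not help, while arbitrary writes off the root do. The account keys, token, and the in-memory site and DNS zone are constructed placeholders, and the DNS-01 part goes beyond the post, which only discusses the HTTP challenge.

```python
"""Toy model of the ACME HTTP-01 and DNS-01 challenges (RFC 8555).

Added example, not code from the forum post, Let's Encrypt, or any ACME
client. Account keys, token and the in-memory "site"/"zone" dicts are
constructed placeholders; nothing here touches the network.
"""
import base64
import hashlib
import json

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"

# Constructed account keys: x/y are placeholders, not real curve points.
# A thumbprint needs only the public JWK members; extra members such as
# "kid" must be ignored when computing it.
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": "owner-x", "y": "owner-y",
             "kid": "https://acme.example/acct/1"}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": "attacker-x", "y": "attacker-y"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required public members
    only, keys in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the client must serve for HTTP-01: token '.' thumbprint. Binding
    the token to the account key is what stops someone who merely saw the
    token from finishing the challenge with *their* key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 publishes base64url(SHA-256(keyAuthorization)) as a TXT record
    at _acme-challenge.<domain> instead of serving a file."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(site: dict, token: str, jwk: dict) -> bool:
    """CA side of HTTP-01. `site` maps URL path -> body, standing in for a
    plain-HTTP GET of http://<domain>/.well-known/acme-challenge/<token>.
    Only that exact path is consulted, so content an attacker can place
    under /user/ or /wiki/ never reaches the validator."""
    body = site.get(ACME_PATH_PREFIX + token)
    if body is None:
        return False
    return body.rstrip() == key_authorization(token, jwk)


def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """CA side of DNS-01: expected value must be among the TXT records."""
    return dns01_txt_value(token, jwk) in zone.get(f"_acme-challenge.{domain}", [])


def scenario(domain: str = "example.com") -> dict:
    """The cases from the post, plus the DNS-01 variant."""
    # 1. Owner serves the key authorization at the well-known path.
    site = {ACME_PATH_PREFIX + TOKEN: key_authorization(TOKEN, OWNER_JWK) + "\n"}
    owner_http01 = validate_http01(site, TOKEN, OWNER_JWK)

    # 2. Attacker can only write under /user/: the CA never fetches there.
    site_user = {"/user/" + TOKEN: key_authorization(TOKEN, ATTACKER_JWK)}
    attacker_under_user_path = validate_http01(site_user, TOKEN, ATTACKER_JWK)

    # 3. Site lets users write any path off the root, including the
    #    well-known one: the CA cannot tell attacker from owner.
    site_open = {ACME_PATH_PREFIX + TOKEN: key_authorization(TOKEN, ATTACKER_JWK)}
    attacker_arbitrary_root_path = validate_http01(site_open, TOKEN, ATTACKER_JWK)

    # 4. DNS-01 with the owner's TXT record: only the owner's key matches.
    zone = {f"_acme-challenge.{domain}": [dns01_txt_value(TOKEN, OWNER_JWK)]}
    owner_dns01 = validate_dns01(zone, domain, TOKEN, OWNER_JWK)
    attacker_dns01 = validate_dns01(zone, domain, TOKEN, ATTACKER_JWK)

    return {
        "owner_http01": owner_http01,
        "attacker_under_user_path": attacker_under_user_path,
        "attacker_arbitrary_root_path": attacker_arbitrary_root_path,
        "owner_dns01": owner_dns01,
        "attacker_dns01": attacker_dns01,
    }


if __name__ == "__main__":
    for case, passed in scenario().items():
        print(f"{case:30s} validated={passed}")
```

Running it prints one line per case; the third case is the compromise the post worries about. The model also shows why knowing the token alone is not enough: the thumbprint of the requesting account key is folded into what must be published, so a bystander who saw the token cannot complete the challenge for their own account, and an attacker who does pass needs real write access to the exact path (or zone) the CA checks.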
2016-01-20, 13:53   #6
retina ("The unspeakable one", My evil lair)

If it is free (for the user) then who is actually paying for it? Is this a loss leader? Do they intend to get you hooked then charge you later to renew or something?

Last fiddled with by retina on 2016-01-20 at 13:53
2016-01-20, 14:59   #7
lavalamp (Manchester, UK)

Check the sponsors page for who is footing the bill.
https://letsencrypt.org/sponsors/

While they don't disclose exactly how much sponsors have donated, there are minimums for each level listed here:
https://letsencrypt.org/become-a-sponsor/
2016-01-20, 15:10   #8
Nick (The Netherlands)

Apparently, it is an implementation of the ACME protocol in this IETF draft:
https://ietf-wg-acme.github.io/acme/

My initial impression is that the traditional protection offered to clients by TLS/SSL against hacking at the level of DNS and Internet routing would seem to be reduced for the convenience of the system administrators of the servers.
I hope someone proves me wrong!

Last fiddled with by Nick on 2016-01-20 at 15:14 Reason: Link updated
2016-01-20, 15:21   #9
CRGreathouse

Quote (Originally Posted by retina):
    If it is free (for the user) then who is actually paying for it?

It's a nonprofit organization receiving over $2M in annual funding (just from looking at the sponsor page).

Edit: Lavalamp beat me to it, I missed that.

Last fiddled with by CRGreathouse on 2016-01-20 at 15:36
2016-01-20, 18:02   #10
Nick (The Netherlands)

In the early years of SSL, Certification Authorities took their due diligence very seriously. You had to talk with them on the telephone and prove the legal existence of your organisation (amongst other things) before they would issue a certificate.

And we took our checks on them seriously, too, for example with The Global Internet Trust Register as a (printed) book:
http://bookshop.blackwell.co.uk/jsp/.../9780262511056

I have just been told that many CAs now do all their authentication checks only via the Internet. In that case, the checks done by anyone implementing ACME are not so different from what the others do (and certificates in general are correspondingly less trustworthy in my opinion...)

Last fiddled with by Nick on 2016-01-20 at 18:04 Reason: Clarification
2016-01-26, 17:43   #11
Madpoo

Quote (Originally Posted by Nick):
    In the early years of SSL, Certification Authorities took their due diligence very seriously. You had to talk with them on the telephone and prove the legal existence of your organisation (amongst other things) before they would issue a certificate.

    And we took our checks on them seriously, too, for example with The Global Internet Trust Register as a (printed) book:
    http://bookshop.blackwell.co.uk/jsp/.../9780262511056

    I have just been told that many CAs now do all their authentication checks only via the Internet. In that case, the checks done by anyone implementing ACME are not so different from what the others do (and certificates in general are correspondingly less trustworthy in my opinion...)

I signed up for the Let's Encrypt beta program at some point last year. It's a pretty decent effort.

All it is is a free SSL CA. It took time to get their signing certs tied into the chains that exist in all browsers and OS's, mostly because any CA wishing to do that has to undergo some rigorous examinations to make sure they're secure, to the point where their own original root CA is physically disconnected from anything and locked away securely.

In terms of the security level, it comes down to the level of effort the CA puts into verification.

Back in the day when I worked at a place that actually needed SSL (accepted credit cards online), we went all in and purchased annual certs that were nearly thousands of USD per year, but they verify we are who we say we are. Although it mostly came down to sending certified letters on corporate letterhead, signed by a recognized officer of the company.

Cheaper certs will simply email the address listed in the DNS record for that domain.

It wasn't until later when browsers actually differentiated the level of authentication by showing different lock icons in the address bar. But that's basically what those mean... just how much effort they put into the validation.

Let's Encrypt does the basic DNS verification... nothing more. It's good enough, and it's low cost to them.

As for why these companies would sponsor it in the first place, the big investors like Akamai and Google (erm, Alphabet) have been pushing SSL for years. Google also has their big thing about making the web faster, and SPDY / HTTP 2 require SSL so providing free basic certs goes along with that.

Personally I think they only required SSL for those protocols because of their desire to encrypt everything anyway... there's no real reason they need to be encrypted to work, and in fact you can test them without SSL but browsers don't allow that by default. Oh well.

If you still want a cert with higher validation you can still pay for it.

There have been other free CAs previously (and still are) but I was never impressed with any of them, and some of them had somewhat shaky cert chains that weren't broadly supported. So I'm kind of happy that some big players are doing this...

In the end I suspect it will still probably be the mom and pop websites that don't really *need* SSL but can get one for free now, so they might as well. "mersenne.org" would be a prime candidate (honestly, no pun intended there) because any website that accepts logins should not be doing so in plaintext.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.