Why Let’s Encrypt is a really, really, really bad idea…

Dashrender

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Are you saying to spend money just because you can?

Curtis

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Are you saying to spend money just because you can?

I’ll PM you my address @Emad-R - feel free to send as much money as you would like

stacksofplates

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

Emad R

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

DustinB3403

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

So do you use any free and open source software, if so and you're making money you had better stop now and start paying someone for some software so you can make less money.

Dashrender

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.

The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.

DustinB3403

Security through obscurity is the same as Security at Airports. It's Security Theater it's a means of trying to put on a show of security without actual security to deter people from attacking your site/airport/whatever.

I'd much rather have a cert renew on demand for free or every few days for free than to wait 2-5 years before going to check if a new cert is required.

Obsolesce

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.

The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.

The crl is checked immediately by the browser, and will let you know the cert is revoked. I think most web browsers will make you do a manual step to bypass that to browse a website using a revoked ssl cert, if at all.

DustinB3403

@Obsolesce Yeah, which it's then onto the user who says "whelp I know this website is doing something differently, so let's just click ignore and continue".

At least with an automated cert renewal/replacement system like LE, the entire process should never get to the point where a user has to jump through these hoops.

Dashrender

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.

The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.

The crl is checked immediately by the browser, and will let you know the cert is revoked. I think most web browsers will make you do a manual step to bypass that to browse a website using a revoked ssl cert, if at all.

Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.

And of course, this only matters once you know your key has been stolen and it's then revoked. I just heard this morning that NASA discovered an APT inside their network that's been there over a year. Now sure - NASA, a government agency, so we can't likely consider them to have good security, but still. The Bleachwood hotel chain had an APT for like 5 years (don't recall exact amount of time), etc, etc.. so the chances of finding an APT that stole your key seems less like a certainty.

Obsolesce

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.

If the crl cannot be reached, the cert is not trusted and basically the same thing.

Dashrender

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.

If the crl cannot be reached, the cert is not trusted and basically the same thing.

No, that's definitely not true. as I said - most, if not all browsers - fail open in the case where they can't reach the crl.

https://scotthelme.co.uk/certificate-revocation-google-chrome/

Obsolesce

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.

If the crl cannot be reached, the cert is not trusted and basically the same thing.

No, that's definitely not true. as I said - most, if not all browsers - fail open in the case where they can't reach the crl.

https://scotthelme.co.uk/certificate-revocation-google-chrome/

Chrome will instead rely on its automatic update mechanism to maintain a list of certificates that have been revoked for security reasons. Langley called on certificate authorities to provide a list of revoked certificates that Google bots can automatically fetch. The time frame for the Chrome changes to go into effect are "on the order of months," a Google spokesman said.

Same thing but different. Google Chrome will be Google Chrome.

stacksofplates

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

No that won't increase security. The security here is that the data is encrypted. Even self signed certs are secure from the fact that they encrypt the data. People conflate the encryption with the validation that the site is owned by who they think it should be owned by. The only purpose of the cert is to show the data is encrypted and there is no one between you and the other end.

Another issue with non LE certs are the lifetime. If someone gets access to your key, there's at least a year until the new key is created. LE can be as new as you want automatically.

stacksofplates

So I finally read this trash. How is this goon a CISSP? The CA doesn't have access to the private key on your server. That's not how CAs work. So if someone "steals the CAs key" they can't just MITM your traffic with an existing key. It's amazing that this was even published....

Obsolesce

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

So I finally read this trash. How is this goon a CISSP? The CA doesn't have access to the private key on your server. That's not how CAs work. So if someone "steals the CAs key" they can't just MITM your traffic with an existing key. It's amazing that this was even published....

Regardless of the context,
If someone steals the CAs key, they can impersonate the CA. Then at that point... well I'm sure you know what's next.

travisdh1

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

So I finally read this trash. How is this goon a CISSP? The CA doesn't have access to the private key on your server. That's not how CAs work. So if someone "steals the CAs key" they can't just MITM your traffic with an existing key. It's amazing that this was even published....

Regardless of the context,
If someone steals the CAs key, they can impersonate the CA. Then at that point... well I'm sure you know what's next.

I'd argue that LetsEncrypt does a better job of protecting against this sort of thing. Their certs being valid for only 3 months could limit the amount of time nefarious types have to be bad. The paid certs have 2-3 years, and the revocation system is notoriously broken.

scottalanmiller

@travisdh1 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

So I finally read this trash. How is this goon a CISSP? The CA doesn't have access to the private key on your server. That's not how CAs work. So if someone "steals the CAs key" they can't just MITM your traffic with an existing key. It's amazing that this was even published....

Regardless of the context,
If someone steals the CAs key, they can impersonate the CA. Then at that point... well I'm sure you know what's next.

I'd argue that LetsEncrypt does a better job of protecting against this sort of thing. Their certs being valid for only 3 months could limit the amount of time nefarious types have to be bad. The paid certs have 2-3 years, and the revocation system is notoriously broken.

And I truest the EFF 1000x more than most CAs.

JaredBusch

@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:

@travisdh1 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

So I finally read this trash. How is this goon a CISSP? The CA doesn't have access to the private key on your server. That's not how CAs work. So if someone "steals the CAs key" they can't just MITM your traffic with an existing key. It's amazing that this was even published....

Regardless of the context,
If someone steals the CAs key, they can impersonate the CA. Then at that point... well I'm sure you know what's next.

I'd argue that LetsEncrypt does a better job of protecting against this sort of thing. Their certs being valid for only 3 months could limit the amount of time nefarious types have to be bad. The paid certs have 2-3 years, and the revocation system is notoriously broken.

And I truest the EFF 1000x more than most CAs.

It is not the EFF. The EFF is one of a few major supporters of the organization the runs LE.

wirestyle22

I'd think the other CA's would want to create a lot of negative propaganda about let's encrypt. Seems like this is possibly the start of that