Starting Today, Google Chrome Will Show Warnings for Non-Logged SSL Certificates (bleepingcomputer.com)
Date: 2018-05-01
Starting today, Google Chrome will show a full-page warning whenever users access an HTTPS website that uses an SSL certificate that has not been logged in a public Certificate Transparency (CT) log. From a report: By doing so, Chrome becomes the first browser to implement support for the Certificate Transparency Log Policy. Other browser makers have also agreed to support this mechanism in the future, although they have not provided further details. This new policy was first proposed by Google engineers in 2016 and was scheduled to take effect in October 2017, but was later delayed to 2018.
So how is this going to be implemented? Every SSL cert is going to be sent to Google for "verification" or is the CT log going to be local and the browser will just search it every time?
Also, what about locally signed certificates, using a corporate or Intranet CA, that are installed on all computers that might use those certs?
That was, at one point, considered a best practice, but I assume this'll break that.
No, we need warnings for certificates that aren't trusted. Otherwise SSL does nothing to prevent man-in-the-middle attacks.
What would be ideal is to support secure DNS with certificates in the DNS. Then you know you have the right certificate and don't need any certificate authorities at all. Of course, you have to trust the secure DNS, so it's just pushing the trust problem down the road.
No, we need warnings for certificates that aren't trusted. Otherwise SSL does nothing to prevent man-in-the-middle attacks.
But without a fully qualified domain name, CAs shall not issue a trusted certificate. So we also need a reliable way to provide trustable names for devices on a non-technical user's home network that have a web-based administration interface, such as a modem, router, printer, or NAS.
What would be ideal is to support secure DNS with certificates in the DNS.
I agree that DANE would be ideal. But DANE relies on DNSSEC, which has faced practical problems that hinder adoption. Before about a year and a half ago, DNSSEC's root zone key was too short (1024 bit RSA) for browsers to accept
Besides, how is a global root CA supposed to verify the connection to a device on a non-routable IP/Subnet?
Why do home devices need to have trusted SSL certs?
Because Service Workers and several other web platform APIs are restricted to secure contexts [mozilla.org] per W3C's spec [github.io]. For example, a browser may restrict the Fullscreen API or Presentation API to secure contexts as a mitigation against phishing by replicating the chrome of the operating system and web browser [feross.org]. In such a browser, the web interface of a NAS on which video is stored will not be able to present the video in the full screen.
You don't understand what the certificate is for. It is not about the half page of data. It is about whether the Corporation ABC LTD that is asking for a certificate is really Corporation ABC. This is because ultimately on the browser side you only see a mapping between a certificate and a domain name. But the CAs are separate from domain registries, and while domain registries guarantee uniqueness of the domain name, the CAs do not guarantee uniqueness of a certificate.
With Let's Decrypt any compromise of DNS regis
IMO all certificates should be EV in the current internet if we want security.
I thought EV certificates were available only to corporations or LLCs, not to individuals. If someone puts up a site to show her personal portfolio, would you prefer to require her to incorporate first?
But the current situation - Let's decrypt being able to issue a DV for any EV issued domain, is completely wrong.
That's what certificate authority authorization (CAA) records [wikipedia.org] are for. If a domain owner publishes a CAA record that doesn't include Let's Encrypt, Let's Encrypt will not issue a certificate for that domain.
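For reference, this is the issuance decision a CA makes against CAA records (RFC 8659), written as an added example that is not part of this thread: the DNS lookups are replaced by a constructed in-memory zone, and the CA identifiers used (letsencrypt.org, digicert.com) are only illustrative values in that zone.

```python
# Constructed zone data standing in for real DNS answers: name -> CAA RRset,
# each record as (flags, tag, value). Names are absolute (trailing dot).
ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.com")],
    # "issue ;" with an empty issuer means no CA at all may issue.
    "locked.example.com.": [(0, "issue", ";")],
    # issuewild takes precedence over issue for wildcard names only.
    "shop.example.com.": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                          (0, "issuewild", "digicert.com")],
}

def caa_rrset(fqdn):
    """Return the first CAA RRset found walking from fqdn toward the root."""
    name = fqdn.rstrip(".") + "."
    while name:                       # "www.example.com." -> "example.com." -> "com." -> ""
        if name in ZONE:
            return list(ZONE[name])
        name = name.split(".", 1)[1]
    return []                         # no CAA anywhere in the chain

def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, fqdn):
    """True if CA `ca` is permitted to issue for `fqdn` (may be a '*.' wildcard)."""
    wildcard = fqdn.startswith("*.")
    rrset = caa_rrset(fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True                   # absence of CAA permits any CA
    # An unrecognised property flagged critical (0x80) forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                   # CAA present but no issuance restriction
    return any(issuer_domain(v) == ca.lower() for v in relevant)
```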
This ^^^ so much this!
LetsEncrypt is literally the worst thing to happen to Security on the internet. It's theater and it's dangerous.
Self-signed certs don't block first-visit MITM (Score:2)
We should allow free self signed certificates with no warnings. I should not have to link myself up to some 3rd party of any kind to operate my website.
Under your proposal, what distinguishes the self-signed certificate that you generated for your domain from the self-signed certificate that the operator of an intercepting proxy (a "man in the middle") generated for your domain, particularly on a client's first visit?
Just to get a ballpark figure to guide further discussion of your opinion on Let's Encrypt: How much do you think someone ought to have to pay per year in order to host a personal portfolio site?
Like a standard cert from someone else requires anything beyond rudimentary photochop skills?
Pinning would do a LOT more for security than the CAs ever have, but since that doesn't present any exciting new business opportunities, it remains unimplemented.
In answer to your subject, from https://letsencrypt.org/certif... [letsencrypt.org]:
So LetsEncrypt certs will work fine with Chrome.
Let's Encrypt certificates are issued under an intermediate that has always been cross-signed by IdenTrust, an older and more established CA.
While most SSL certificates are nothing but a 1/2 page file of random text they can cost upwards of $600. I've been utilizing LetsEncrypt because...honestly I'm too dumb to understand the difference between a DV certificate and an EV certificate, and I believe that certificates should be priced according to the number of bytes in a text file because I don't even know how to computer.
FTFY. Was I right? I got it right didn't I.
By the way, Lets Encrypt rose out of the idea of automating checks, not out of the ashes of stupidity. That is user stupidity, or rather stupidity of people like you.
If they did care about the end user's security, they wouldn't make stupid changes like not trusting end-user / admin installed CA certs by default.
Chrome opts in through its network security config file [googlesource.com], and Firefox has its own TLS engine. So this affects mostly native apps that use Android's TLS engine.
Since when does removing / forbidding the user's input on trust somehow boost their security?!?!?
Malware has in the past added certificates as a means of intercepting apps' traffic. So have governments.
This seems more and more like an effort to compel website owner/operators to buy into the SSL certificate scheme.
Revenue.
Let's Encrypt supports Certificate Transparency (Score:5, Informative)
All websites with a fully qualified domain name qualify for a domain-validated certificate without charge from Let's Encrypt. Every certificate that Let's Encrypt issues is logged in CT.
Anonymous Coward wrote:
Which is exactly why let's encrypt should have their trust revoked. Such lax policies mean even illegitimate sites can get certificates, just look up all the paypal scammers using let's encrypt to show up as trusted.
By the same reasoning:
Which is exactly why domain name registrars should have their trust revoked. Such lax policies mean even illegitimate sites can get certificates, just look up all the paypal scammers using domain names to show up as trusted.
If a CA is not verifying identity then what use is their certificate?
Does Let's Encrypt verify identity? I can't find anything on their site about it.
Let's Encrypt is a domain-validating certificate authority, which issues domain-validated certificates. Every such CA verifies that the person requesting a certificate is the same person who controls the domain's DNS. What other sort of "identity" did you have in mind?
If a CA is not verifying identity then what use is their certificate?
If a domain registrar is not verifying identity then what use is their domain?
Let's Encrypt doesn't issue EV certificates, so no, they don't verify real-world identity. They verify control of the domain name, just like everyone else issuing non-EV certificates. (Put another way, for DV certificates the domain is the identity.) The distinction between DV and EV certificates long predates Let's Encrypt, and their policies regarding domain validation are no more lax than most CAs'. Stricter, actually, since with LE you have to prove that you still control the domain at least once every
If a CA is not verifying identity then what use is their certificate?
It allows your connection to the web site to be encrypted, preventing ISPs and other nefarious agents from spying on you to a limited extent.
Does Let's Encrypt verify identity? I can't find anything on their site about it.
If a CA is not verifying identity then what use is their certificate?
What identity are you trying to verify? The identity of the machine in question? That's called Domain Validation, and yes, Lets Encrypt does that by requiring that you prove that the certificate being issued for domain x is actually for domain x by showing that the machine actually is in charge of domain x by changing something on domain x during the issuing process.
If you're asking about the identity of the owner of the machine, well that's an Extended Validation certificate and Lets Encrypt doesn't issue t
internal apps / ipmi / other things that are no on (Score:2)
internal apps / ipmi / other things that are not online don't need real certs, much less running LetsEncrypt with ports open so that it runs.
What doesn't make sense is [appliances on LANs] using https with default certificates just to tick off the "it's secure" checkbox.
That's partly a reaction to browser implementation of Secure Contexts [pineight.com], a W3C spec that reserves certain web APIs for HTTPS sites.
A lot of people, including myself, use LetsEncrypt on a CPanel based hosting account to generate certs for a website.
Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.
Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.
A lot of people, including myself, use LetsEncrypt on a CPanel based hosting account to generate certs for a website.
Are those local, self-signed certificates or something that is registered somewhere?
You could answer that question with five seconds on a search engine. Google Search for let's encrypt certificate transparency produces, as its first result, a document [letsencrypt.org] stating the following: "We submit all certificates to Certificate Transparency logs as we issue them."
A lot of people, including myself, use LetsEncrypt on a CPanel based hosting account to generate certs for a website.
Are those local, self-signed certificates or something that is registered somewhere? I'd never really paid attention since it just worked and was one less thing to deal with.
Since it's not retroactive there is no problem now, but wondering what will happen when I generate new certs going forward.
In this context certificates perform two functions. 1) They provide a key pair which can be used to encrypt the connection, and 2) They provide a way to have confidence that the person / company on the other end of the network is who they say they are. Any certificate (a free self signed or Let's Encrypt certificate, or an expensive certificate from a commercial CA) can be safely used for just encryption. However if you care about validating who is on the other end self-signed certs are worthless, Let's Enc