Let's Encrypt Is Now Officially Trusted by All Major Root Certificates (bleepingcomputer.com)
Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, this was done through intermediate certificates that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.
Re:Gee (Score:5, Insightful)
Automate.
Cert updates should be automated anyhow; I can't count how many times I've seen corporate sites have certs expire because someone couldn't or didn't update the cert because it was a manual process...
Re:Gee (Score:5, Informative)
The relatively short length is intentional: https://letsencrypt.org/2015/1... [letsencrypt.org]
It's long enough so that you *can* manually update but short enough that it's a hassle to encourage people to automate.
Re: (Score:1)
I think it increases security, credibility. Remember that those certificates are intended to provide both.
With a positive response required to keep the certificate up, it means someone in charge of the certificate is actively maintaining a system, and the required chain of credentials to make it all happen is being processed (even if automated).
It means things are more likely to be legitimate, and the useful lifetime of hijacked credentials is much shorter.
Re: (Score:2)
Most automatic renewal options attempt renewal in advance of the expiration, so there's time to get notified and resolve any issues before the current cert expires.
Re: (Score:1)
With this stance, NO ONE should be supporting Let's Encrypt. Their philosophy is anathema to a free and open web. Enough! Let's Encrypt should be considered neutral at best, and outright harmful at worst. I'm tired of it being touted as a good thing. This madness has gone too far already.
Re:Gee (Score:4, Insightful)
Re: (Score:3)
I'm sorry, but I absolutely cannot take them seriously when they say shit like this: "If we're going to move the entire Web to HTTPS, ".
With this stance, NO ONE should be supporting Let's Encrypt. Their philosophy is anathema to a free and open web. Enough! Let's Encrypt should be considered neutral at best, and outright harmful at worst. I'm tired of it being touted as a good thing. This madness has gone too far already.
Google has the same stance of encrypting everything. They are even starting to penalize sites that are not encrypted. I believe the idea is that if everything is encrypted then not only does it make MITM harder, it also makes it harder to distinguish between "regular" traffic and traffic a government or organization might want to monitor/restrict. As a parent who has tried to use parental controls, it does work. It's extremely hard to censor/monitor youtube because everything is now encrypted.
Re: (Score:2)
Then install an offloading proxy on the machine you want to monitor and its certificate in the browser used. It ain't hard to break ssl encryption, provided you control one endpoint...
Re: (Score:2)
You might want to elaborate on that, it's not as obvious as you think it is.
At least to me, it ain't.
Re: (Score:2)
It's Google's fault for trying to strong-arm HTTPS-only.
It's not even only Google. Mozilla is on the same track of deprecating cleartext HTTP, according to its HTTPS FAQ [mozilla.org] from May 2015.
Re: (Score:3, Insightful)
If you can't figure out how to set cron to execute a command every 3 months then you really shouldn't be even remotely in charge of something as important as the encryption on your server.
Re: (Score:2)
That'd be fine if all major domain registrars offered a way to let a cron job update your domain's TXT records. I'm under the impression that many do not. Many dynamic DNS providers don't support TXT records at all.
Re: (Score:1)
All of that would be a real problem if Let's Encrypt depended on the TXT record. It does not.
Re: (Score:2)
Let's Encrypt depends on the TXT record for the dns-01 challenge. It does not for the http-01 challenge; it instead depends on having a public-facing web server as opposed to one behind the firewall.
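What the two challenges actually ask of the server, as an added example that is not code from the post, from certbot, or from Let's Encrypt. It derives the key authorization, the http-01 response body and the dns-01 TXT value the way RFC 8555 describes, and includes the CA-side comparison for each. The account key is a constructed placeholder (its modulus is far too short to be a real RSA key), the token is a constructed sample in the shape the CA sends, and example.com is assumed.

```python
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample inputs, not taken from the post. The JWK stands in for the
# ACME account key; its modulus is a short placeholder so the example stays
# readable, not a usable RSA key. Extra members such as "kid" are allowed in a
# JWK and must not affect the thumbprint.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXch3b9pW5TlHtL0GzXn8X5HdsFnu5WGz0Z8eN5Yd6bJm4XwYFVDt8Q0kN0bYlVd1UyZ5Dn2pQ",
    "kid": "https://acme.example/acct/42",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed challenge token
DOMAIN = "example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically ordered names and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 s.8.1: binds the CA's token to the account key that requested it."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """http-01: the CA does an HTTP GET to port 80 of the name being validated,
    so the host (or something in front of it) must be reachable from the CA.
    Returns (url the CA fetches, body it must find there)."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}",
            key_authorization(token, jwk))


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """dns-01: the CA looks up a TXT record instead, so no inbound connection
    is needed, but something has to be able to write the zone.
    Returns (record name, TXT value)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_http01(served_body: str, token: str, jwk: Dict[str, str]) -> bool:
    """CA side of http-01. RFC 8555 says trailing whitespace after the body is
    ignored, which is why a web server adding a newline still passes."""
    return served_body.rstrip() == key_authorization(token, jwk)


def validate_dns01(txt_values: List[str], domain: str, token: str,
                   jwk: Dict[str, str]) -> bool:
    """CA side of dns-01: the name may hold several TXT records (other pending
    orders, other CAs), and any one matching value satisfies the challenge."""
    _, expected = dns01_record(domain, token, jwk)
    return expected in txt_values


if __name__ == "__main__":
    url, body = http01_response(DOMAIN, TOKEN, ACCOUNT_JWK)
    print("http-01:", url, "->", body)
    print("dns-01: ", *dns01_record(DOMAIN, TOKEN, ACCOUNT_JWK))
```

The practical difference the thread is circling: http-01 needs the CA to reach port 80 on the validated name, and nothing else; dns-01 needs write access to the zone, which is exactly what many registrars and dynamic DNS providers do not expose to a script. Both responses are derived purely from the token and the account key, so a renewal hook can be generated ahead of time and pushed to whatever host or zone actually answers.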
Re: (Score:2)
Thanks for posting your process. But do dynamic DNS providers even allow NS records?
Re: (Score:2)
You shouldn't be in charge of an internet facing machine altogether...
Re: (Score:2)
Web browsers require HTTPS for some JavaScript APIs, even on non-Internet-facing machines such as a NAS box on your home LAN.
Re: (Score:2)
OOooh cut. Burn. Hisss. boooo!
Another high value post brought to you by an opportunist who was hoping no one noticed that he added nothing to the conversation.
Re: (Score:2)
Not you, personally, you as in an addendum to your post.
Screw English and its lack of an impersonal pronoun.
Someone (Score:2)
English speakers use "one" or "someone" as the impersonal pronoun. For example, your comment could be reworded as follows: "Someone who can't set up a cron job shouldn't be in charge of an Internet-facing machine altogether."
Re: (Score:2)
Another high value post brought to you by an opportunist who was hoping no one noticed that he added nothing to the conversation.
Except he's correct.
If one explicitly chooses not to automatically schedule a once-per-three-month task and performs it manually, yet can't manage to find the time or inclination to actually do so manually every three months, one would have much worse problems than your certificate expiring.
That means using the same demonstrated behavior and thinking, that person would refuse to automate system updates and security patches opting to install them manually, and then not having the time or inclination to actuall
Re: (Score:2)
yet can't manage to find the time
Who said that? Must have been that magical person who can edit Slashdot posts.
Re: (Score:2)
yet can't manage to find the time
Who said that? Must have been that magical person who can edit Slashdot posts.
This post [slashdot.org] said that:
"Gee, now if the certs would last longer than Trump's attention span, Let's Encrypt could actually become useful. At this point, they should rename it "Let's Momentarily Encrypt.""
That being the person you [slashdot.org] responded to, saying:
"If you can't figure out how to set cron to execute a command every 3 months then you really shouldn't be even remotely in charge of something as important as the encryption on your server."
That being the post [slashdot.org] Opportunist expanded upon, adding to your reply to the
Re: (Score:2)
You do know that nothing is easier than auto-renewing your certificate, yes? Hell, pretty much any proxy and other SSL-offloader comes with its own "how to automate LE-Cert-Renewals".
What (Score:5, Insightful)
Trusted by root certificates? That is not how root certificates work. Bad article and bad headline for a tech site
MOD PARENT UP (Score:3, Insightful)
Re:What (Score:5, Informative)
Wow...and on top of that, you've been moderated to -1 Troll for correctly pointing it out. For any clueless moderator who might be inclined to give you a -1 mod:
Let's Encrypt is not "trusted by" root certificates***. It's more correct to say that the Let's Encrypt root certificate is now a trusted root certificate in the certificate store of all major browsers.
*** I guess technically they are also trusted by a root certificate. Let's Encrypt's intermediate certificate is also cross-signed by CACert, which is how older browsers (versions before the root certificate was included) were previously able to trust Let's Encrypt certificates. However, that's nearly 3-year-old news, and although an article about 3-year-old news is not unheard of on slashdot, that's not what this particular article is about.
Re: (Score:3)
Is meta-moderation still even a thing on slashdot? Maybe they just moved it to a place I can't see it, but as far as I'm aware I haven't been offered it in many years.
You can find it here: https://slashdot.org/firehose.... [slashdot.org] After finally being offered metamod, I saved the URL.
Re: (Score:2)
It's more correct to say that the Let's Encrypt root certificate is now a trusted root certificate in the certificate store of all major browsers.
Yeah, I'm guessing whoever wrote the summary mis-paraphrased the press release on Let's Encrypt's website [letsencrypt.org], which says that it is now "trusted by all major root programs" (i.e., those by Mozilla, Microsoft, Apple, etc., where it is decided which root certificates are distributed with their products). It could almost be a slip of the "tongue" since "root certificate" is a much more common phrase, but then they kept saying it...
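The distinction the summary, the "***" footnote and this reply are all making (a root program deciding which roots ship, versus a chain that reaches one of those roots directly or through a cross-sign) is easiest to see as path building. The following is an added illustration, not code from the article or from any commenter. Certificate names are assumed for the example, nothing here parses real X.509, each certificate is reduced to a (subject, issuer) pair, and a client's root store is just a set of subject names.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Cert = Tuple[str, str]   # (subject, issuer): a toy stand-in for an X.509 certificate

# Assumed names for the example. The point is the shape of the two chains the
# thread describes, not the exact certificates Let's Encrypt ships.
LEAF = ("www.example.com", "Let's Encrypt Authority X3")
INTERMEDIATE_DIRECT = ("Let's Encrypt Authority X3", "ISRG Root X1")    # Let's Encrypt's own root
INTERMEDIATE_CROSS = ("Let's Encrypt Authority X3", "DST Root CA X3")   # same key, signed by IdenTrust


def build_path(leaf: str, certs: Iterable[Cert], trusted_roots: Set[str],
               distrusted: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Return a chain of subject names from `leaf` to a root in the client's
    store, or None if no such chain exists. One subject (the intermediate)
    may carry several signatures, so every issuer edge is explored rather
    than only the first certificate the server happened to send."""
    by_subject: Dict[str, List[str]] = {}
    for subject, issuer in certs:
        by_subject.setdefault(subject, []).append(issuer)
    stack = [[leaf]]
    while stack:
        path = stack.pop()
        for issuer in by_subject.get(path[-1], []):
            if issuer in distrusted:
                continue                   # the root program pulled this CA
            if issuer in trusted_roots:
                return path + [issuer]
            if issuer not in path:         # cross-signs can form loops
                stack.append(path + [issuer])
    return None


def client_verdict(certs: Iterable[Cert], trusted_roots: Set[str],
                   distrusted: FrozenSet[str] = frozenset()) -> str:
    path = build_path("www.example.com", certs, trusted_roots, distrusted)
    return "trusted via " + path[-1] if path else "untrusted"


if __name__ == "__main__":
    everything = [LEAF, INTERMEDIATE_DIRECT, INTERMEDIATE_CROSS]
    print("old client, IdenTrust root only:   ", client_verdict(everything, {"DST Root CA X3"}))
    print("new client, ISRG root only:        ", client_verdict(everything, {"ISRG Root X1"}))
    print("IdenTrust distrusted, ISRG present:",
          client_verdict(everything, {"DST Root CA X3", "ISRG Root X1"}, frozenset({"DST Root CA X3"})))
    print("IdenTrust distrusted, ISRG absent: ",
          client_verdict(everything, {"DST Root CA X3"}, frozenset({"DST Root CA X3"})))
```

The last two cases are the story: once ISRG Root X1 is in the store, distrusting IdenTrust changes nothing; a client that never received the new root is the one that breaks. The second-to-last scenario in the `__main__` block also shows why a server should keep sending whichever intermediate its oldest clients can chain from, since the model only finds a path through certificates the client actually has.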
one of these things is not like the other... (Score:5, Funny)
Microsoft? Check.
Google? Check.
Apple? Check.
Mozilla? Check.
Oracle? Check.
Blackberry? Che... wait, what?
All major OS? Forgot to get BSD. (Score:2, Funny)
Netcraft confirms it, this list is dead.
Mozilla covers FreeBSD and NetBSD (Score:2)
*BSD uses Mozilla's root certificate bundle.
Re: (Score:2)
* Google makes the OS Android, which includes a list of root certs they trust. (They also make Chrome, but that doesn't include any root certs; it uses the OS-provided ones).
I'm not sure if that's always true. Pull up https://secure.netflix.com/ [netflix.com] in Chrome (untrusted) and then pull it up in IE or Edge. I have no idea why, but Chrome flags that certificate as invalid. I display some inline Netflix cover art on a personal web app and the pictures won't load in Chrome. Everything about the cert appears to be valid.
Re: (Score:2)
Checking that site, it looks like it uses a Symantec cert, which are no longer trusted by Google products. Chrome may be using the OS-provided root cert list; however, it most likely has Google's own blacklist of distrusted certs internally.
Re: (Score:3)
*ALL CA* are a single point of failure, it is not just let's encrypt
Re: (Score:2)
And we have known how to fix it [wikipedia.org] since about 1988-1990 (PGP), before HTTPS was even a thing. Our entire CA system was obsolete before we started using it. Hopefully, some day we'll upgrade to 1990 tech and then identities will have multiple parties certifying them.
Hard to get your PGP key trusted internationally (Score:2)
You mentioned the Wikipedia article "Web of trust". It acknowledges that getting your key signed for the first time is impractical for many. True, a key signing party will help your key become trusted in the same village. But that doesn't help you build a robust set of paths through the web of trust to users on the other side of the planet unless several people who attended the same key signing party also routinely travel internationally to key signing parties in other countries. And with the U.S. TSA and o
Re: (Score:2)
So establishing the web could be somebody's job. Imagine if I walk into an AAA storefront, show them my ID and pay a small fee, and they sign my cert.
My bank could do the same. or 711 for that matter. Hell, the DMV ought to, establishing identification is half of their job anyway.
All I'm saying is, we could have more "web-of-trust" infrastructure than just key signing parties.
Notaries for building the web of trust (Score:2)
So establishing the web could be somebody's job.
I believe that job is called a notary [wikipedia.org]. And you're right that a notary firm operating in multiple villages would have the resources to build the web beyond one geographic area.
Hell, the DMV ought to, establishing identification is half of their job anyway.
Even so, good luck getting that, or any other new duties of the DMV, past the minarchists in the Republican Party of each U.S. state.
Re: (Score:2)
Even so, good luck getting that, or any other new duties of the DMV, past the minarchists in the Republican Party of each U.S. state.
It's something that should obviously be handled at your local post office, like applying for a passport. But then, do you trust the USPS? Thing is, I definitely don't trust the CA DMV. They are both incompetent, and entrenched government corruption. But I repeat myself.
Re: (Score:2)
DMV? Good one. I just had the experience of 'proving' something to the DMV (NY). I needed to provide 2 'proofs of residence'. My mailing address is a PO box, as the wonderful USPS does not deliver to homes in our town. One of the proofs I had was my water/sewer bill. The bill has 'YOURTOWN WATER/SEWER DISTRICT' printed across the top, and had my address (street and house) listed as 'service to property'. The genius at the DMV would not accept that, because the 'service address' did not have the town
Re: (Score:2)
And yet people are able to get X.509 certs signed, and we even have things like LetsEncrypt. The evidence suggests getting signatures isn't really all that hard, since 100.0% of the websites that implement HTTPS somehow managed to do it.
So why stop at 1? The only people who come out ahead by us having single point of failure, are the attackers. I think we should move fr
Re: (Score:2, Insightful)
Let's Encrypt has become a single point of failure for the majority of web sites
I generally think of "single point of failure" as one thing breaks and it immediately takes everything else down with it. With certificates, you should be renewing them 30 days before they expire. If Let's Encrypt suddenly ceased to exist, you would have 30 days notice that they are gone, and thus 30 days to switch to a different certificate provider and continue on with zero downtime. That's not my definition of single-point-of-failure. So it's really only a single point of failure for websites whose admin
Re: (Score:3)
Let's Encrypt has become a single point of failure
How so? You do realise there are systems in place to handle faults in certificate issuing processes, and outside of the issuing process they are not in any way involved right?
Before you declare something a single point of failure and a major drama, maybe define what the failure mechanism and the consequence is first.
Let's Encrypt is great to learn automation (Score:2, Informative)
Let's Encrypt is a really good setup for people who want to learn how to automate their system. While free and easy to set up (it took me about an hour to get https on my websites with it), the certificates only last 90 days, with the justification being that people should learn how to automate things.
Since I have multiple redundant nodes which I rsync to, I had to use the --manual-auth-hook option to certbot-auto to push the challenge-response tokens Let's Encrypt uses to authenticate website. I also use A [ansible.com]
Re: (Score:1)
It's only simple if 1) You run the certbot on the actual web server and 2) Your nginx (or Apache) setup is bog-standard.
I had to do things manually because nginx is in /usr/local/nginx on my nodes, and because I run certbot-auto on my local machine, then push the generated certs to the machines actually serving web pages.
Ansible looks good on my resume, so it was a net positive for me.
Too early to celebrate (Score:1)
Re: (Score:1)
Very vague statement, what is "old" and "older"? Even IE6 (xp sp3) qualifies! https://letsencrypt.org/docs/c... [letsencrypt.org]
It is *compatible* with all of these via IdenTrust. That does not mean all of these will trust Let's Encrypt directly....
Re: (Score:2)
Well, then it's time to tell people who complain about a broken certificate to update their fucking browser to a version that isn't a security problem for the whole damn web!
Comment removed (Score:5, Informative)
Re: (Score:2)
Also a trojan horse for security in the internet because now with let's decrypt anyone can do MITM with a valid certificate.
This MITM would have to intercept the server's connection to the Internet through several paths at every renewal time, and the rightful owner of the domain would notice the misissued certificate through Certificate Transparency logs.
We as users should accept no less than mandatory EV everything.
Are you buying?
Re: (Score:2)
This MITM would have to intercept the server's connection to the Internet through several paths at every renewal time
Compromise of a single path to the victim's server or authoritative name server is sufficient.
and the rightful owner of the domain would notice the misissued certificate through Certificate Transparency logs.
LOL sure they would notice.
Re: (Score:2)
But for those who do care, Certificate Transparency monitoring is probably cheaper than an EV certificate. If you disagree: Let's say you were to start a website. How would you afford your website's EV certificate as well as the fee to form an LLC in order to qualify therefor?
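The Certificate Transparency monitoring these three replies argue about, as an added example that is not from the thread: a monitor that, given already-parsed log entries, flags every certificate covering a monitored zone that our own issuance tooling did not record. The entries, the zone and the policy are constructed sample data; fetching and parsing real log entries is out of scope here.

```python
from typing import Dict, List

# Constructed sample data, not real CT log contents: what a monitor holds after
# it has pulled and parsed the leaf certificates that name its zone.
OBSERVED = [
    {"serial": "03a1", "issuer": "Let's Encrypt Authority X3",
     "sans": ["example.com", "www.example.com"]},
    {"serial": "03a2", "issuer": "Let's Encrypt Authority X3",
     "sans": ["mail.example.com"]},
    {"serial": "9f00", "issuer": "Some Other CA",
     "sans": ["example.com"]},                        # nobody here asked for this
    {"serial": "03a3", "issuer": "Let's Encrypt Authority X3",
     "sans": ["example.com", "evil.example.net"]},    # our name bundled with a stranger's
    {"serial": "7777", "issuer": "Some Other CA",
     "sans": ["other.org"]},                          # not our zone, never looked at
]

# Assumed policy for the example zone. The serial set is the important part:
# the renewal job records every serial it obtains, so anything else is
# unexplained, whichever CA issued it and however validation was passed.
POLICY = {
    "zones": ["example.com"],
    "issuers": {"Let's Encrypt Authority X3"},
    "names": {"example.com", "www.example.com", "mail.example.com"},
    "serials": {"03a1", "03a2"},
}


def in_zone(name: str, zones: List[str]) -> bool:
    """True if a SAN (wildcards included) falls under one of our zones."""
    host = name[2:] if name.startswith("*.") else name
    return any(host == z or host.endswith("." + z) for z in zones)


def check(entry: dict, policy: dict) -> List[str]:
    """Reasons a single in-scope certificate deserves a look; empty if none."""
    reasons = []
    if entry["serial"] not in policy["serials"]:
        reasons.append("unknown-serial")
    if entry["issuer"] not in policy["issuers"]:
        reasons.append("unexpected-issuer")
    for san in entry["sans"]:
        if san not in policy["names"]:
            reasons.append("unexpected-name:" + san)
    return reasons


def monitor(entries: List[dict], policy: dict) -> Dict[str, List[str]]:
    """Map serial -> reasons for every certificate that names our zone and
    fails policy. Certificates that never mention the zone are skipped."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        if not any(in_zone(san, policy["zones"]) for san in entry["sans"]):
            continue
        reasons = check(entry, policy)
        if reasons:
            findings[entry["serial"]] = reasons
    return findings


if __name__ == "__main__":
    for serial, reasons in monitor(OBSERVED, POLICY).items():
        print(serial, ", ".join(reasons))
```

Two caveats a practitioner would add. Logs carry precertificates as well as final certificates, and both share the serial, so the serial allowlist still works but the monitor should expect to see each issuance twice. And a log is only obliged to include an entry within its maximum merge delay, so "would notice" means noticing within hours to a day of misissuance, not before the certificate is usable.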
Re: (Score:2)
Just for shits and giggles, can you explain how this would let everyone MitM a connection?
Re: (Score:2, Informative)
Also a trojan horse for security in the internet because now with let's decrypt anyone can do MITM with a valid certificate. What good is encryption if you can no longer trust the endpoint that's receiving it. We as users should accept no less than mandatory EV everything. No DV certificates provide any assurance that who you are talking to is really who they claim to be, especially if that certificate is issued by let's decrypt
It's amazing people still think and speak like this.
You clearly show knowledge on how certificate trust chains work on a technical level, yet demonstrate clearly you have no idea what they are for, what problem they solve, how they do that, or why.
First you are wrong on your specific blame placing regarding MITM attacks.
The only way to gain MITM advantage is to have access to the very server the private key resides on, as this is the only system allowed to request a cert for it.
That is true for ALL CAs, the
Re: (Score:2)
It's amazing people still think and speak like this.
You clearly show knowledge on how certificate trust chains work on a technical level, yet demonstrate clearly you have no idea what they are for, what problem they solve, how they do that, or why.
Amazing to see such a long-winded post missing the basic fact that "certificate chains" are about "trust".
Failure to establish trust renders underlying technology moot. It doesn't matter how great the crypto is.
Every DV system these days is automated, relying on a combination of DNS, SMTP and HTTP. All completely insecure protocols operating over completely insecure networks, leveraged to make critical value judgments about whether the party in question is trustworthy or not.
DV = LEAP OF FAITH
It may work in practice most