dslreports forums
StuartMW
EFF, Mozilla Launch New Free Security Certificate Authority

»EFF, Mozilla Launch New Free Security Certificate Authority [28] comments

The only issue I have with this is the "trust" factor with certificates and CA's these days. How secure will this free CA be? Will hackers be able to create their own certificates for websites or digital signatures?

Steve
I guess they'll go through the same kind of pains that everybody else goes through, but they promise a transparent process, and I believe all certs created will be made public so there's a kind of crowdsourced auditing here.

Snowy
said by Steve:

... I believe all certs created will be made public so there's a kind of crowdsourced auditing here.

Interesting point.
If correct, and they implement a robust challenge system, it would be a good deterrent to those prone to misuse/abuse of the certs.

Bill_MI to StuartMW
said by StuartMW:

The only issue I have with this is the "trust" factor with certificates and CA's these days.

This CA isn't addressing that issue. Getting a cert by verifying you control the domain by answering email to admin@yourdomain is a typical automated CA money maker.

Money maker... I've been watching for existing CA response to this. Should be interesting.

I love this idea of 100% SSL/TLS since *every* non-SSL connection you make is vulnerable to insertion in a trivial way. With SSL it raises the bar substantially.

StuartMW

said by Bill_MI:

Getting a cert by verifying you control the domain by answering email to admin@yourdomain is a typical automated CA money maker.

To use an analogy (somewhat), it's a bit like assuming that someone applying for a passport is who they say they are based on their return address.

Passports require proof of identity/citizenship. It's a (deliberately) cumbersome process. IMO obtaining SSL certificates should be similar. Otherwise what's the point?

Bill_MI

The EV certs are very cumbersome - the ones that color GREEN. A quick example is »www.grc.com/intro.htm. It also takes big $$$, but these are the exception.

BTW, the whole process is going to be open: »letsencrypt.org/

from »github.com/letsencrypt/acme-spec the new protocol is called ACME. Hey, there's a Roadrunner joke in there somewhere.

StuartMW

Get your ACME SSL certs here



camper to StuartMW
said by StuartMW:

Otherwise what's the point?

The SSL certs provide two services to the user - encryption and authentication.

The goal of the Let's Encrypt project is more for encryption than authentication.

Bill_MI

Though authentication isn't abandoned, since it's imperative against impersonation or man-in-the-middle. ACME is expected to improve low-end certs, not diminish them. The security community surely won't favor less.

StuartMW

said by Bill_MI:

Though authentication isn't abandoned since it's imperative against impersonation or man-in-the-middle.

Exactly. Without authentication https (encrypted) is really no safer (and arguably less) than http (plain text).

camper to Bill_MI
said by Bill_MI:

Though authentication isn't abandoned since it's imperative against impersonation or man-in-the-middle...

Agreed.

However, the main focus is encryption. There is a low level of authentication support via the domain-control verification process during the issuance of the cert.
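The domain-control verification that Bill_MI and camper describe (proving you control the domain, rather than proving who you are), carried out over the ACME protocol Bill_MI links, worked through as an added example. This is not code from the thread, from Let's Encrypt, or from the 2014 acme-spec draft; it follows the http-01 challenge in the form ACME was later standardised (RFC 8555 key authorization, RFC 7638 JWK thumbprint), which is an assumption about what the reader wants to see. The account key, the attacker key and the token are constructed values so the arithmetic runs offline; nothing is fetched over the network.

```python
"""ACME http-01 domain-control validation, both sides, offline.

Client side: the account holder computes a key authorization that binds the
CA's random token to the account key, and serves it over plain HTTP at a
well-known path on the domain.  CA side: the CA fetches that path and checks
the body against the key authorization it computed from the account key on
file.  Passing proves control of HTTP on the name at validation time, and
nothing about legal identity (the "low level of authentication" discussed in
the thread).  Constants below are constructed for the example, not real keys.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    lexicographically ordered, no whitespace.  Optional members such as
    "alg" or "kid" are deliberately excluded, so they cannot change the
    thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON, base64url-encoded (43 characters)."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("ascii")).digest()
    return b64url(digest)


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Where the CA will look, over plain HTTP on port 80 of the domain."""
    return f"/.well-known/acme-challenge/{token}"


def validate_http01(token: str, served_body: bytes, account_jwk: dict) -> bool:
    """CA-side check.  RFC 8555 section 8.3 lets the CA ignore trailing
    whitespace after the body, so strip it before comparing."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return served_body.rstrip(b" \t\r\n") == expected


# Constructed, non-functional keys: "n" is not a real modulus.  "alg" is an
# optional member added on purpose to show it does not affect the thumbprint.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"0123456789abcdef"), "alg": "RS256"}
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"fedcba9876543210")}
# Constructed token; a real CA issues at least 128 bits of randomness.
TOKEN = "Qm9ndXNUb2tlbl8xMjM0NTY3ODkw"


def simulate_exchange() -> dict:
    """Run the challenge three ways: the legitimate account (with a trailing
    newline, as a static file server would add), an attacker who can write
    to the web root but holds a different account key, and a naive server
    that echoes only the token."""
    legit = key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii") + b"\n"
    forged = key_authorization(TOKEN, ATTACKER_JWK).encode("ascii")
    return {
        "path": challenge_path(TOKEN),
        "legit_accepted": validate_http01(TOKEN, legit, ACCOUNT_JWK),
        "attacker_rejected": not validate_http01(TOKEN, forged, ACCOUNT_JWK),
        "token_only_rejected": not validate_http01(TOKEN, TOKEN.encode(), ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(simulate_exchange(), indent=2))
```

The point of binding the token to the account key thumbprint is the attacker case: being able to place a file on the web root is not enough unless you also hold the ACME account key that made the order, and the CA never needs to see that private key. What the check does not do is tie the certificate to any real-world identity, which is the EV-style verification StuartMW is asking about.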