|
StuartMW
Premium Member
2014-Nov-24 12:29 pm
EFF, Mozilla Launch New Free Security Certificate Authority

The only issue I have with this is the "trust" factor with certificates and CA's these days. How secure will this free CA be? Will hackers be able to create their own certificates for websites or digital signatures?
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA
2014-Nov-24 4:13 pm
I guess they'll go through the same kind of pains that everybody else goes through, but they promise a transparent process, and I believe all certs created will be made public so there's a kind of crowdsourced auditing here.
|
Snowy (Lock him up!!!)
Premium Member
join:2003-04-05 Kailua, HI
2014-Nov-24 4:42 pm
said by Steve: ... I believe all certs created will be made public so there's a kind of crowdsourced auditing here.

Interesting point. If correct & they implement a robust challenge system it would be a good deterrent to those prone to misuse/abuse of the certs.
|
Bill_MI (Bill In Michigan)
MVM
join:2001-01-03 Royal Oak, MI
|
to StuartMW
said by StuartMW: The only issue I have with this is the "trust" factor with certificates and CA's these days.

This CA isn't addressing that issue. Getting a cert by verifying you control the domain by answering email to admin@yourdomain is a typical automated CA money maker. Money maker... I've been watching for existing CA response to this. Should be interesting.

I love this idea of 100% SSL/TLS since *every* non-SSL connection you make is vulnerable to insertion in a trivial way. With SSL it raises the bar substantially.
|
StuartMW
Premium Member
2014-Nov-24 7:09 pm
said by Bill_MI: Getting a cert by verifying you control the domain by answering email to admin@yourdomain is a typical automated CA money maker.

To use an analogy (somewhat) it's a bit like assuming that someone applying for a passport is who they say they are based on their return address. Passports require proof of identity/citizenship. It's a (deliberately) cumbersome process. IMO obtaining SSL certificates should be similar. Otherwise what's the point?
|
Bill_MI (Bill In Michigan)
MVM
join:2001-01-03 Royal Oak, MI
|
The EV certs are very cumbersome - the ones that color GREEN. A quick example is: » www.grc.com/intro.htm It also takes big $$$ but these are the exception.

BTW, the whole process is going to be open: » letsencrypt.org/from » github.com/letsencrypt/acme-spec the new protocol is called ACME. Hey, there's a Roadrunner joke in there somewhere.
|
StuartMW
Premium Member
2014-Nov-24 9:13 pm
Get your ACME SSL certs here
|
camper (just visiting this planet)
Premium Member
join:2010-03-21 Bethel, CT
to StuartMW
said by StuartMW: Otherwise what's the point?

The SSL certs provide two services to the user - encryption and authentication. The goal of the Let's Encrypt project is more for encryption than authentication.
|
Bill_MI (Bill In Michigan)
MVM
join:2001-01-03 Royal Oak, MI
Though authentication isn't abandoned since it's imperative against impersonation or man-in-the-middle. ACME is expected to improve low-end certs, not diminish them. The security community surely won't favor less.
|
StuartMW
Premium Member
2014-Nov-24 9:38 pm
said by Bill_MI: Though authentication isn't abandoned since it's imperative against impersonation or man-in-the-middle.

Exactly. Without authentication https (encrypted) is really no safer (and arguably less) than http (plain text).
|
camper (just visiting this planet)
Premium Member
join:2010-03-21 Bethel, CT
to Bill_MI
said by Bill_MI: Though authentication isn't abandoned since it's imperative against impersonation or man-in-the-middle...

Agreed. However, the main focus is encryption. There is a low level of authentication support via the domain-control verification process during the issuance of the cert.
|