Where more good to buy ssl ? - Page 2

Comments

  • GoGetSSL.com is an excellent place to obtain SSL certificates instantly!

  • mfs Banned, Member

    @bsdguy I don't agree with you but thank you for your reply. It seems to me you're resorting to fallacious arguments. The code could have been written by the NSA itself (as a matter of fact, many servers run code originally contributed by the NSA itself..) or Hitler or the Masons or whoever but as long as we have the source code it's almost irrelevant, even if it's crappy code. I'll try to address more on this later. Here I'd just add that the (h)activists behind letsencrypt don't seem to me that shady after all, but I get you have some beef with EFF.

    You are concerned that some funds are coming from "evil" megacorps like google or facebook; they have vested interests in a wider adoption of "secure" connections and in "deprecating" http.

    There are many different interests, that's pretty common in the open source business. The OpenBSD foundation received funds from "evil" corps like Microsoft and Google as well.

    You say that code can have bugs, and cite OpenSSL. Well, I may understand that you don't want to run a bot or some code you deem untrusted on your servers. Every code can have bugs or may interact with other software in not properly predicted ways, thus you may prefer to create new certs manually. Or, you can create your own code, since the specs are open. Throwing in OpenSSL's Heartbleed seems anyway quite gratuitous and eventually you got political (linux people vs bsd people). Unless you can point out the crap or the backdoor or whatever in the code, resorting to ad hominem seems to me just an attempt at FUD.

    "A payment create traces"... but that's completely out of the scope of domain validation, that is: the applicant has "some" control over the DNS domain, period. Expecting something more would mean to raise too much the expectations on the meaning of the DV cert itself.

    The blind trust on the "green lock" and the high expectation users have on this is an interesting issue. Users maybe are going to put too much trust on these common "shitty" DVs, but that's what a DV cert is after all and users should be better educated on the meaning on the "green lock". DV is not more inherently trustworthy than a site with no certs.

    Sadly we all know that self-signed certs aren't viable (and one could possibly incur in more errors and/or shoot himself in the foot with unholy practices whilst crafting self-signed certs rather than using a pre-packaged solution); in the past I looked at experiments like OpenPGP-validated certs with monkeysphere, but that's asking too much from users. Some may use self-signed certs and put their site behind cloudflare, therefore exposing CF's cert to the users; still, cloudflare is one of those corps sometimes despised.

    Finally, I don't want to "missionize" the use of LE over paid certs; if you're more comfortable and/or if you feel it's more professional that way, good for you. There are also other free cert providers, like comodo or startcom; some hosting provider started to issue free DV certs for its clients as well (usually leveraging on LE). From your original post it seemed to me you really looked at LE like a sort of absolute evil. Again, thank you for the insights and for the time you took in expressing your point of view. Time ain't free.

  • willie Member
    edited January 2017

    mfs said: There are also other free cert providers, like comodo or startcom

    Bwahahahaha startcom:

    http://news.softpedia.com/news/mozilla-brings-down-the-ban-hammer-on-wosign-startcome-certificate-authorities-509626.shtml

    mfs said: Time ain't free.

    Yep. I'm using LE myself for most things now, but I have a "client" who isn't technical enough to install their own certificates, so I have to do it, and it's easier to pay a few bucks to do it annually (or tri-annually) instead of doing it for free every 3 months.

  • @MFS

    "evil" megacorps like google or facebook; they have vested interests in a wider adoption of "secure" connections and in "deprecating" http.

    Is that so? Which interests? Why do they prefer https over http? Tell us more about it.

    you got political (linux people vs bsd people)

    Nope. I merely stated observations. I do not somehow hate linux.

    resorting to ad hominem

    BS

    "A payment create traces"... but that's completely out of the scope of domain validation

    No, it is not. That whole cert shit is about trust and knowing that some web server is owned by someone who is actually known by other means than what he pleases to tell does help to trust.

    Sadly we all know that self-signed certs aren't viable

    Aren't they? Why? Because there weren't any checks? And letsencrypt is more viable because a letsencrypt bot checks ... uhm ... what? Nothing.
    It just so happened that the browser gang decided that selfsigned certificates aren't trustworthy but letsencrypt bot-automatically-signed certs are wunderfully trustworthy.
    Don't you recognize bullshit when it's right in front of you?

    it seemed to me you really looked at LE like a sort of absolute evil.

    No, I don't. I look at it as a mixture of bullshit, evil and idiocy.
    The "evil" (and yes, they are damn greedy suckers) CAs offer at least some little basis for trust. letsencrypt doesn't. Whoever runs their script is "trustworthy" - ridiculous.

  • willie Member
    edited January 2017

    bsdguy said: Which interests? Why do they prefer https over http? Tell us more about it.

    They like https partly because it interferes with proxy caching, so they get more realtime tracking of your activities.

    bsdguy said: Sadly we all know that self-signed certs aren't viable

    Aren't they? Why? Because there weren't any checks?

    They aren't viable because the browser popup dialogues make them near unusable.

    bsdguy said: And letsencrypt is more viable because a letsencrypt bot checks ... uhm ... what?

    It checks control of the web server and/or domain DNS, so it's about like any other DV certificate. Maybe slightly better than self-signed in security terms, maybe equal, certainly not worse. Also no worse than other DV certificates like Comodo.

    The payment trail doesn't mean much since anyone can be a GoGetSSL reseller for Comodo and other brands (including EV certs) and accept bitcoin or whatever. Plus the Comodo 3 month certs are free and signed by the same CA as the longer term certs. Think anyone is going to notice the difference?
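
Added example, not part of any post in this thread: a sketch of what the domain-validation check discussed above verifies, using the ACME (RFC 8555) http-01 and dns-01 key-authorization scheme. It goes beyond the posts by showing the mechanics; the function names are hypothetical, the keys and token are constructed sample values, and `fetch` stands in for the CA's HTTP request to the domain. Nothing in the exchange carries the operator's identity: passing only shows that the holder of the account key can place content on the domain.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the token, a dot, and the account key thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_path(token: str) -> str:
    """Path on the applicant's web server that the CA requests over plain HTTP."""
    return "/.well-known/acme-challenge/" + token


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the TXT record at _acme-challenge.<domain>."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def ca_check_http01(token: str, account_jwk: dict, fetch) -> bool:
    """CA side of http-01: compare the served body with the expected value."""
    body = fetch(http01_path(token))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    # RFC 8555 lets the CA ignore trailing whitespace in the response body.
    return hmac.compare_digest(body.rstrip().encode("utf-8"), expected.encode("ascii"))


# Constructed sample data: these are not real keys or tokens.
OWNER_KEY = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW93bmVyLW1vZHVsdXM", "alg": "RS256"}
OTHER_KEY = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW90aGVyLW1vZHVsdXM"}
TOKEN = "constructed-token-0001"


def demo() -> dict:
    # The domain's web root holds the file written by the owner's ACME client.
    webroot = {http01_path(TOKEN): key_authorization(TOKEN, OWNER_KEY) + "\n"}
    return {
        "owner_passes": ca_check_http01(TOKEN, OWNER_KEY, webroot.get),
        # A different ACME account cannot reuse the same file: the key differs.
        "other_account_fails": ca_check_http01(TOKEN, OTHER_KEY, webroot.get),
        "no_file_fails": ca_check_http01(TOKEN, OWNER_KEY, {}.get),
        "dns01_txt": dns01_txt_value(TOKEN, OWNER_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
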

  • mfs Banned, Member
    edited January 2017

    bsdguy said: That whole cert shit is about trust

    And that's wrong, because DV has nothing to do with trust. It simply assures that no MITM/ eavesdropping/ tampering occurs when talking to a server, but it tells us nothing about who operates the server. It only tells us we're using a secure connection with a server indicated by someone who has control over that domain. Trying to inject "trust" in a DV cert is actually misleading, users should be educated that a green lock could lead to a phishing site as well and their blind trust in https should be rather directed to EV certs. A simple "paper trail" never stopped phishing.

    bsdguy said: CAs offer at least some little basis for trust. letsencrypt doesn't.

    In my view, letsencrypt offers exactly the same level of trust you can obtain from a CA, as far as DV certs are concerned: zero. CAs are actually the "weak link" in a DV cert "trust", more on this below.

    bsdguy said: Aren't they? Why? Because there weren't any checks?

    Because that's how browsers work; yep, the browser gang decided that selfsigned certificates aren't trustworthy but displaying control over the domain DNS to a CA (manually or with a bot) using (hopefully) sane practices is enough to certify the simple fact that you can control your domain DNS

    There are some hacktivist organisations who refused in the past to adopt CA-issued certs (e.g. the A/I collective) but the way users were expected to properly check the genuineness of the certs required skills normal users didn't have - and eventually they jumped on the let's encrypt bandwagon as well.

    LE maybe isn't the best possible solution, and I do share some concerns about LE becoming a sort-of new universal CA and some doubts about the different approach Mozilla had in the past with CAcert vs the approach it has now with LE ( https://archive.fo/5FH9n ; anyway the same author has then revised his critical approach ); putting all the eggs in one basket is always risky (and here's something we should have learned from OpenSSL). Still it's the most convenient solution for the simple, limited DV certs target. Diversity in CAs does not solve the CAs problem. If we were serious about DV, we'd remove CAs completely - at least for DV; as @willie pointed out, a CA can well be the weakest link in the trust chain. DANE/DNSSEC would be a first move, yet it has been criticised as well and as a matter of fact, you can't validate these DNS entries from within the browser (at least, you can't without installing some additional software/addons); and both Mozilla and Chrome have chosen to sponsor LE...

    Confidentiality (that's all DV can be about) has become recently a hot topic (see rfc 7258 or https.cio.gov ); in a perfect world you should have a complimentary DV cert along with a DNS domain, anything else is artificial economy.

    Oh well, you sincerely gave me that impression. Blame the code or the idea, not the guy or the organisation.

  • rm_ IPv6 Advocate, Veteran
    edited January 2017

    mfs said: CAs offer at least some little basis for trust. letsencrypt doesn't.

    So did you already remove Let's Encrypt from your OS and browser trusted certificate store? (And face the red "bad certificate" warning on a half of the internet?)

    I got sold on LE when there came to be https://github.com/lukas2511/dehydrated
    It's a ~1000 line shell script, of which you can personally read every single line, and verify it doesn't do anything nefarious. On top of that, it also runs in a walled-off unprivileged environment without issues (doesn't need root, and can be made to not access anything outside its own directory -- ever).

    The biggest concern I have right now about LE, is the "single supplier" problem. After WoSign and StartCom got shot down, there are no other providers of free SSL certificates left. (not counting any "30 day trial" options). This means if LE closes down for whatever reason, or introduces fees, all those millions of people using it will have no choice* but to obtain a paid cert. Almost feels like that might be the plan from the start by the cert cartel, to get more people onto their product by offering the first dose free, and then suddenly withdrawing that.

    ( *You can't gracefully migrate a HTTPS website back to HTTP, without having a valid certificate on the HTTPS side.)

    Thanked by 1erkin
  • mfs Banned, Member

    rm_ said: Almost feels like that might be the plan from the start by the cert cartel, to get more people onto their product by offering the first dose free, and then suddenly withdrawing that.

    That's devilish

  • https://www.ssls.com is pretty cheap. As low as 4.99$ a year.

  • Site is near unusable with amount of JS crap. Is it a namecheap brand? It has namecheap support link in it.

  • mfs said:

    In my view, letsencrypt offers exactly the same level of trust you can obtain from a CA, as far as DV certs are concerned: zero.

    Now wait, DV stops some common low-tech attacks, like DNS spoofing at the level of a wifi router in a cafe. That's better than nothing.

  • willie said: Is it a namecheap brand? It has namecheap support link in it.

    Yes, it says A member of Namecheap group in the site footer

  • mfs Banned, Member
    edited January 2017

    willie said: DV stops some common low-tech attacks

    sure, it prevents MITM/ eavesdropping/ tampering (unless someone has a Court order obviously...)
    I call this "confidentiality" whilst "trust" is something more inherent about the identity of the site operator (that's where EV certs play). Sure if I connect to lowendtalk and lowendtalk uses a DV cert, I rest reasonably assured that I'm connecting to the same lowendtalk I'm used to and that I'm not presented with a fake version of the site, so there's maybe some inherent trust in this sense. In that post "trust" was considered in the context of the ability of a cert to identify a site operator; I argued that leveraging on a simple paper trail could be deceptive on a product not designed for this.

  • @mfs

    That may all be nice and dandy from your perspective but I have another one.

    There is, simple fact, plain nothing that makes a letsencrypt cert any better or more credible than a self signed one. It's a pure wanton decision by the browser gang to put one above the other.

    And no, certs are not simply about MITM avoidance and self-signed certs can offer that, too, for instance annotations in the domain records and via dns. Actually, letsencrypt makes MITM attacks simpler because the control is with them and not with you (I say "can" not that they actually do. I have no evidence for letsencrypt f*cking us - but they could).

    @rm_

    You (probably unintentionally) misquoted. It was me saying that (and mfs quoting it).

    "LE single supplier problem" - No, some (I think comodo) also offer free 90 day certs.

    @MFS

    "court order" - Dream on! a) those orders are generously rubber stamped, b) we have proof that agencies can and do run MITM attacks without court order.

    @all

    We have a misunderstanding here. My point is not "letsencrypt is evil, use comodo which is better!". In fact, I trust neither one.

    More importantly, though, my perspective is that of an ITsec guy. I don't trust. Neither the nice name of a large corp or its "we are trustworthy" PR, nor letsencrypt's "we are the good guys! ssl certs for everyone and free!" PR.

    Real security means I do not have to trust at all; it means that certain properties are provable or that at least an extremely high probability of them is provable.
    Moreover trust must be earned and it should be clear that f#cking up would carry heavy punishment.

    letsencrypt and the browser gang have completely arbitrarily decided (like the pope formerly did in the vatican) that their stuff is trustworthy while self-signed is not. Looking at it it shows that that is not tenable. It's a fairy tale you may or may not believe; there are no objective attributes showing one better than the other and both can be considered better (or not).

    Ugly example: everyone looks at how nice and good and oh so secure letsencrypt is. But are our servers, too? What if the nsa first faked us towards letsencrypt to demand a new cert? letsencrypt does not know whether I am me, whether my domain is mine or whether my server is mine and my server. All they have is a script running and connecting to a bot on their side.

    One of the holy rules of ITsec is to, if any possible, use more than 1 channel. CAs, unlike letsencrypt, do that. Maybe even a phone call or an SMS.
    Inter alia for the same reason I mentioned the payment information. It's a second channel. That's the job of an ITsec pro. We look from the advocatus diaboli position and "they are the good guys" or "Moxie is a nice guy" means sh#t to us.

    I'm actually happy with neither but see the CAs in a slightly better position (plus the psychological advantage towards users).

    Hell, the whole PKI system is one major clusterf#ck.

    You want to believe in the nice-guys, foss, not-evil, we-can-see-the-source story? Go ahead. But kindly accept that I'm not a heretic who should be burned alive for having another view.

  • rm_ IPv6 Advocate, Veteran
    edited January 2017

    bsdguy said: No, some (I think comodo) also offer free 90 day certs.

    Those are worthless without LE-style automated renewal system.

  • @rm_

    Again: Question of perspective and preferences. An "automated renewal system" can be considered an advantage (and probably is by most) but it can also be considered a disadvantage.

  • OhMyMy Member
    edited January 2018

    Everyone is missing the point of the thread. @M3ntor and @Felix20 are just spamming to get views for spamspamspam.com which only has whcms ordering system and no formal website. So all the other discussions just pump up views for a thread that should sink into oblivion. You can tell because he lists a $93 cert from a company and compares to his $60 cert. Then Felix comes in and says he bought the 60 one and a few more posts pumping spamspamspam.com and this was @M3ntor first post and he hasn't checked in since or posted on other topics.

  • JamesK Member
    edited January 2017

    Either to buy from ssl certificate authority or reputed ssl provider.

  • Did anyone try at Godaddy ssl here: https://www.godaddy.com/web-security/ssl-certificate. I see that it's only $55.99 for the 1st year, the next year is $69.99, it's also good.

  • willie Member
    edited January 2017

    hynds said: $55.99 for the 1st year

    For single domain validated? Are you kidding? That would be ok for wildcard or EV but it doesn't seem to be either of those. Comodo DV is $5/year or so, and LetsEncrypt etc. are free (3 month period).

  • Hello, I would recommend GoGetSSL

    It's cheapest and simple ordering, also supports multiple companies that are offering ssl services

    https://www.gogetssl.com/

    Try it :)

  • @UNMVPS said:
    Hello, I would recommend GoGetSSL

    It's cheapest and simple ordering, also supports multiple companies that are offering ssl services

    https://www.gogetssl.com/

    Try it :)

    Good necro, bra.

    And when I say good, clearly I mean 'fucking ridiculous'.

  • MagicalTrain Member
    edited February 2017

    @Nekki said:

    @UNMVPS said:
    Hello, I would recommend GoGetSSL

    It's cheapest and simple ordering, also supports multiple companies that are offering ssl services

    https://www.gogetssl.com/

    Try it :)

    Good necro, bra.

    And when I say good, clearly I mean 'fucking ridiculous'.

    Trying to get the required posts for the provider tag, I'd guess.

    Thanked by 1Nekki
  • Nekki Veteran
    edited February 2017

    MagicalTrain said: Trying to get the required posts for the provider tag.

    TBF, a company with a name like 'UnmeteredVPS' is probably a pile of wank anyway. Flagged anyhow.

  • angstrom Moderator
    edited February 2017

    bsdguy said: There is, simple fact, plain nothing that makes a letsencrypt cert any better or more credible than a self signed one. It's a pure wanton decision by the browser gang to put one above the other.

    Well, since LE does DV, doesn't this count for more validation than no validation at all, which is the case of a self-signed cert? Even if DV is minimal, it's still some validation, whereas a self-signed cert involves no validation at all. Thus, if some validation is better than no validation, then at least in this respect a LE cert is better than a self-signed one (my reasoning would go).

  • angstrom Moderator
    edited February 2017

    bsdguy said: I personally prefer the effort to click on a "renew" button every 3 months or to simply shell out 5$ for a year. I also prefer that because it's less confusing and a bit more professional. Others prefer the letsencrypt route and that's fine, I don't care and I won't missionize them.

    I think that everyone would agree that the practical issue of having to renew a LE cert every 90 days may be viewed as a decisive disadvantage of using LE, which would be a reason to pay for a DV cert from another CA.

    The question of which CAs are more trustworthy and which are less trustworthy is another question altogether and can only be decided based on the past behavior of the CAs in question. A priori, I don't (yet) see why LE should be regarded as less trustworthy than (say) Comodo ...

  • @ernov said:
    Check once Rine Tech
    RAPID SSL STANDARD
    $10.00/year
    QUICK SSL STANDARD
    $50.00/year
    COMODO ESSENTIAL
    $16.00/year
    and more on their site

    Can you take your rine tech spam and shove it somewhere? Preferably without sunshine.

  • @mfs said:
    I don't get why someone should care about wildcard domain validated TLS certs when we have let's encrypt

    Can't you, just, issue a letsencrypt cert for each subdomain? There are some tools to deploy it pretty painlessly.

    I'd understand if EV or OV certs were needed

    Here are my opinions:

    1. using free service will possibly harm your website's reputation

    2. EV is too expensive for a small business

  • mfs Banned, Member

    @didtav if EV is too expensive, my guess is that 99% of users won't bother to check if the DV cert is a let's encrypt one or not; and I don't understand why it would harm your website's reputation

    https://letsencrypt.org/stats/

    I hope you're not using free software at all in your business if "free = bad" is your reasoning

    I actually nod a little inside when I see a little company (at least, an IT company) using a letsencrypt cert for their main site
