Let's Encrypt Wildcard Certificates Coming in January 2018

jaden Member

According to the Let's Encrypt blog free wildcard certs are on their way.

They're also looking for donations if you're able and willing.

Comments

  • wow that's big news :)

  • WSS Member

    As fast and loose as LE already is, enabling wildcards is going to mean more complete shit with SSL certificates- and I'm talking about malware sites with pretty green checkboxes at the upper left.

  • Francisco Top Host, Host Rep, Veteran

    @WSS said:
    As fast and loose as LE already is, enabling wildcards is going to mean more complete shit with SSL certificates- and I'm talking about malware sites with pretty green checkboxes at the upper left.

    Ah, the $4/year SSL gate to stop the malware people.

    Francisco

  • @WSS said:
    As fast and loose as LE already is, enabling wildcards is going to mean more complete shit with SSL certificates- and I'm talking about malware sites with pretty green checkboxes at the upper left.

    That's the browser makers' fault. LE will just ensure that the channel over which the virus is being sent your way cannot be eavesdropped on.

  • Tom Member
    edited July 2017

    Just in time as @Fidde is starting to have problems with ASSL :-)

    Thanked by 1Fidde
  • Francisco Top Host, Host Rep, Veteran

    and with that, the SSL cartels are laid to rest.

    Francisco

    Thanked by 4WSS leonari dwtbf Makenai
  • joepie91 Member, Patron Provider
    edited July 2017

    Somebody on IRC pointed out that this may cause dangerous behaviour from users. Specifically: Wildcard certificates should NOT be used for "easy subdomains". By sharing the same certificate between multiple systems, you're compromising the security of your TLS setup.

    An example of a valid usecase for wildcard certificates is "multi-tenant website, hosted from the same server cluster for everybody, and every user gets their own subdomain". In this case, you're protecting the same system, even if it uses a number of different hostnames depending on whose profile you're viewing.

    An example of an invalid usecase for wildcard certificates is "oh, now I don't need separate certificates for mail. and www. and irc. anymore, I can just use the same certificate everywhere" -- do not do this, just use a separate certificate for each service as before.

    WSS said: As fast and loose as LE already is, enabling wildcards is going to mean more complete shit with SSL certificates- and I'm talking about malware sites with pretty green checkboxes at the upper left.

    TLS certificates were never meant to provide any assurance about the safety of a website itself. This is 100% snakeoil marketing spread by TLS certificate sellers. It's a non-argument.


    EDIT: To be clear, this is great news, and I've long been waiting for LE to cover the remaining 1% of usecases that couldn't currently be implemented due to certificate request rate limits. I just hope it isn't going to be abused by the 99% that don't need it.

  • stefeman Member
    edited July 2017

    There's already fake banks with green SSL bars/text/lock thanks to Let's Encrypt.

    Wildcards won't change anything in that sense.. People are taught that SSL/HTTPS = Security/Trust. This is being exploited by malware sites now.

    I think the SSL cartel is horrendous, but we already had a solution for it like namecheap/ssls.com. The fact there remains some payment gateway requirement and manual job/traceable stuff is what kept majority of the fraud sites from having SSL in the first place.

    It has to cost money and it has to be traceable to some extent and it also must not be too easy to mass produce, or there will be abuse and fraud.

    Personally my own opinion is that Let's Encrypt made the internet much more risky for a normal average household user. It was never needed.. We had cheap <10 USD SSLs before.

    Thanked by 1WSS
  • WSS Member

    I just thought I'd get it out of the way before @bsdguy came here and started pissing all over LE. I didn't actually expect a huge derail about how much it is a non-op issue. Yes, it will affect some idiots, and yes, you can still buy cheap SSL certificates and see them on malware sites.

    I'll use sarcasm tags next time.

    I don't really like the idea of LE wildcards because, as mentioned already, it sets a bad precedent. Then again, I still don't really like SNI, either, but at least it lets you setup multiple certificates on an IP, rather than just one wildcard certificate across the domain.

  • rm_ IPv6 Advocate, Veteran
    edited July 2017

    joepie91 said: I just hope it isn't going to be abused by the 99% that don't need it.

    What is there to abuse? It's not any more difficult to issue a wildcard than a regular cert. In fact even easier on them, since you're not bombarding their server with requests to validate all 5-10-15 of your subdomains, and instead just get a single cert for all of those.

  • That is good news.
    I don't get what your problem with LE is, they are very good for the internet. It is not their fault that you guys are stupid. There is still EV.

  • stefeman said: There's already fake banks with green SSL bars/text/lock thanks to Let's Encrypt.

    No, there are no phishing sites with valid EV certs unless the site is entirely hijacked.

    stefeman said: I think the SSL cartel is horrendous, but we already had solution for it like namecheap/ssls.com

    No, they still make money out of something that does not cost them anything.

    stefeman said: The fact there remains some payment gateway requirement

    Bitcoin is anonymous. Anonymous CCs are, well, anonymous. Prepaid CCs are issued to anyone with a valid looking ID.

    stefeman said: and manual job/traceable stuff is what kept majority of the fraud sites from having SSL in the first place.

    No CA verifies SSLs manually unless you get flagged like I with certain domains (especially .IR).

    A lot of absolutely not trustworthy organizations have widespread root CAs as well - like Turktrust, a bunch of Chinese gov related companies, some universities...

    stefeman said: Personally my own opinion is that Let's Encrypt made the internet much more risky for a normal average household user

    It's good that you are wrong then, because it did not. In no way. At all.

    If anything the higher SSL adoption, especially by the free implementations in nearly all control panels, did raise the overall security.

    You are somehow under the illusion that the A record verification is less secure than DNS or email which is absolutely not true.

    WSS said: but at least it lets you setup multiple certificates on an IP, rather than just one wildcard certificate across the domain.

    SNI works with wildcard also.

  • joepie91 Member, Patron Provider
    edited July 2017

    stefeman said: It has to cost money and it has to be traceable to some extent and it also must not be too easy to mass produce, or there will be abuse and fraud.

    Personally my own opinion is that Let's Encrypt made the internet much more risky for a normal average household user. It was never needed.. We had cheap <10 USD SSLs before.

    I don't think you understand what TLS certificates are for. They exist to prove control of a domain, so as to verify the legitimacy of a presented keypair for transport encryption. That's the only purpose. Everything beyond that is fluff invented out of thin air by (commercial) third parties.

    Given that purpose, it is absolutely not in the slightest desirable that certificates cost anything at all. Neither traceability nor cost are useful properties for a TLS certificate - it's simply out of scope for what certificates are meant to do, and actively harms adoption.

    Complaining that TLS certificates are handed out to untrustworthy sites, is like complaining that your blender doesn't catch burglars - it was never its purpose in the first place, and is out of scope. If you want to catch burglars, there are separate solutions for that, and the same applies for preventing access to harmful sites (eg. Safe Browsing).

    rm_ said: What is there to abuse? It's not any more difficult to issue a wildcard than a regular cert. In fact even easier on them, since you're not bombarding their server with requests to validate all 5-10-15 of your subdomains, and instead just get a single cert for all of those.

    I don't mean "abuse" in the "affect other parties negatively" sense, rather in the sense of using things for inappropriate purposes. It's very likely that people will interpret this as "oh now I only need one certificate for all my services", which will actively harm the security of their services without them realizing it.

    Wildcard certificates aren't meant to be used for multiple services, but if somebody doesn't understand the mechanics behind the different kinds of certificates and how their exact level of protection varies, it will certainly look convenient.

    EDIT: To clarify: by using a wildcard certificate for multiple independent services, you create a single point of failure where a single leaked certificate from any of your servers can be used to impersonate any of your other services, regardless of whether the attacker has access to the server that they run on, completely breaking transport encryption for everything.

    That's why you don't want to use wildcard certificates for multiple services. They apply to everything under your domain.

    Thanked by 1Aidan
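
The single point of failure joepie91 describes above, shown as an added example that is not part of the original thread: it audits a certificate inventory for keys shared across independent systems and lists which hostnames each system could impersonate if its key leaked. The `example.com` hostnames, system names and key labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (not from the thread): which system serves which
# hostname, the SANs on the certificate it presents, and a label standing in
# for the fingerprint of that certificate's private key.
INVENTORY = [
    {"system": "web", "host": "www.example.com",
     "sans": ["*.example.com", "example.com"], "key_id": "key-A"},
    {"system": "mail", "host": "mail.example.com",
     "sans": ["*.example.com", "example.com"], "key_id": "key-A"},
    {"system": "irc", "host": "irc.example.com",
     "sans": ["irc.example.com"], "key_id": "key-B"},
    # Multi-tenant cluster: many hostnames, one system, one wildcard.
    {"system": "pages", "host": "alice.pages.example.com",
     "sans": ["*.pages.example.com"], "key_id": "key-C"},
    {"system": "pages", "host": "bob.pages.example.com",
     "sans": ["*.pages.example.com"], "key_id": "key-C"},
]


def san_matches(pattern, hostname):
    """Wildcard matching as TLS clients apply it: '*' stands for exactly
    one label, and only in the leftmost position."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def shared_keys(inventory):
    """Keys whose private half sits on more than one independent system."""
    systems = defaultdict(set)
    for entry in inventory:
        systems[entry["key_id"]].add(entry["system"])
    return {k: sorted(s) for k, s in systems.items() if len(s) > 1}


def blast_radius(inventory):
    """For each system, the hostnames served elsewhere that a certificate
    held on that system is also valid for."""
    own = defaultdict(set)    # system -> hostnames it serves itself
    sans = defaultdict(set)   # system -> SAN patterns of certs stored there
    for entry in inventory:
        own[entry["system"]].add(entry["host"])
        sans[entry["system"]].update(entry["sans"])
    all_hosts = {entry["host"] for entry in inventory}
    return {
        system: sorted(
            h for h in all_hosts - own[system]
            if any(san_matches(s, h) for s in sans[system])
        )
        for system in own
    }


if __name__ == "__main__":
    print("keys shared across systems:", shared_keys(INVENTORY))
    for system, hosts in blast_radius(INVENTORY).items():
        print(f"{system}: also valid for {hosts or 'nothing else'}")
```

Note that `irc.example.com` shows up in the exposure of `web` and `mail` even though it has its own certificate and key: the wildcard is valid for every name one label below the domain, not only for the hosts it is installed on. The multi-tenant `pages` cluster has no exposure outside itself.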
  • stefeman Member
    edited July 2017

    I know what they are for.. DV Certificates are for exactly as you described, too bad majority of the internet users do not know this.. When their bank and news tells them to just check for https and green lock to determine that the website is not fake, disregarding the checking of the actual domain name in question, it's just making it easier/faster for fraudsters to make use of this information in order to gain trust of the users.

    While I agree, this belief needs to change, this does not change the current situation right now, therefore for an average internet user that visits 3-10 websites a month, it's much more risky just because there are fake bank sites with LE certificate posing as legit ones via emails and ads.

    DV certificates do not say anything about trustworthiness, but try asking yourself, how many people do actually even know that there are many different SSL types rather than one which to trust? Anyone that would use this forum or related expert sites obviously knows of these stuff, but we're less than 0.1% of the userbase.

    Thanked by 1ranpha
  • joepie91 Member, Patron Provider

    @stefeman said:
    I know what they are for.. DV Certificates are for exactly as you described, too bad majority of the internet users do not know this.. When their bank and news tells them to just check for https and green lock to determine that the website is not fake, disregarding the checking of the actual domain name in question, it's just making it easier/faster for fraudsters to make use of this information in order to gain trust of the users.

    While I agree, this belief needs to change, this does not change the current situation right now, therefore for an average internet user that visits 3-10 websites a month, it's much more risky just because there are fake bank sites with LE certificate posing as legit ones via emails and ads.

    And that belief isn't going to change until people learn the hard way, and companies no longer have the option to spin myths about green locks meaning a site is safe. There's absolutely no fault on Let's Encrypt here, the fault lies entirely with those parties who have been spreading crap about green locks throughout the years.

    This situation was never going to change in any other way than by force.

  • stefeman Member
    edited July 2017

    @joepie91 said:

    @stefeman said:
    I know what they are for.. DV Certificates are for exactly as you described, too bad majority of the internet users do not know this.. When their bank and news tells them to just check for https and green lock to determine that the website is not fake, disregarding the checking of the actual domain name in question, it's just making it easier/faster for fraudsters to make use of this information in order to gain trust of the users.

    While I agree, this belief needs to change, this does not change the current situation right now, therefore for an average internet user that visits 3-10 websites a month, it's much more risky just because there are fake bank sites with LE certificate posing as legit ones via emails and ads.

    And that belief isn't going to change until people learn the hard way, and companies no longer have the option to spin myths about green locks meaning a site is safe. There's absolutely no fault on Let's Encrypt here, the fault lies entirely with those parties who have been spreading crap about green locks throughout the years.

    This situation was never going to change in any other way than by force.

    So rather than fix the problem first, let's just hand the weapons of destruction to the hands of terrorists hoping people get wiser? Sure, things are changing fast now, but at what cost?

    The overall increase of SSL was happening fast anyway due to cheap certificates, LE just gave "trust" to everyone free for any usage including abusers that mass their fraud sites now easier than ever.

  • @stefeman said:
    There's already fake banks with green SSL bars/text/lock thanks to Let's Encrypt.

    Personally my own opinion is that Let's Encrypt made the internet much more risky for a normal average household user. It was never needed.. We had cheap <10 USD SSLs before.

    How would this make the web more risky? If you trust anything with a certificate on it sure, but that has nothing to do with SSL making things risky. That's just the ignorance of the average user.

    Speaking of the average user, I doubt they actually know what the 'green lock' is for and if they even notice it or actually look for it at all.

    I personally think LE is a great initiative and I can see this moving forward. We're all bickering about it but at the end of the day fact is that in a couple of years every website will have a certificate, either paid for or free.

  • stefeman Member
    edited July 2017

    @Saragoldfarb said:

    @stefeman said:
    There's already fake banks with green SSL bars/text/lock thanks to Let's Encrypt.

    I personally think LE is a great initiative and I can see this moving forward. We're all bickering about it but at the end of the day fact is that in a couple of years every website will have a certificate, either paid for or free.

    I'm all for encrypted internet, but this is the wrong way in my opinion. It just sacrifices all dumb users for the sake of a fast change. If they're gonna continue, at least make their abuse department faster.. it took them 2 weeks to revoke a cert to a fake Nordea banksite I reported.

  • raindog308 Administrator, Veteran
  • stefeman said: So rather than fix the problem first, let's just hand the weapons of destruction to the hands of terrorists hoping people get wiser? Sure, things are changing fast now, but at what cost?

    To stay within your example - any terrorist can buy these weapons in no time.

  • stefeman Member
    edited July 2017

    @William said:

    stefeman said: So rather than fix the problem first, let's just hand the weapons of destruction to the hands of terrorists hoping people get wiser? Sure, things are changing fast now, but at what cost?

    To stay within your example - any terrorist can buy these weapons in no time.

    Why would they buy it when they can have it for free.. in mass quantities? They're over deciding whether to buy or not.. they can just get one for free.. and very easily.. and this changes things as we see in explosiveness of fraud sites with LE certs.

    In fact they don't even have to worry about bad investments.. as we know, they cycle domains a lot due to reports and user flagging. Buying SSL for all fraud domains would take more cash than they make in a year, but with LE they'll have just that for all of their domains without any cost in time or money.

  • joepie91 Member, Patron Provider

    stefeman said: So rather than fix the problem first,

    Then please tell me how you plan to "fix the problem" without forcing the hand of those causing it. People have been trying this for years without success, because it's too profitable to keep spreading misinformation.

    stefeman said: it took them 2 weeks to revoke a cert to a fake Nordea banksite I reported.

    They shouldn't even revoke that certificate.

  • stefeman Member
    edited July 2017

    I would fix the problem with media campaign and time and cheap certificates instead of free stuff to abuse, while majority of the people trust/relies on the technology.

    @joepie91 said:
    They shouldn't even revoke that certificate.

    So you are saying that it's okay to get a certificate for a phishing website intended to steal funds/personal information by borrowing the name of another entity/company? On top of that it was part of an email scam campaign attempted to gain access to victim's bank accounts.

    Not to say about the clear ToS Let's Encrypt has about taking down phishing sites? Are you running such operation yourself then, or why are you saying that?

    How would you feel if I registered similar domain to your hosting company and got SSL for it and started targeting your users with your own template to make harm to your customers in your name? ofc none of them would be stupid enough to fall for it, but if you were in another industry area, you'd be fucked or at least annoyed for me using your name to scam people.

  • Edmond Member

    It's a nice thing that they'll make LE wildcard friendly, thought they weren't going to do such thing and I'd just have to stick with a list of subdomains in my cert...

    They should make getting LE certificates a bit harder, like maybe your account needs to be at least two weeks old and requires text verification?

  • @stefeman said:

    @William said:

    stefeman said: So rather than fix the problem first, let's just hand the weapons of destruction to the hands of terrorists hoping people get wiser? Sure, things are changing fast now, but at what cost?

    To stay within your example - any terrorist can buy these weapons in no time.

    Why would they buy it when they can have it for free.. in mass quantities? They're over deciding whether to buy or not.. they can just get one for free.. and very easily.. and this changes things as we see in explosiveness of fraud sites with LE certs.

    In fact they don't even have to worry about bad investments.. as we know, they cycle domains a lot due to reports and user flagging. Buying SSL for all fraud domains would take more cash than they make in a year, but with LE they'll have just that for all of their domains without any cost in time or money.

    They are not weapons. It's like saying "don't sell safes because people can hide drugs in them" or "don't encrypt data because the terrorists can use it to transmit their secret c0des". Yes, you can hide drugs in safes, but there are other purposes for safes... Yes, you can transmit secret bombing plans over an encrypted line, but there are other reasons for data encryption.

    Yes, you can get an SSL cert for your fraud website, but people need certs for other things as well...

    As a high school student, I would rather not pay $100+ dollars for a wildcard cert when I need one... I just don't have that kind of money.

  • joepie91 Member, Patron Provider

    stefeman said: I would fix the problem with media campaign and time and cheap certificates instead of free stuff to abuse, while majority of the people trust/relies on the technology.

    Been tried, doesn't work.

    stefeman said: So you are saying that it's okay to get a certificate for a phishing website intended to steal funds/personal information by borrowing the name of another entity/company? On top of that it was part of an email scam campaign attempted to gain access to victim's bank accounts.

    Except you're not, from a TLS point of view. Again, a DV certificate only assures the client that the server they are talking to is controlled by the same person that also controls the domain. This has nothing to do with "another entity/company", and is therefore out of scope, and not a valid reason to revoke anything - the cert is not compromised nor was it incorrectly issued.

    Now if an EV certificate was issued incorrectly to an impersonator, or a DV certificate for the real bank's domain were issued, sure, that would be valid reasons for revocation. But in this case, a certificate for somephishingsite.com was issued to a server controlled by the same person who controls the somephishingsite.com domain, and therefore the certificate is valid and should not be revoked.

    What's on the site is irrelevant from a TLS perspective. The only purpose of TLS is to encrypt the connection and secure it from MITM attacks.

    stefeman said: Not to say about the clear ToS Let's Encrypt has about taking down phishing sites? Are you running such operation yourself then, or why are you saying that?

    I'm saying that because I actually understand how TLS works and how it is designed, and because revoking certificates of phishing sites is a dangerous slippery slope with unclear legal definitions that very quickly turns into political issues. TLS certificates of controversial sites have been revoked in the past for ToS-related reasons.

    TLS should remain strictly a technical security measure providing transport encryption. It shouldn't become an umbrella for all kinds of political access control mechanisms. Therefore, any kind of revocation, for any reason other than "not issued in accordance with what TLS is designed for", is undesirable, regardless of the circumstances.

    And no, I do not run phishing sites. Even if I were ethically okay with it, I'd be a moron to do so, given how public I am about my identity.

  • stefeman Member
    edited July 2017

    I do get your point, but we are fucking the comma here. Take Nordea.fi for example.. If there is a domain Nordeaa.fi with exactly the same website with clear intention of using the SSL to represent the original site, would it not be justified to revoke that certificate because of the sole reason of intended abuse even if DV only assures the validation of Nordeaa.fi and should not be held as related to Nordea.fi

    In the case of somesite.com and someesitee.com where both websites have different purpose and outlook with no relation to each other from either side, then ofc I would support for not revoking certificate from either site even if one requests so by finding out the other.

  • hzr Member
    edited July 2017

    stefeman said: So you are saying that it's okay to get a certificate for a phishing website intended to steal funds/personal information by borrowing the name of another entity/company? On top of that it was part of an email scam campaign attempted to gain access to victim's bank accounts.

    A domain is a domain, a DV validates that the requestor has appropriate access to that domain and nothing more. If someone owns paypallegit.xxx and requests a cert for it and can demonstrate proper control over the domain, it can and should be issued.

    If PayPal for example gets that domain seized/taken, then they can request a revocation as the new owner of the domain after completing a challenge-response demonstrating control.

    stefeman said: I do get your point, but we are fucking the comma here. Take Nordea.fi for example.. If there is a domain Nordeaa.fi with exactly the same website with clear intention of using the SSL to represent the original site, would it not be justified to revoke that certificate because of the sole reason of intended abuse even if DV only assures the validation of Nordeaa.fi and should not be held as related to Nordea.fi

    When Nordea.fi gets Nordeaa.fi seized and take control of the domain, they can validate they own the domain and revoke certs. If it's from LE, revocation is automated after you demonstrate you control the domain it's issued for. Intention has zero matter, only access to the domain.

    Thanked by 1nulldev
  • stefeman said: would it not be justified to revoke that certificate

    No, the FI registry should disable the domain, as their legal obligation is. Assuming the hosting provider will not before them anyway.

  • @stefeman said:
    I do get your point, but we are fucking the comma here. Take Nordea.fi for example.. If there is a domain Nordeaa.fi with exactly the same website with clear intention of using the SSL to represent the original site, would it not be justified to revoke that certificate because of the sole reason of intended abuse even if DV only assures the validation of Nordeaa.fi and should not be held as related to Nordea.fi

    Without court order LE shouldn't take any action

This discussion has been closed.