Let's Encrypt Wildcard Certificates Coming in January 2018 - Page 3
Comments

  • Zerpy Member

    @yokowasis said:
    Cloudflare has issued free wildcard SSL for some time now. Why are people raging when LE does it?

    Because Let's Encrypt certs are installed on your own servers and not on some anti-DDoS-ish / CDN-ish provider.

    So it's great news for us people that do not like CloudFlare for various reasons :-) Such as the fact they decrypt traffic on their edges.

  • jvnadr Member

    @joepie91 @bsdguy Get a room :)

  • yokowasis said: No source, take my word for it. Moreover, it expires years from now.

    Nope, that's not a wildcard SSL cert. To make sure, check your Common Name. The maximum expiry date for an SSL cert is 3 years; your screenshot shows one too far in the future :-)

  • Zerpy Member

    @sibaper said:

    yokowasis said: No source, take my word for it. Moreover, it expires years from now.

    Nope, that's not a wildcard SSL cert. To make sure, check your Common Name. The maximum expiry date for an SSL cert is 3 years; your screenshot shows one too far in the future :-)

    Edge certificates are wildcard - feel free to verify here: https://cdn-traffic.com/

    The certificate that @yokowasis shows is one of their origin certificates, and those are indeed wildcard certificates as well... but they're signed by CloudFlare and would not be validated by any decent browser anyway. But ya, the edge ones are issued by Comodo, and as you can see, they put a whole lot of domains on the same cert:

    Thanked by 1sibaper
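    What makes a certificate a "wildcard" one is a `*.` label in its names (the Common Name and, more importantly for modern browsers, the Subject Alternative Names), and as Zerpy notes one shared edge certificate can carry such names for many unrelated domains. The following Python is an added example, not code from this thread or from any of the providers discussed: it implements the hostname-matching rules a TLS client applies to such a name list (RFC 6125 style, with the wildcard required to be the whole leftmost label and standing for exactly one label), run over a constructed SAN list with made-up `.example` names.

```python
"""Wildcard certificate name matching, as a TLS client performs it.

Constructed example: the SAN list below is made up for illustration and
does not come from any real certificate.
"""
from __future__ import annotations

# Constructed SAN list standing in for a shared edge certificate that
# carries wildcard names for several unrelated customer domains.
SAMPLE_SAN = [
    "shared-edge-0001.example",      # constructed placeholder host
    "*.customer-a.example",
    "customer-a.example",
    "*.customer-b.example",
]


def is_wildcard_cert(names: list[str]) -> bool:
    """A certificate is a wildcard certificate if any name begins with '*.'."""
    return any(n.startswith("*.") for n in names)


def _name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a hostname.

    Rules follow RFC 6125 section 6.4.3, tightened as the CA/Browser Forum
    requires: '*' must be the entire leftmost label and nothing else.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard allowed only as the whole leftmost label: '*.example.com',
    # not 'w*.example.com', 'foo.*.example.com' or a bare '*'.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # '*.com' would cover every domain under a TLD; require at least two
    # fixed labels to the right of the wildcard.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so label counts must agree:
    # '*.example.com' covers 'www.example.com' but neither 'example.com'
    # nor 'a.b.example.com'.
    if len(h_labels) != len(p_labels):
        return False
    # A wildcard does not match an internationalised A-label ('xn--...').
    if h_labels[0].startswith("xn--"):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_name(names: list[str], host: str) -> str | None:
    """Return the first SAN entry that covers host, or None when the
    certificate does not cover it (a browser shows a name mismatch)."""
    for name in names:
        if _name_matches(name, host):
            return name
    return None


def covers(names: list[str], host: str) -> bool:
    """True when some name in the certificate covers host."""
    return matching_name(names, host) is not None


if __name__ == "__main__":
    for h in ["www.customer-a.example", "customer-a.example",
              "deep.sub.customer-a.example", "customer-b.example",
              "WWW.Customer-B.example"]:
        print(f"{h:30} -> {matching_name(SAMPLE_SAN, h)}")
```

    Note that `*.customer-b.example` alone does not cover the bare `customer-b.example`; a certificate that should cover both needs the apex name listed separately, which is why real wildcard certificates usually carry both entries.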
  • Zerpy said: Edge certificates are wildcard - feel free to verify here: https://cdn-traffic.com/

    Thanks for pointing that out.

  • joepie91 Member, Patron Provider
    edited July 2017

    Fuckssake man, know when to cut your losses.

    @bsdguy said:
    @joepie91

    libcrypto implements pretty much all of the crypto in *ssl. Moreover libcrypto contains all that is needed for public key exchange and other vital elements for ssl/tls. One could even say that *ssl is but a library wrapper around libcrypto offering some ssl functionality ssh (and many others) doesn't need but web related stuff needs.

    No, it doesn't implement "SSL functionality". It "provides the fundamental cryptographic routines used by libssl" (source) which, you guessed it, are generic cryptographic routines that are not inherently related to SSL but happen to be used in it and are often treated as the default implementation on Linux systems.

    It's a generic cryptography library, that implements routines that are used by both SSH and SSL - but that doesn't mean that SSH "uses SSL". Perhaps a diagram will help you understand:

    While you continue to dabble in protocols theory and (rather uninformed) ssl/tls evangelization, we do have real and serious problems in the field of IT security.

    To offer just one example (that happens to currently be in the news) -> https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html

    That problem class is related to both crypto (largely being absent or primitive) and to scada being a security nightmare.

    Okay? This has absolutely zero to do with TLS whatsoever.

    Another and deeper problem class is that we have to choose between either algorithms that are well established and understood but based on only 2 security reductions, namely rsa and ecc, or rather new algorithms that unlike the current ones are supposed to be post-quantum secure but are not yet well enough understood, let alone established (e.g. lattice or hash based crypto).
    And as if that weren't frightening enough, vast bodies of security related software (like servers and browsers) are riddled with quite questionable implementations and lots of errors yet to be found, some of them fatal.

    Again, unrelated to TLS.

    You see, I shit on the protocols and standards you love to wave around. Simple reason: they are worthless unless they are a) formally verified and b) properly specified, modelled, and implemented in a verifiable way.
    Guess what: tls 1.3 is the first tls version that has at least been properly specified.

    Source please.

    Without being formally specified and modelled a protocol is but toilet paper. Besides some (laudable) security fanatics who work on implementing tls in F* (which, however, is practically quite useless) tls is implemented once more in C, a language that cannot possibly be used to create verifiable code.

    No, it isn't. OpenSSL is implemented in C, not "TLS". TLS is a protocol of which many implementations exist. I don't know how many times I need to repeat this to you before the penny drops.

    So forgive me if my patience with Mr. "crypto is my hobby" is rather limited. If you really care more than a rat's ass about security you should actually be happy about people like me.

    Why would I be? You're not actually arguing anything that's constructive towards improving security, you're just blathering on about your completely flawed understanding of how modern TLS stacks work, drawing conclusions from it that make absolutely no sense, and bragging about how supposedly qualified you are.

    If I care about security - which, for the record, I do, or I wouldn't be here debunking your bullshit - then the value of your contributions approximates zero. You're all talk and no substance, and making factually incorrect proclamations about current tooling isn't going to improve on that tooling.

    But, you see, patiently discussing with you and ever so slooooowly moving you towards the lights might be a laudable goal; unfortunately, however, there are medical systems, weapon systems, air control systems, nuclear systems and the like waiting to be taken out of the danger zone.

    Again, totally unrelated to TLS, and drop the arrogance. It's of zero value in a technical discussion.

  • Cloudflare has a CA certificate. We shouldn't be worried about it getting invalidated by popular browsers. And I am using it myself; I have no problem whatsoever. And yeah, the certificate itself is shared. But free wildcard SSL is free wildcard SSL. It serves its purpose. The only downside is you must use the orange cloudflare, otherwise it won't work.

  • Good news! At first, when LE went public, I didn't use it and wanted to wait and see. At the beginning my doubts were validated by some really funny incidents on sites using LE. It matured however, and I now love LE. WC SSL from LE will be awesome. Won't have to bother anymore with getting new certificates for every new domain.

  • nulldev Member
    edited July 2017

    @joepie91 @bsdguy
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

  • @nulldev said:
    @joepie91
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    I actually agree with @joepie91 on these points, and the reason I haven't voiced my opinion is because he is making much better arguments than I ever could.

    Thanked by 1maverickp
  • nulldev Member
    edited July 2017

    @teamacc said:

    @nulldev said:
    @joepie91 @bsdguy
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    I actually agree with @joepie91 on these points, and the reason I haven't voiced my opinion is because he is making much better arguments than I ever could.

    Obviously some people do agree with joepie91 bsdguy but the fact that Let's Encrypt is able to do what they do is because the majority do not agree.

  • @nulldev said:

    @teamacc said:

    @nulldev said:
    @joepie91
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    I actually agree with @joepie91 on these points, and the reason I haven't voiced my opinion is because he is making much better arguments than I ever could.

    Obviously some people do agree with joepie91 but the fact that Let's Encrypt is able to do what they do is because the majority do not agree.

    I do not see your point unless cloudflare is filtering out the sarcasm tags.

    Thanked by 1caracal
  • nulldev Member
    edited July 2017

    @teamacc said:

    @nulldev said:

    @teamacc said:

    @nulldev said:
    @joepie91 @bsdguy
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    I actually agree with @joepie91 on these points, and the reason I haven't voiced my opinion is because he is making much better arguments than I ever could.

    Obviously some people do agree with joepie91 bsdguy but the fact that Let's Encrypt is able to do what they do is because the majority do not agree.

    I do not see your point unless cloudflare is filtering out the sarcasm tags

    What I'm trying to say is: "Let's Encrypt" obviously does not verify that a domain belongs to a specific legal entity before issuing a certificate for that domain. Nor does Cloudflare (who also gives out free SSL certs). Let's Encrypt is backed by several large companies and has millions of users. Same as Cloudflare.

    In conclusion, from these facts, I believe I can assume that since Let's Encrypt and Cloudflare do not verify that a domain belongs to a specific legal entity (for which they issue certificates), they do not believe that SSL certificates should validate that a system belongs to a specific legal entity. If they did, they would validate the domains with the corresponding legal entities before certificate issuance, or else their certificates would be worthless.

    The fact that Let's Encrypt has been authorized to begin issuing wildcard certificates further strengthens my conclusion.

  • joepie91 Member, Patron Provider

    @nulldev said:
    @joepie91
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    Uh, you're addressing the wrong person. It's @bsdguy who claimed that "SSL certs are designed to validate that a system belongs to a legal entity". Parts of my ongoing arguments are to dispel that myth and a number of other (more dangerous) myths.

  • nulldev Member
    edited July 2017

    @joepie91 said:

    @nulldev said:
    @joepie91
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    Uh, you're addressing the wrong person. It's @bsdguy who claimed that "SSL certs are designed to validate that a system belongs to a legal entity". Parts of my ongoing arguments are to dispel that myth and a number of other (more dangerous) myths.

    Whoops, you're right. I tagged the wrong guy. It's supposed to be @bsdguy. Fail, editing previous posts to reflect this epic fail.

    Thanked by 1joepie91
  • joepie91 Member, Patron Provider

    @nulldev said:

    @joepie91 said:

    @nulldev said:
    @joepie91
    What's the point of all this bickering? In the end SSL/TLS may be badly implemented but your definition: "SSL certs are designed to validate that a system belongs to a legal entity" is clearly not accepted by the majority of people. It's not getting any closer either.

    Give it up man, you are fighting a losing battle here.

    Uh, you're addressing the wrong person. It's @bsdguy who claimed that "SSL certs are designed to validate that a system belongs to a legal entity". Parts of my ongoing arguments are to dispel that myth and a number of other (more dangerous) myths.

    Whoops, you're right. I tagged the wrong guy. It's supposed to be @bsdguy. Fail, editing previous posts to reflect this epic fail.

    No worries, I'd imagine it's easy to lose track of people when novel-sized replies start appearing :)

    Thanked by 1vimalware
  • bsdguy Member

    @joepie91 said:
    It's a generic cryptography library, that implements routines that are used by both SSH and SSL - but that doesn't mean that SSH "uses SSL". Perhaps a diagram will help you understand:

    $ apt-cache search libcrypto
    ...
    libssl-dev - Secure Sockets Layer toolkit - development files
    libssl-doc - Secure Sockets Layer toolkit - development documentation
    libssl1.1 - Secure Sockets Layer toolkit - shared libraries
    libssl1.0-dev - Secure Sockets Layer toolkit - development files
    libssl1.0.2 - Secure Sockets Layer toolkit - shared libraries
    r-cran-openssl - GNU R toolkit for encryption, signatures and certificates based on OpenSSL
    libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
    
    $ apt-file search libcrypto.so
    libssl-dev: /usr/lib/x86_64-linux-gnu/libcrypto.so
    libssl1.0-dev: /usr/lib/x86_64-linux-gnu/libcrypto.so
    libssl1.0.2: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2
    libssl1.1: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
    

    Again, totally unrelated to TLS, and drop the arrogance. It's of zero value in a technical discussion.

    I don't see a technical discussion; you simply lack the qualification. You talk as if you were someone in security yet do not even know about tls 1.3 formal spec ... ridiculous.

    @William said:
    This is a CA code bug, not a security issue of TLS/SSL.

    Well, obviously it's not as the client side plays an important part, too.

    As for the rest: Well, good luck with theoretically "secure" ssl/tls. Here in the real world security depends on implementations.

    @all

    As the point has been reached where "the majority" and "big companies are behind it, so it must be good" are used as an argument I end that discussion for my part and wish you all good luck with LE, big companies, and the majority (btw: what's the take of insects on security? After all they are far more than we are).

  • joepie91 Member, Patron Provider

    [snipped apt results]

    And what is your point here, exactly? None of that output contradicts what I just explained to you - unless you're trying to imply that the package being named libssl means that it just contains libssl (which it does not, and is a Debian packaging quirk).

    Seriously, you're grasping at straws here to try and defend your claim that even a small amount of research would show is total nonsense. I've even linked you the page on the OpenSSL site that explains it.

    bsdguy said: I don't see a technical discussion; you simply lack the qualification.

    You keep going on about "qualifications", yet 1) you're continuously making provably false statements showing an extremely poor understanding of the subject matter, and 2) you've never even asked for my qualifications.

    And seriously, do you really believe that jabbering on about "qualifications" somehow makes factually wrong statements correct or vice versa? You've made a considerable pile of patently false claims, it's as simple as that. No amount of "qualifications" will change that, and if you're unable to have a technical discussion on its own merits, you're not worth the qualifications you claim to have.

    bsdguy said: You talk as if you were someone in security yet do not even know about tls 1.3 formal spec ... ridiculous.

    It has nothing to do with me knowing or not knowing things. It has to do with me expecting you to back up your claims, which you are currently failing to do. The one making the claim bears the burden of proof.

  • bsdguy Member

    @joepie91 said:

    It has nothing to do with me knowing or not knowing things. It has to do with me expecting you to back up your claims, which you are currently failing to do. The one making the claim bears the burden of proof.

    Wrong again. Obviously you lack experience in academics and engineering. Established knowledge in a professional field need not be proven but is considered to be known.

    Anyway, enjoy what you seem to consider a victory.
    I simply do 2 things: a) I'm continuing to work on sound and safe software, and b) I'm enjoying the next big bad surprise in your funny "ssl/tls/LE is great and secure" universe ;)

  • joepie91 Member, Patron Provider

    bsdguy said: Obviously you lack experience in academics and engineering. Established knowledge in a professional field need not be proven but is considered to be known.

    You are kidding, right? Please tell me you're kidding.

    This is just the old "that's common sense" non-argument repackaged in a more authoritative-sounding form. If it really is established knowledge, it should be trivial for you to support your claim. The fact that you refuse to do so tells me enough.

  • So, @bsdguy decided to grab about how SSL sucks because every SSL cert should actually be an EV SSL cert that verifies the company/organization? (I need a TL;DR)

  • WSS Member

    JESUS CHRIST GUYS JUST FUCK AND GET OVER IT. I need some attention, too.

  • huntercop Member
    edited July 2017

    image

    note from mod: I tried to edit your post because your image was broken, but even with a proper img src tag, it doesn't work.

  • raindog308 Administrator, Veteran

    luissousa said: I need a TL;DR

    1. Very soon even your toaster will have an SSL cert because now you can wildcard LE. LE certs will be EVERYWHERE. Your mother will have one. Your navel will have one. Every time you flush the toilet, you'll be flushing away SSL certs but no one will care because they're going to be like electrons now.

    2. But this also means your bank is actually a web site in Latveria run by Dr. Doom.

    3. So is LowEndTalk. Didn't check the padlock did you? Fool! I warned you all.

    4. People had sex with punctuation in this thread. Ironically, it was not with a colon. Fortunately, the punctuation was not on its period.

    5. The .fi registry has partnered with the Russian Mafia on numerous occasions to run phishing campaigns. Bastards.

    6. You should all be using libressl. (OK no one said that here but consider it a PSA about openssl, which ironically is not written by the same people who wrote open-everything-else. Man this thread is just dripping with irony.)

    7. Some people think EV certs are a big scam because they don't check that the owner is who he claims to be and is the owner of a given domain even though that's exactly what EV issuers do and in fact it's kind of a drawn-out pain in the colon (not the punctuation in this case).

    8. LE is merely a puppet, dancing to the strings of the sinister global browser mafia. We know this because there is reason to believe this.

    9. Apparently LE is unnecessary because we should all just be using our own self-signed certificates because that protects us against MITM attacks and in fact protects us better than Let's Encrypt.

    10. Some people just opt out of the reality consensus.

    11. @stefeman achieved self actualization because his greatest shitstorm dreams were realized. I hope this is just a preliminary effort because the guy's got talent.

    12. @jarland was compared to Einstein, though most of us read that as Einstein being compared to @jarland, and laughed derisively. I mean, give me a break...it's a provable fact that Einstein never wrote shell scripts, never created iptables rules, and never even installed Linux once so comparing him to @jarland is pretty laughable.

    13. @jarland personally delivered every AOL CD ever made, and long after the planet has turned into a hellish greenhouse-gas-powered flesh-melting furnace, his fingerprints will still be buried in landfills for another 20,000,000 years. He is mankind's legacy.

    14. @jarland's career has gone in a better direction since he was 16. Most of the people he deals with now can find their keyboards.

    15. Ad hominems still don't win arguments on the Internet.

    16. Discursive seppuku was observed.

    17. I told you this thread was dripping with irony.

    18. @joepie91's domain is still cryto.net

    19. ssh uses ssl, except it doesn't. Also, there was once a bug that mortals were not privy to and this makes C, browsers, and pretty much the entire Internet forever unusable.

    20. There was some scatplay talk involving protocols, but you'll have to read that part on your own because I don't feel like going there.

    21. @Cartman loves Let's Encrypt so much they're getting married. Mazel Tov, @Cartman!

    22. Opinion: the comment style pioneered by Pascal was, is, and shall always be ugly. It's Wirthless.

    23. @bsdguy is riding into the fucking danger zone.

    24. We have to replace all the C code because it's not l33t enough.

    25. Because of CloudFlare, you might think you're going to carol.host but actually be going to chuck.host. Doors have been opened and lives have been changed due to experiences like that.

    26. @WSS needs to spoon.

    27. Haribo Happy Cola gummi candies are awesome. I ate a whole bag of them while reading this thread and now I feel kind of sick but also kind of good.

    Sorry, that was too long.

    tl;dr of the tl;dr: You are not formally statically verified and hence you are scum.

  • WSS Member

    @raindog308 lets cuddle

    Thanked by 1luissousa
  • NanoG6 Member

    @raindog308 your summary is even longer than the originals.
    I only read the tl;dr of the tl;dr.

  • WSS Member

    i am so totally registering bsdg.uy

  • willie Member

    bsdguy said: I'm continuing to work on sound and safe software,

    When will we see some of it?

  • @raindog308 said:

    luissousa said: I need a TL;DR

    1. Very soon even your toaster will have an SSL cert because now you can wildcard LE. LE certs will be EVERYWHERE. Your mother will have one. Your navel will have one. Every time you flush the toilet, you'll be flushing away SSL certs but no one will care because they're going to be like electrons now.

    2. But this also means your bank is actually a web site in Latveria run by Dr. Doom.

    3. So is LowEndTalk. Didn't check the padlock did you? Fool! I warned you all.

    4. People had sex with punctuation in this thread. Ironically, it was not with a colon. Fortunately, the punctuation was not on its period.

    5. The .fi registry has partnered with the Russian Mafia on numerous occasions to run phishing campaigns. Bastards.

    6. You should all be using libressl. (OK no one said that here but consider it a PSA about openssl, which ironically is not written by the same people who wrote open-everything-else. Man this thread is just dripping with irony.)

    7. Some people think EV certs are a big scam because they don't check that the owner is who he claims to be and is the owner of a given domain even though that's exactly what EV issuers do and in fact it's kind of a drawn-out pain in the colon (not the punctuation in this case).

    8. LE is merely a puppet, dancing to the strings of the sinister global browser mafia. We know this because there is reason to believe this.

    9. Apparently LE is unnecessary because we should all just be using our own self-signed certificates because that protects us against MITM attacks and in fact protects us better than Let's Encrypt.

    10. Some people just opt out of the reality consensus.

    11. @stefeman achieved self actualization because his greatest shitstorm dreams were realized. I hope this is just a preliminary effort because the guy's got talent.

    12. @jarland was compared to Einstein, though most of us read that as Einstein being compared to @jarland, and laughed derisively. I mean, give me a break...it's a provable fact that Einstein never wrote shell scripts, never created iptables rules, and never even installed Linux once so comparing him to @jarland is pretty laughable.

    13. @jarland personally delivered every AOL CD ever made, and long after the planet has turned into a hellish greenhouse-gas-powered flesh-melting furnace, his fingerprints will still be buried in landfills for another 20,000,000 years. He is mankind's legacy.

    14. @jarland's career has gone in a better direction since he was 16. Most of the people he deals with now can find their keyboards.

    15. Ad hominems still don't win arguments on the Internet.

    16. Discursive seppuku was observed.

    17. I told you this thread was dripping with irony.

    18. @joepie91's domain is still cryto.net

    19. ssh uses ssl, except it doesn't. Also, there was once a bug that mortals were not privy to and this makes C, browsers, and pretty much the entire Internet forever unusable.

    20. There was some scatplay talk involving protocols, but you'll have to read that part on your own because I don't feel like going there.

    21. @Cartman loves Let's Encrypt so much they're getting married. Mazel Tov, @Cartman!

    22. Opinion: the comment style pioneered by Pascal was, is, and shall always be ugly. It's Wirthless.

    23. @bsdguy is riding into the fucking danger zone.

    24. We have to replace all the C code because it's not l33t enough.

    25. Because of CloudFlare, you might think you're going to carol.host but actually be going to chuck.host. Doors have been opened and lives have been changed due to experiences like that.

    26. @WSS needs to spoon.

    27. Haribo Happy Cola gummi candies are awesome. I ate a whole bag of them while reading this thread and now I feel kind of sick but also kind of good.

    Sorry, that was too long.

    tl;dr of the tl;dr: You are not formally statically verified and hence you are scum.

    I really missed the Einstein and @jarlands part.

    I think we should name your new style tho! Maybe a TS;ML: too short, made it longer.

    Thanked by 1joepie91
  • ricardo Member
    edited July 2017

    raindog308 said: We have to replace all the C code because it's not l33t enough.

    This is true. Other languages written by the Gods are Turing complete and agree with the basic axioms of mathematics. C is written with breadsticks. The machine code it makes is 'just silly'.

    It would've been amusing to hear the logic behind the statement but I get the feeling it'll never come.

This discussion has been closed.