Comments
Don't waste money on multi-year certificates. They will stop working soon!
https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/
Trying this tutorial with Ubuntu, then will try same with CentOS, will post the results.
Thanks to all. This is what LET is
Yeah, it certainly is different with the certs only lasting 3 months. Luckily there are tools like acmebot, getssl, and acme.sh that have way more features than certbot and would make deploying and managing a large network much easier.
LET = 50 requests per week.
For huge system (as is our HPE iLO) it is really hard to implement. But not impossible...
Cheers
GO + GET + SSL = GoGetSSL(.)com
I am confirming here, with acme.sh and Cloudflare DNS, the actual effort is about 5 to 10 minutes, with the env variables below.
CF_Token
CF_Account_ID
I need to schedule a crontab for renewal, which we will explore soon. Thanks all for your great insight and lecture.
LET === User Enlightened Territory
Why? Tell us ...
You say that based on what facts?
I suggest that you either extend your statement to "all certs are for people who are too stupid" or that you accept that there are differences. And some companies and organisations actually want to publicly make the statement "We don't only have our domain [access] verified but also us, the legal entity" and possibly even in an extended version.
That said, Yes, I also doubt the whole PKI based system. A DV is utterly useless, an OV isn't much more useful (because their "verification" is rarely actually verifying anything) and even an EV isn't worth a whole lot although it's the one "verification" that at least comes close to something like a verification.
Plus, the whole shebang is based on crappy software.
But then don't forget what the real reason for the whole show was. It was the fact that doing business via/on the internet turned out to be hard because people didn't trust "that new thing", so there was a need for all the banks, merchants, etc. to convince people that they can buy, do banking, etc. via/on the internet without security risk.
In other words, the whole PKI was basically just what psychologists call an anchor, a useful device for what can (and probably should) be seen as a large PsyOP. The target, at least the primary target, was not to create or enhance security but to make people trust "that new thing", the internet.
Just a curious question, what is the actual reason EV and OV not supported by browsers anymore?
no need to set crontab manually, lets acme.sh do that for you.
run
acme.sh list
to list certs
Sorry, I did not get it, do you mean the install script sets it up automatically, it will renew automatically? That will be super awesome.
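The procedure the two posts above describe (DNS-01 issuance through the Cloudflare hook, then letting acme.sh schedule its own renewals), as an added example that is not from any post in this thread. It assumes acme.sh is installed under $HOME/.acme.sh and uses example.com as a placeholder domain; nothing is sent to the CA unless ACME_DEMO_RUN=1 is set.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: issue a Let's Encrypt
# certificate with acme.sh through its Cloudflare DNS-01 hook (dns_cf), which
# reads the CF_Token and CF_Account_ID variables named above, then let acme.sh
# install its own renewal cron job. Assumes acme.sh lives at $HOME/.acme.sh.
# The real commands only run when ACME_DEMO_RUN=1; otherwise it is a dry run.
set -eu

ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"

# Preflight: the dns_cf hook needs both variables. An empty token is a common
# cause of a renewal that fails quietly inside cron, so check it up front.
require_cf_env() {
    if [ -z "${CF_Token:-}" ] || [ -z "${CF_Account_ID:-}" ]; then
        echo "error: export CF_Token and CF_Account_ID first" >&2
        return 1
    fi
}

# The issue command for one domain, returned as text so it can be shown in a
# dry run or checked before anything touches the CA.
issue_cmd() {
    printf '%s --issue --dns dns_cf -d %s' "$ACME" "$1"
}

issue_and_schedule() {
    require_cf_env || return 1
    if [ "${ACME_DEMO_RUN:-0}" = 1 ]; then
        $ACME --issue --dns dns_cf -d "$1"
        $ACME --install-cronjob   # acme.sh renews its own certs from cron
        $ACME --list              # confirm the cert is tracked for renewal
    else
        echo "dry run: $(issue_cmd "$1")"
        echo "dry run: $ACME --install-cronjob"
    fi
}

# Constructed invocation; the domain is a placeholder.
issue_and_schedule "${DOMAIN:-example.com}" || echo "nothing issued" >&2
```

After the first run, `acme.sh --list` shows every certificate the cron job will keep renewing.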
They are still 'supported', there's just a handful of implementation problems, like regional company names, the fact that no normal 'non technical' user checks the cert details, etc.
For example: you can register the company PayPal Inc and get a legitimate EV cert issued - because you own the company - it's just not the same jurisdiction as the actual one.
The list really does go on.
This is just from the top of my head. I'm sure if you Google it you'll find even more reasons.
I think jsg is of the type that thinks the entire CA system and root chain of trust 'commercially' is all sorts of money printing bullshit and sites should be free to set up their own CA/pin their own keys and provide them in a separate channel and not have to pay a moneyprinting cartel for "trustworthy" certificates
I'll pick out just some basic point ...
free != better
Well, I've seen quite a lot of the contrary. One of the major problems with LE is related to short lifetime (of certs), getting a LE cert being automated, etc.
Which btw. also leads back to point 1: In fact LE is not free for many because they need time and efforts to set their system up. Many in fact prefer to pay 5$ to 10$ per year over the LE hassle.
Does it really? Hint 1: is the LE infrastructure and processes really secure? Hint 2: there are quite many "better/easier than LE's acme" scripts out there which actually get used.
The most important point is another one though: why do we want PKI and CA issued certs in the first place? The reason is NOT that we want encrypted connections; we can have those without certs and PKI, I do that almost daily.
The reason for PKI (and hence CAs and certs) is something entirely different. It is the fact that we want to be sure about really connecting to (or even getting contacted by) who we think the other side is.
So, what can a LE cert assure? The answer: a LE cert can assure us that at some point in time and for a short period of time some entity - whose identity is not verified - was technically in control of the domain and/or host.
Note that we do very often not know who that entity is nor whether it's still in control of the domain and/or host.
To drive that point home consider a case where a domain registrar (or an evil person there) automatically gets a LE cert for any domain sold during the sales process. There is little to nothing in place to protect a domain buyer from that. And btw. as the costs are optimal (zero) you might want to think again about some of your assumptions.
I personally use both, LE certs and purchased ones and I'm not too biased in favour of either. What's driving my decision? I use LE for anything where a cert is needed basically just to shut complaining browsers up. And I use purchased certs in the few cases where I want to offer some basic assurance, typically in business, because offering a LE cert during business transactions risks telling the customer that we are either too stupid or that we don't care shit about his interests and possibly both. The message "dudes, you lousy customer creatures just aren't worth paying 100$ or 200$ per year for what you consider a real cert" is very rarely a smart one.
Yes and no. First, I am someone who actually works on and with crypto almost every day. That also means that I'm someone who knows that we can have and use public key cryptography without PKI.
Many do not know that but think that all those things that start with "public key" are somehow interwoven and one must use the whole shebang. Which is wrong.
Public key cryptography aka asymmetric crypto is a form of crypto where each side has a public (and a private) key and which is typically used to create/find/agree some bitstring that is then known to both parties - and only to them - and used for symmetric crypto (like e.g. AES) which is much, much cheaper (in terms of computing) and faster.
Certs, and more generally PKI, only address one single point in that whole game: they associate an entity with a public key. That's it. The whole certificate and PKI circus basically serves that one point; it associates some with a public key. In a way it does what a notary does in the real world. One might also compare it to an official id document like a passport. A passport basically says that some physical living person (a) is who he say he is, and (b) there is a "guarantor", some entity that is in the position to make such a statement about people, typically a government agency.
In the online world one needs a cert (an "id document") for the same purpose one needs a real world passport: to sufficiently demonstrate that one is some real world entity, e.g. a person or a company.
LE can't possibly provide that. Nor can certificates from a commercial CA - with one very important exception: When buying a certificate from a commercial CA almost always some financial service providers are involved and the commercial CA does have some tangible real world related item like an account or credit card number. And those numbers are handed out by a business segment, financial service providers, which has had a need for identity verification for centuries plus it virtually always had/has been given considerable leeway by the kings, governments, etc.
Short version: A commercial cert is dimensionally more valuable than a LE cert. In fact even a 5$ commercial DV cert can demonstrate that someone is who he says he is - and hence actually provide what a cert is supposed to provide - while a LE cert can not. Note btw that a commercial CA cert does not even claim to do that! It just comes as a welcome side effect.
A commercial CA OV and in particular EV go beyond that by also verifying to some degree the requesting entity. While I doubt the value of OVs because I consider them to be just DVs with some added bureaucracy magic smoke they do provide one basic thing in that they formally provide the (really valuable) check of "information provided" vs. "information from the financial sector" (actually I think that's basically the only check CAs do for OVs).
A commercial EV cert on the other hand almost certainly goes beyond that and checks additional information although the financial sector information still is almost certainly the cornerstone.
That said I think that a lot could - and should - be done way better than it's done. In particular the whole PKI circus obviously hasn't been well thought about and designed. Example: CA, who are not by any means even coming close to something like a notary actually act as notaries in the PKI system. Another example: providing access to cert validity etc. is a distribution problem similar to DNS and should hence be handled by something like a DNS infrastructure albeit a much more secure one. Yet another and very important point is us, the entities; there should be a much better protocol and infrastructure that allows domain owners to control and tell which CA shall be in charge of our domains. Meanwhile some (frankly rather feeble) mechanisms exist but there is no sensible and mandatory solution.
TL;DR the whole PKI circus is basically an open festering wound. But there are actual tangible reasons to not (only) badmouth commercial CAs and to not blindly trust and bet on LE. Plus, LE does and can not provide the very service PKI is all about.
Unlike you, I won't cherry-pick what I will respond to in order to make myself look good. I'll respond line-by-line.
Their 50%+ market share will disagree with you. If free wasn't better, why are people switching to it?
Yes, if you're not going to set it up right (and test, monitor it), it's going to come back to bite you.
Yes, let's just ignore the process to buy that certificate, shall we?
It is never as simple as "Ah yes, let me just buy this $10 certificate. My boss will have my back".
Yes because you cannot have someone impersonate your SSL vendor since it's all automated.
Show me proof that it is less secure than the alternatives.
Your point being?
Show me how this is not true for all other SSL certificates.
Again, true for almost all other (paid) vendors.
Additionally, LE subscribes to Certificate Transparency so you can see if there is an SSL certificate issued for your domain if you buy it.
If you think the average user can tell the difference between free, $5, $10, $50, $200 non-EV SSL certificates then you are delusional. The average user will google "facebook login", end up on a phishing page, and not even realise.
I didn't "cherry-pick". I just didn't deem each and every point and line of your post needing (or deserving) a response.
No, it does not, because "high market share" != "proof of being better".
For many it's still not worth the trouble, they are not capable of doing it, etc.
Sorry, I'm not interested in examples and even less in "cherry-picked" ones.
Automation != safety/security. Plus, did you actually verify the software they use?
No need, because it was *you* who said, I quote
Software can contain quite ugly things ...
You missed the point of commercial certs actually having something related to the entity buying the cert, namely some financial info.
(a) but they are legally in a different position, (b) my point was not that commercial certs are always better but rather that commercial certs are not always a waste of money or otherwise worse than LE certs.
Nice, but you missed my point it seems.
Well, he certainly is able to listen e.g. to a friend who tells him how much easier it is ( especially for non-tech people) to pay 5$ or 10$ for a year and have it working easily.
Btw, my point is not "LE is bad or evil" nor is it "Praise Symantec" (whom I myself avoid like the plague) but rather that LE is not the only reasonable option and that commercial certs are not a nonsensical or bad option. That's why I myself use both types and I did write that clearly.
And my other point is that LE finally takes away the last advantage and reason to exist from certs and PKI - which, again, is not to allow for PK crypto but rather to allow for (well, at least some) certitude who is at the other side, e.g. at the online shop server.
Let's turn the tables.
You define better, and I'll have fun just saying "no, that doesn't mean it's better".
Don't throw the baby out with the bathwater
Unfortunately, people in the real world need their manager's approval to buy things with company money. If you think that's cherry-picked there really is nothing I can do to help you. Perhaps get a job and experience it for yourself?
At least you can. Good luck trying to audit your SSL vendor as a small fish.
"better than what it's replacing" does not imply "I can prove it's really secure" which is your quote. Nice strawman.
Proprietary software, even more-so. Open source, and open standards are only a good thing.
That's nonsense. I've bought many paid certificates in the past, and precisely zero have taken or verified any kind of financial info.
Your point, verbatim, was "To drive that point home consider a case where a domain registrar (or an evil person there) automatically gets a LE cert for any domain sold during the sales process. There is little to nothing in place to protect a domain buyer from that"
You have still yet to provide evidence that a paid vendor provides a different mechanism to prevent a bad actor buying a SSL certificate and then selling their domain.
Paid vendors are no better than free ones.
A paid vendor, like an MOT, demonstrates you controlled a domain at the point it was purchased. In the same way an MOT demonstrates your car was roadworthy at the time it was tested. No entity is going to prove continuous control.
No, it's you who've decided to change your point rather than finish the argument where you started. See above.
That's not great advice. Better advice would be: switch to a host who takes care of this for you.
LE is a stepping stone to having proper commercial vendors with ACME support. Without a concrete implementation, ACME is just a pipe-dream.
Trying to hold everything back because you're ingrained in some archaic, dated process to get SSL certificates is poor judgement. Sometimes you do have to cut off a diseased leg to save the body.
I think you're massively overestimating the number of people who care about this. You might, but most people who feel this way (in groups) are usually in an echo-chamber.
Even as someone fully technical, I never bother looking at the chain of trust for the sites I visit.
@danielhm
This is no cheap excuse but while typing (and already having typed quite a bit of response) I got caught by some stupid screen overlay asking me to verify that I'm human. So I will not try again to fully respond but keep it short:
The way I see it, you are basically fighting a "religious" war. I've seen that often being done for the holy good free and open software and it's evident that you book LE as similar enough to fight a "holy war".
I'm sorry but I'm not interested in those religious wars. Open source software - as well as LE - without a doubt does have good sides. But that does not mean that proprietary software and commercial CAs are all bad and evil.
While I'm in no way related to any commercial CA nor to certs I actually do work with - as well as on - crypto and a whole lot, almost daily. If you think you can go against someone like me with holy war blabla and zealotry, I'm sorry, that won't work.
Just one example: You say that commercial CAs never asked any financial info. Well, they didn't need to because you did pay after all. I'm not at all an expert in that field but I know that the mere act of paying gives them access to a whole lot of info from the financial sector. So they do have some real world data and reasonably credible ones.
Moreover you seem to assume that most certs are bought by large companies with procedures in place. For one I doubt that is right; small companies buy lots of certs too, plus in large corps once a procedure is established it usually is no trouble at all to repeat some purchase every year.
Be that as it may, we can discuss it, but not on the basis of a holy war. I'm not a lawyer or PR guy for commercial CAs and don't have the interest to convince you. My interest is largely technical and practical. Also note that not everyone paying for certs is an idiot. There are valid reasons although I agree that for the big crowd (largely individuals and non profit entities) LE may be a better choice.
Yeah, I'm done too. I wasn't even going to reply, but this caught my eye:
I hope you said this as a joke. Nobody in the world can help you see sense when you jump to conclusions like this.
This is so far from reality it's incomprehensible. The idea that ANY merchant gets access to ANY financial information about a payer just by virtue of paying a few dollars is simply laughable.
As an example, merchants don't even know if the payer's address with the bank is materially what the customer gave on the website because card AVS only compares the numbers, not the letters, in an address.
As an old man I have learned to accept a few things in life. Some people are highly enthusiastic about an issue, more so than me. If I find benefit in their enthusiasm, I listen - otherwise I just leave them alone to enjoy their own enthusiasm. Makes both parties happy. Just my thought for the day.
You mean this?
As far as I can tell, you're the only one around here who starts or engages in holy wars
As far as I can tell, no one around here has ever said otherwise
Wow, if I'm not mistaken, it's taken you two years (perhaps longer) to concede this. So, what, at the end of the day, are you arguing about?
First congrats for the thanks you got (and from whom ...).
I have three hints for you:
There are plenty of cases known of some kind of online (and even real world) shops/companies whose data have been breached/stolen - and one of the outcomes invariably was that sensitive financial data of their clients got in danger. Data like credit card data, account data, etc.
So unless you presume that commercial CAs get their payments magically there obviously is some financial data available to them via mere payment.
In many countries quite a bit of financial information can be obtained for some payment and some is even free. AFAIK (I'm not in bookkeeping) in many countries it's even quite normal to have subscriptions to such services. Enter some kind of a "handle" (like name, CC number, etc.) and get some financial info.
Maybe you missed the point. Even if the commercial CA does not try to get more fin. info on say their DV and OV clients, they at the very least have something like an account or CC number or similar. That's not much, granted, but it's way more than LE has.
Not really. CAAs are a nice attempt but (a) they are but one element, and (b) they are not mandatory and generally used.
First, congrats to your 63xxth post!
Interesting opinion. We want to stay polite, right?
Oh, I see my sin. Yes, the word used was "stupid". Thanks for pointing out even the most minute of details...
"Concede"? Strange perception, indeed. And mistaken, too, because I already clearly said that I personally use both LE and commercial certs.
I'm arguing about something different. Strange that you, the master of minute details failed to see that. My point never was "Never use LE!!!!". My point was (a) that LE is not better, at least not as generally as it is often suggested, and (b) that commercial certs are not simply and generally a waste of money. They can be useful and they can be worth the money.
And my point was that as far as I can tell, no one around here has ever argued against either (a) or (b), which (if correct) means that you've been arguing against a straw man all of this time. Seriously, has anyone around here claimed that (a) or (b) is not the case?
Now, it's okay as an exercise in debate to set up a straw man to argue against, but it's not great as a strategy in a real debate to imagine that the straw man is some real unnamed person if there isn't such a real unnamed person (because people will ask who exactly you are arguing against).
There is a simple rule: simply ignore what @jsg writes and don't reply to any of his garbage. It always ends up the same way. He will pull up some words he found on Wikipedia but doesn't understand, then adds more trash to create a wall of text so you waste even more time on it, and if whatever he writes gets pointed out as trash he will simply repeat it so you waste time on him again.
So let him waste his time but don't waste your time on him.
Then there was no need for you to mention religious/holy war in the first place.
In the context of the debate, I do view the statement that I cited as a concession, because I don't think that you've said this so unambiguously before. (But perhaps you have said this before and I missed it.)