Let’s Encrypt

ronjor · Nov 9, 2015

Why ninety-day lifetimes for certificates?
Nov 9, 2015 • Josh Aas, ISRG Executive Director

We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do.
Click to expand...

https://letsencrypt.org//2015/11/09/why-90-days.html

ronjor · Nov 12, 2015

Public Beta: December 3, 2015

Nov 12, 2015 • Josh Aas, ISRG Executive Director

Let’s Encrypt will enter Public Beta on December 3, 2015. Once we’ve entered Public Beta our systems will be open to anyone who would like to request a certificate. There will no longer be a requirement to sign up and wait for an invitation.
Click to expand...

https://letsencrypt.org//2015/11/12/public-beta-timing.html

ronjor · Dec 3, 2015

Entering Public Beta

Dec 3, 2015 • Josh Aas, ISRG Executive Director
We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt.

It’s time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.
Click to expand...

https://letsencrypt.org//2015/12/03/entering-public-beta.html

Minimalist · Jan 6, 2016

Let’s Encrypt Now Being Abused By Malvertisers

Unfortunately, the potential for Let’s Encrypt being abused has always been present. Because of this, we have kept an eye out for malicious sites that would use a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a malvertising server, with traffic coming from users in Japan. This campaign led to sites hosting the Angler Exploit Kit, which would download a banking Trojan (BKDR_VAWTRAK.AAAFV) onto the affected machine.
Click to expand...

http://blog.trendmicro.com/trendlab...ets-encrypt-now-being-abused-by-malvertisers/

summerheat · Jan 7, 2016

Minimalist said: ↑

Let’s Encrypt Now Being Abused By Malvertisers

http://blog.trendmicro.com/trendlab...ets-encrypt-now-being-abused-by-malvertisers/
Click to expand...

This Trend Micro report is heavily criticized by Google employee Ryan Hurst.

The first step in building a complex system or protocol that has any security needs at all is to model the threats that the system is exposed to. Without a deep understanding of the system and the threats it is exposed to it is not possible to effectively secure it from a motivated attacker.

A key part of this process is understanding the abilities, motivations and the perspective of the attacker. This not only helps you understand what it is they are looking for, but what they will do with the surface area they have access to.

I bring this up because today TrendMicro published a blog post titled “Let’s Encrypt Now Being Abused By Malvertisers” and after reading it, I am convinced the authors are not looking at this topic with that frame of mind. Additionally, it seems they either intentionally or unintentionally omit and/or misrepresent details that are imperative to understand the incident they discuss.

...

Let’s Encrypt issues only Domain Validated certificates. To put this in context today around 5% of certificates on the Internet are EV. This is important to understand in that the certificates issued by Let’s Encrypt are effectively no less “secure” or “validated” than the DV certificates issued by other Certificate Authorities. This is because all CAs are held to the same standards for each of the certificate types they issue.

...

If you want to see for yourself what Let’s Encrypt does for each of these requirements you can review their code, that said it is can be summarized as:

Proof of possession: Ensure the requestor can sign a message with the key that will be associated with their account and another for the key associated with their certificate.

Domain control: They support several mechanisms but they all require someone in control of the domain or host to perform an action only a privileged user could.

They also check the Public Suffix List (PSL) on each request. They use this to rate limiting certificate issuance of subdomains not on the PSL.

They also do not issue wildcard certificates.

Domain intent: They implement strict support for CAA records, if such a record is found and Let’s Encrypt is not listed the request will be denied.

Fraudulent usage: Every host or domain requested is checked against the Google Safe Browsing service.

This is, at a high level, the same thing every CA is supposed to do for every DV, OV or EV SSL certificate they issue. If they do not, they would not pass their WebTrust audit.

...

But what about the infamous Let’s Encrypt certificate issuance automation? Contrary to popular belief Let’s Encrypt is not the first, or even the only CA that automates 100% of the issuance process. They are also not the only ones who offer client automation to request the certificate and configure SSL.

...

There is a lot of FUD in the TrendMicro post so please bare with me.

...

The problem with this argument is that there really is nothing special about what Let’s Encrypt is doing. In fact, Netcraft recently did a post titled Certificate authorities issue SSL certificates to fraudsters where they find numerous other well-respected CAs have issued certificates to people who later used them for bad deeds.

...

DigiCert, GoDaddy, Namecheap as well as others have done their own variation of FUD pieces like this trying to discourage the use of “Free Certificates” and discredit their issuers. They do this, I assume, in response to the fear that the availability of free certificates will somehow hurt their business.
Click to expand...

deBoetie · Jan 7, 2016

Yeh, agree the Trend Micro report is drivel (specious as Hurst put it). But that's what you face when you try to improve things.

If Trend Micro want to make a difference, they'd be reducing the cost of "the most expensive collection of bits in the world".

ronjor · Mar 8, 2016

Let's Encrypt has issued its first million certificates
March 8, 2016 | By Peter Eckersley and Jacob Hoffman-Andrews

At 9:04am GMT today, the Let's Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We're very excited to be building a more secure and fully encrypted future for the World Wide Web.
Click to expand...

https://www.eff.org/deeplinks/2016/03/lets-encrypt-has-issued-million-certificates

ronjor · Mar 10, 2016

New Name, New Home for the Let's Encrypt Client

Mar 9, 2016 • Josh Aas, ISRG Executive Director

Over the next few months the Let’s Encrypt client will transition to a new name (soon to be announced), and a new home at the Electronic Frontier Foundation (EFF).

ronjor · Apr 1, 2016

ISRG Legal Transparency Report, July 2015 - December 2015

Apr 1, 2016 • Josh Aas, ISRG Executive Director
The trust of our users is ISRG’s most critical asset. Transparency regarding legal requests is an important part of making sure our users can trust us, and to that end we will be publishing reports twice annually. Reports will be published three months after the period covered in order to allow us time to research all requests and orders received during the period.
Click to expand...

https://letsencrypt.org//2016/04/01/legal-transparency-report.html

Minimalist · Apr 9, 2016

WordPress Enables Free HTTPS for All Blogs Using Let's Encrypt Certificates

Automattic has announced a partnership with the Electronic Frontier Foundation's "Let's Encrypt" project that will allow its technical staff to turn on and provide reliable and free HTTPS support for all of its customers that use custom domains for their WordPress.com blogs.
Click to expand...

http://news.softpedia.com/news/word...using-let-s-encrypt-certificates-502744.shtml

Minimalist · Apr 12, 2016

Let's Encrypt Launched Today, Currently Protects 3.8 Million Domains

Today, the Let's Encrypt project has officially launched, leaving its beta stage in which it entered last December, being what developers call in the industry a "stable" product.
Click to expand...

http://news.softpedia.com/news/let-...tly-protects-3-8-million-domains-502857.shtml

ronjor · Apr 14, 2016

A Scheme to Encrypt the Entire Web Is Actually Working

Andy Greenberg Security Date of Publication: 04.14.16.
Apple’s move to encrypt your iPhone and WhatsApp’s rollout of end-to-end encrypted messaging have generated plenty of privacy applause and law enforcement controversy. But more quietly, a small non-profit project has enacted a plan to encrypt the entire global web. And it’s working.
Click to expand...

http://www.wired.com/2016/04/scheme-encrypt-entire-web-actually-working/

ronjor · May 13, 2016

Announcing Certbot: EFF's Client for Let's Encrypt

May 12, 2016 | By Brad Warren

EFF is proud to introduce Certbot, a powerful tool to help websites encrypt their traffic. Certbot is the next iteration of the Let's Encrypt Client; it obtains TLS/SSL certificates and can automatically configure HTTPS encryption on your server. It's still in beta for now, but we plan to release Certbot 1.0 later this year.
Click to expand...

https://www.eff.org/deeplinks/2016/05/announcing-certbot-new-tls-robot

ronjor · May 18, 2016

Bitly partners with Let’s Encrypt for HTTPS links

Help Net Security May 18, 2016
Bitly processes data associated with more than 12 billion clicks per month, leading to massive troves of intelligence. Now, they’re partnering with Let’s Encrypt to generate SSL certificates for more than 40,000 Bitly branded domains used to create links and share content across the channels, devices, and networks.
Click to expand...

Minimalist · Jun 12, 2016

Email Server Glitch Exposes Email Addresses for 7,618 Let's Encrypt Users

The Let's Encrypt project announced yesterday that a glitch in the email newsletter system they used accidentally exposed the email addresses of 7,618 users.
Click to expand...

http://news.softpedia.com/news/emai...es-for-7-618-let-s-encrypt-users-505140.shtml

ronjor · Jun 22, 2016

Progress Towards 100% HTTPS, June 2016

Jun 22, 2016 • Josh Aas, ISRG Executive Director

Our goal with Let’s Encrypt is to get the Web to 100% HTTPS. We’d like to give a quick progress update.
Click to expand...

https://letsencrypt.org//2016/06/22/https-progress-june-2016.html

ronjor · Jun 23, 2016

Defending Our Brand

Jun 23, 2016 • Josh Aas, ISRG Executive Director
Some months ago, it came to our attention that Comodo Group, Inc., is attempting to register at least three trademarks for the term “Let’s Encrypt,” for a variety of CA-related services [1][2][3]. These trademark applications were filed long after the Internet Security Research Group (ISRG) started using the name Let’s Encrypt publicly in November of 2014, and despite the fact Comodo’s “intent to use” trademark filings acknowledge that it has never used “Let’s Encrypt” as a brand.
Click to expand...

https://letsencrypt.org//2016/06/23/defending-our-brand.html

elapsed · Jun 23, 2016

Comodo really needs new leadership, I'm not sure how they are still in business.

ronjor · Jun 26, 2016

Defending Our Brand [Updated]

Jun 23, 2016 • Josh Aas, ISRG Executive Director

Update, June 24 2016

We have confirmed that Comodo submitted Requests for Express Abandonment for all three trademark registration applications in question. We’re happy to see this positive step towards resolution, and will continue to monitor the requests as they make their way through the system.

We’d like to thank our community for their support.
Click to expand...

https://letsencrypt.org//2016/06/23/defending-our-brand.html

ronjor · Jul 26, 2016

Full Support for IPv6

Jul 26, 2016 • Josh Aas, ISRG Executive Director

Let’s Encrypt is happy to announce full support for IPv6.
Click to expand...

deBoetie · Jul 29, 2016

ronjor said: ↑

Full Support for IPv6
Click to expand...

"We’re looking forward to the day when both TLS and IPv6 are ubiquitous."

We doesn't include me , at least, not as far as IPv6 is concerned. Currently, it's a privacy disaster.

ronjor · Sep 12, 2016

Let's Encrypt Root to be Trusted by Mozilla

Aug 5, 2016 • Josh Aas, ISRG Executive Director
The Let’s Encrypt root key (ISRG Root X1) will be trusted by default in Firefox 50, which is scheduled to ship in Q4 2016. Acceptance into the Mozilla root program is a major milestone as we aim to rely on our own root for trust and have greater independence as a certificate authority (CA).
Click to expand...

ronjor · Oct 10, 2016

ISRG Legal Transparency Report, January 2016 - June 2016

Oct 1, 2016 • Josh Aas, ISRG Executive Director
The trust of our users is ISRG’s most critical asset. Transparency regarding legal requests is an important part of making sure our users can trust us, and to that end we will be publishing reports twice annually. Reports will be published three months after the period covered in order to allow us time to research all requests and orders received during the period.

Download Legal Transparency Report, January 2016 - June 2016
Click to expand...

Minimalist · Oct 17, 2016

Firefox users chalk up HTTPS encryption milestone

A majority of Mozilla users were served encrypted pageloads for the first time yesterday, meaning their web browsing data was secured from snoopers and hackers while in transit.

The HTTPS milestone was tweeted by Josh Aas, head of the Let’s Encrypt initiative which has been working to help smaller websites switch to encrypting their web traffic.
Click to expand...

https://techcrunch.com/2016/10/15/firefox-users-chalk-up-https-encryption-milestone/

Minimalist · Nov 4, 2016

Half of Chrome Pageloads are HTTPS

First it was Mozilla, and now Google is the latest to confirm that encryption is inching closer toward becoming a standard building block for websites and web applications. Google reported yesterday that more than half of pages loaded on desktop versions of the Chrome browser are being done so over HTTPS.
Click to expand...

https://threatpost.com/half-of-chrome-pageloads-are-https

Log in or Sign up

Let’s Encrypt

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

summerheat Registered Member

deBoetie Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

elapsed Registered Member

ronjor Global Moderator

ronjor Global Moderator

deBoetie Registered Member

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

Log in or Sign up

Let’s Encrypt

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

summerheat Registered Member

deBoetie Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

elapsed Registered Member

ronjor Global Moderator

ronjor Global Moderator

deBoetie Registered Member

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Minimalist Registered Member

Useful Searches