Let’s Encrypt

Discussion in 'privacy technology' started by ronjor, Feb 28, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    Let’s Encrypt 2016 In Review

     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    HTTPS Hits 50 Percent Traffic Milestone
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,371
    Location:
    Slovenia
    https://www.forbes.com/sites/forbesproductgroup/2017/03/15/road-to-ssl
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,877
    Let's Encrypt is very easy to set up!
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    10,411
    Location:
    UK
    https://www.thesslstore.com/blog/lets-encrypt-phishing/
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    ACME v2 API Endpoint Coming January 2018
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    Milestone: 100 Million Certificates Issued

     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    Wildcard Certificates Coming January 2018

     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    How to use Let's Encrypt to secure your websites

     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    ACME Support in Apache HTTP Server Project

     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,800
    Let's Encrypt say they won't be issuing code signing certificates.

    Does anyone know why a domain cert cannot be used as a digital signature? After all, it's just a private key so what is to prevent it being used to code sign with the domain name the cert represents?
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,630
    Location:
    UK
    Well the difference is in the purpose field... And of course, money is involved!

    But really, the domain cert is implicitly tied by Let's Encrypt to the domain - you have proved your right to the cert by virtue of ownership of the domain and domain records.

    That situation does not apply to code signing, for which you do not need a domain at all I don't think. They tend to verify your individual or corporate identity and real-world addresses. I think that's better in the case of code signing - as a user, I do want to be able to have some form of proof of origin like that, which does not apply to domain ownership, I cannot necessarily find the signer.

    For obvious reasons, Let's Encrypt doesn't want to get into that kind of verification.
     
  13. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,800
    Yes, I think you're right, they are probably the reasons, but I was thinking, if I download an app from an independent developer, for example, one called newtech.com, the code signer could be anyone, it could be Willy Wonker for all I know, so his signature isn't going to assure me this is the original application from newtech.com.
    On the other hand, if it was signed with newtech.com's TLS certificate the digital signature would match their domain certificate and I would know it is the correct unadulterated app from their site.
    So I was wondering, is it impossible to use a TLS cert for code signing or do we just lack an application to do it?
     
    Last edited: Oct 24, 2017
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,630
    Location:
    UK
    A company code certificate would, at the time of the application, need to be backed by evidence delivered by a third party (e.g. lawyer) to verify. What happens to it once issued is of course a problem, and Willy Wonker could indeed be the signer.

    The suggestion of tying the application to the domain makes sense, if it's associated with the website - after all, with javascript enabled, we already do (ha!) trust the code they run on our computers. However, domain verification is much weaker than code signing verification.

    I think using a TLS cert for code would require development tools which didn't discriminate, but also cooperation from installers on the major operating systems. I don't think they would comply with that, for perhaps good reasons. The real problem being that code signing certs are way too expensive still.
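
The "purpose field" discussed in the posts above is the X.509 Extended Key Usage (EKU) extension; this added example (not part of the thread) decodes an EKU value and shows why a verifier that enforces it rejects a TLS certificate for code signing. The function names are hypothetical and the two sample byte strings are constructed for illustration, not taken from a real certificate.

```python
# Added example, standard library only; names and sample bytes are constructed.
EKU_NAMES = {  # key purpose OIDs from RFC 5280, section 4.2.1.12
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
}

def read_tlv(data, pos):
    """Return (tag, content, next_pos) for a short-form DER element at pos."""
    if pos + 2 > len(data) or data[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    tag, length = data[pos], data[pos + 1]
    end = pos + 2 + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos + 2:end], end

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_eku(ext_value):
    """List the purposes in an extKeyUsage value (SEQUENCE OF OID)."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extKeyUsage must be a single SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = decode_oid(content)
        purposes.append(EKU_NAMES.get(oid, oid))
    return purposes

def permits(ext_value, purpose):
    return purpose in parse_eku(ext_value)  # strict: purpose must be listed

# Constructed EKU values: a TLS-style certificate and a code-signing one.
TLS_CERT_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")
CODE_SIGN_EKU = bytes.fromhex("300a06082b06010505070303")
```

The private key is mathematically able to sign anything; the rejection comes from the verifier reading this extension in the certificate, which is why changing tools alone would not make installers accept such a signature.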
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,371
    Location:
    Slovenia
    http://www.securityweek.com/lets-encrypt-disables-tls-sni-01-validation
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,800
    I want to put Let's Encrypt and also ssl.com in my trusted certificate store because I don't have either of them, but where do I get them from? I couldn't find any mention of this on the Let's Encrypt website.
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    ACME v2 and Wildcard Certificate Support is Live
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,714
    Location:
    Texas
    Let's Encrypt Root Trusted By All Major Root Programs

     