Let’s Encrypt

Discussion in 'privacy technology' started by ronjor, Feb 28, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    Let’s Encrypt 2016 In Review

     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    HTTPS Hits 50 Percent Traffic Milestone
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,492
    Location:
    Slovenia
    https://www.forbes.com/sites/forbesproductgroup/2017/03/15/road-to-ssl
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Let's Encrypt is very easy to set up!
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,002
    Location:
    UK
    https://www.thesslstore.com/blog/lets-encrypt-phishing/
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    ACME v2 API Endpoint Coming January 2018
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    Milestone: 100 Million Certificates Issued

     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    Wildcard Certificates Coming January 2018

     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    How to use Let's Encrypt to secure your websites

     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    ACME Support in Apache HTTP Server Project

     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Let's Encrypt say they won't be issuing code signing certificates.

    Does anyone know why a domain cert cannot be used as a digital signature? After all, it's just a private key so what is to prevent it being used to code sign with the domain name the cert represents?
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well the difference is in the purpose field... And of course, money is involved!

    But really, the domain cert is implicitly tied by Let's Encrypt to the domain - you have proved your right to the cert by virtue of ownership of the domain and domain records.

    That situation does not apply to code signing, for which you do not need a domain at all I don't think. They tend to verify your individual or corporate identity and real-world addresses. I think that's better in the case of code signing - as a user, I do want to be able to have some form of proof of origin like that, which does not apply to domain ownership, I cannot necessarily find the signer.

    For obvious reasons, Let's Encrypt doesn't want to get into that kind of verification.
     
  13. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes I think you're right, they are probably the reasons but, I was thinking, if I download an app from an independent developer, for example, one called newtech.com, the code signer could be anyone, it could be Willy Wonker for all I know, so his signature isn't going to assure me this is the original application from newtech.com.
    On the other hand, if it was signed with newtech.com's TLS certificate the digital signature would match their domain certificate and I would know it is the correct unadulterated app from their site.
    So I was wondering, is it impossible to use a TLS cert for code signing or do we just lack an application to do it?
     
    Last edited: Oct 24, 2017
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    A company code certificate would, at the time of the application, need to be backed by evidence delivered by a third party (e.g. lawyer) to verify. What happens to it once issued is of course a problem, and Willy Wonker could indeed be the signer.

    The suggestion of tying the application to the domain makes sense, if it's associated with the website - after all, with JavaScript enabled, we already do (ha!) trust the code they run on our computers. However, domain verification is much weaker than code signing verification.

    I think using a TLS cert for code would require development tools which didn't discriminate, but also cooperation from installers on the major operating systems. I don't think they would comply with that, for perhaps good reasons. The real problem being that code signing certs are way too expensive still.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,492
    Location:
    Slovenia
    http://www.securityweek.com/lets-encrypt-disables-tls-sni-01-validation
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I want to put Let's Encrypt and also ssl.com in my trusted certificate store because I don't have either of them, but where do I get them from? I couldn't find any mention of this on the Let's Encrypt website.
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    ACME v2 and Wildcard Certificate Support is Live
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    Let's Encrypt Root Trusted By All Major Root Programs

     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Three years later, Let’s Encrypt has issued over 380 million HTTPS certificates
    September 14, 2018
    https://techcrunch.com/2018/09/14/three-years-later-lets-encrypt-now-secures-75-of-the-web/
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Let's Encrypt gives admins until February 13 to switch off TLS-SNI
    January 22, 2019
    https://www.theregister.co.uk/2019/...dmins_until_february_13_to_switch_off_tlssni/
    Blog entry: February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    The ACME Protocol is an IETF Standard

     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    Transitioning to ISRG's Root

     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    125,546
    Location:
    Texas
    Introducing Oak, a Free and Open Certificate Transparency Log
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Certbot Leaves Beta with the Release of 1.0
    December 5, 2019
    https://www.eff.org/deeplinks/2019/12/certbot-leaves-beta-release-10
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Let's Encrypt bolsters security against network attackers
    February 19, 2020
    https://www.neowin.net/news/lets-encrypt-bolsters-security-against-network-attackers
    Let’s Encrypt: Multi-Perspective Validation Improves Domain Validation Security
     