Post AWoPip3EJDox3VA6OO by stanford@social.arclight.pro
Post #AWoNbDsptoZVqYY5wG by stanford@social.arclight.pro
       2023-06-18T09:29:40Z
       
       0 likes, 0 repeats
       
Question: Is it really a good thing that everyone is now using Letsencrypt as their registry? It's a great project but it starts to feel like a security issue to me :blobcatthinkingglare: #SSL #TLS #letsencrypt #Admin #Server
       
Post #AWoOLYsUAuNUHRTslU by ipg@wetdry.world
       2023-06-18T09:38:04Z
       
       0 likes, 0 repeats
       
@stanford there are definitely concerns with a single entity being what validates most private keys being used to help encrypt TLS traffic on the network (iirc private keys are still generated client-side? could be very wrong on that...), however as a whole I'd still consider it a net benefit as it heavily reduces risk of casual "coffee shop" MITMs and non-US nation state MITMs on the majority of websites, as almost every other CA requires a huge payment
       
Post #AWoOqlmiEmVFHsf5ua by danny@strangeminds.social
       2023-06-18T09:43:45Z
       
       0 likes, 0 repeats
       
@stanford if the browser makers, like Google & Mozilla, decided not to trust a company's SSL certificates, those certificates would be useless. This (I'm sure) has happened before when a company's root certificates were stolen (so fake SSL certificates, which could be trusted, were created). I will continue to use LetsEncrypt all the time I'm able to
       
Post #AWoPip3EJDox3VA6OO by stanford@social.arclight.pro
       2023-06-18T09:53:34Z
       
       0 likes, 0 repeats
       
@danny Well, that's my point. Like 10 years ago, the main SSL market was split across 30-40 different CAs. If one of them made a mistake and the browsers needed to revoke the trust of the root certificate, it would just affect a portion of the internet. But now, if something at letsencrypt is going wrong, and their root certificate needs to be revoked, it would affect like 50-60% of the internet. Btw, I don't wanna push anyone to change their practice. Just wanna start some discussion to maybe learn something from it :blobcat:
       
Post #AWoQ5s6V7oWZBSgOO0 by danny@strangeminds.social
       2023-06-18T09:57:34Z
       
       0 likes, 0 repeats
       
@stanford I see your point, let's just hope LetsEncrypt have robust security in place to prevent this. I think there is another free option similar to LE (can't remember its name), but if LE were to fall the only option (for me at least) would be going back to paid-for certificates
       
Post #AWoUGCL98qfMeqiEnA by robalex@indieweb.social
       2023-06-18T10:44:23Z
       
       0 likes, 0 repeats
       
@stanford @danny there are a couple of variants of this that are worth thinking through. If a root CA is compromised, it needs to be revoked ASAP by every browser. Then everyone affected scrambles to get new certs. See DigiNotar example: https://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/ . More common is that a CA behaves poorly and is distrusted ahead of an actual compromise. This is a slow, planned distrust that can happen over a year. See Symantec example: https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
       
Post #AWoVK8DMWRSQyWVkDQ by robalex@indieweb.social
       2023-06-18T10:50:03Z
       
       0 likes, 0 repeats
       
       @stanford @danny Any website automating with the ACME protocol just needs to be pointed at a different provider. Software like #caddy does this automatically when a CA is offline, for example, so LetsEncrypt isn't a single point of failure. Other software could change the default provider with an update, or may require manual user action.
       
Post #AWoVK90zXv9lSRjNZY by stanford@social.arclight.pro
       2023-06-18T10:56:11Z
       
       0 likes, 0 repeats
       
@robalex @danny Well, sure, there are other CAs out there, and users can switch to a different one. But in most cases, a manual intervention is needed; people need to be informed about the (limited) alternatives, need to change the configuration and reobtain new certs. And then hope that the new CA isn't completely overloaded by all those new people who want new certificates. A scenario where the LE root certs need to be revoked will be in any case a huge mess and will cause a hell of a lot of outages for days if not weeks. It just feels wrong to have so much critical infrastructure of the Internet in one central organisation.
       
Post #AWoVtIO2h5JoewH3WS by kalich@infosec.exchange
       2023-06-18T11:02:42Z
       
       0 likes, 0 repeats
       
@stanford I bet it's not good, it's gonna have similar effects to like heartbleed and log4j in terms of usage (not the vulns in themselves). I'm guilty of using it too on public stuff, but I know most internal corps will use their own local CAs so I guess that's good :thounking: There's gotta be some alternative to Letsencrypt for "mere mortals" though? That'd be cool
       
Post #AWoXHLA08L3CAJjfou by robalex@indieweb.social
       2023-06-18T11:18:12Z
       
       0 likes, 0 repeats
       
       @stanford @danny you're correct, it would be a mess. The existence of protocol compatible CAs helps speed up recovery, as you should only need a config change, but it's still a manual change in most cases and an immediate revoke will cause many outages. Overloading the remaining CAs is an interesting issue. I think in the short term we could address that by configuring clients to rotate between the free CAs, balancing the load between each of them.
       
Post #AWoa0vdHZphwDoIWAa by stanford@social.arclight.pro
       2023-06-18T11:48:54Z
       
       0 likes, 0 repeats
       
@kalich To be honest, the SSL market is really broken. On the free market, there seem to be ZeroSSL and Buypass. I never tried any of them. They both seem to have some limits? (Not entirely sure tho.) On the paid market nearly all smaller CAs struggled due to LE and then were bought by DigiCert. So, the whole consumer SSL market is just Letsencrypt, DigiCert and Sectigo (Comodo) (excluding some very small or niche providers which do gov stuff, for example).
       
Post #AWoaEfdlpeLEg34wDY by stanford@social.arclight.pro
       2023-06-18T11:51:22Z
       
       0 likes, 0 repeats
       
@kalich Ironic how LE made encryption more affordable by making them free but at the same time killed most of the competition, so the only way for smaller CAs to survive was by making their stuff more expensive and focusing on some niche 😅
       
Post #AWofwZrFC0fhFs8WX2 by kalich@infosec.exchange
       2023-06-18T12:55:12Z
       
       0 likes, 0 repeats
       
@stanford I see! Hadn't heard of them either. Might try for the lolz. Crypto not really my strong suit though... would be nice to at least have grazed on the code and testing
       
Post #AWog5DUPj6tKUHZrMW by kalich@infosec.exchange
       2023-06-18T12:56:18Z
       
       0 likes, 0 repeats
       
       @stanford Damn, how is it LE survives, on that topic? But yeah that is a bit sad, suffering from success :blobcat0_0:
       
Post #AWz82eqGJ6xxWuuWZ6 by francislavoie@phpc.social
       2023-06-23T13:57:27Z
       
       0 likes, 0 repeats
       
       @stanford @robalex @danny with Caddy no config change is needed because it will automatically retry with a different CA if the other fails. It enables both Let's Encrypt and ZeroSSL by default as issuers.
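The redundant-issuer setup that robalex and francislavoie describe above, written out as an added Caddyfile example (not from any post in this thread or from the Caddy project's docs). It assumes the site name `example.com` and contact address `admin@example.com` are placeholders, that both ACME directory URLs are correct, and that listing issuers explicitly replaces Caddy's default pair of Let's Encrypt and ZeroSSL, so the operator chooses which free CAs to fall back to and in what order.

```caddyfile
# Constructed example: a site whose certificate issuance does not depend on
# a single CA. Caddy tries the issuers in order; if the first ACME directory
# is unreachable or refuses the order, it moves on to the next one, so a CA
# outage or distrust event becomes a retry rather than an outage for the site.
example.com {
	tls admin@example.com {
		# Primary CA: Let's Encrypt's production ACME endpoint.
		issuer acme {
			dir https://acme-v02.api.letsencrypt.org/directory
		}
		# Fallback CA: Buypass, one of the free ACME-compatible CAs named in
		# the thread. Same protocol, different trust root and operator.
		issuer acme {
			dir https://api.buypass.com/acme/directory
		}
	}
	respond "ok"
}
```

Reversing the two `issuer` blocks on part of a fleet is a simple way to spread renewals across both CAs rather than only using the second one in an emergency, which addresses the overload concern raised earlier in the thread.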