Why Let’s Encrypt is a really, really, really bad idea…
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
(Certificate expiration, with no one paying attention, is why no one at Equifax knew they had been hacked for months.)
What? is that true? Equifax was hacked because they had an expired cert on their website - that doesn't compute.
I thought they were hacked because of CVE-2017-5638?
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
CVE-2017-5638
Frankly I have no clue how they where hacked - but please, tell me how someone gets their servers hacked by having an expired cert on it?
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right?? -
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
-
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, and expired cert is not the same as having the public
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, and expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.
Stolen creds at that point.
-
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, and expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.
Stolen creds at that point.
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, and expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.
Stolen creds at that point.
This assumes that the Cert is the only encryption happening
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, and expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.
Stolen creds at that point.
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, and expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.
Stolen creds at that point.
This assumes that the Cert is the only encryption happening
Your https connection to a web server, the cert is the what is used to encrypt your connection. It has nothing to do with server security in any other sense.
-
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
Are you saying to spend money just because you can?
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Are you saying to spend money just because you can?
I’ll PM you my address @Emad-R - feel free to send as much money as you would like
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
-
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
So do you use any free and open source software, if so and you're making money you had better stop now and start paying someone for some software so you can make less money.
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.
Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.
The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.
-
Security through obscurity is the same as Security at Airports. It's Security Theater it's a means of trying to put on a show of security without actual security to deter people from attacking your site/airport/whatever.
I'd much rather have a cert renew on demand for free or every few days for free than to wait 2-5 years before going to check if a new cert is required.
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.
Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.
The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.
The crl is checked immediately by the browser, and will let you know the cert is revoked. I think most web browsers will make you do a manual step to bypass that to browse a website using a revoked ssl cert, if at all.
-
@Obsolesce Yeah, which it's then onto the user who says "whelp I know this website is doing something differently, so let's just click ignore and continue".
At least with an automated cert renewal/replacement system like LE, the entire process should never get to the point where a user has to jump through these hoops.
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.
Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.
The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.
The crl is checked immediately by the browser, and will let you know the cert is revoked. I think most web browsers will make you do a manual step to bypass that to browse a website using a revoked ssl cert, if at all.
Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
And of course, this only matters once you know your key has been stolen and it's then revoked. I just heard this morning that NASA discovered an APT inside their network that's been there over a year. Now sure - NASA, a government agency, so we can't likely consider them to have good security, but still. The Bleachwood hotel chain had an APT for like 5 years (don't recall exact amount of time), etc, etc.. so the chances of finding an APT that stole your key seems less like a certainty.
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
If the crl cannot be reached, the cert is not trusted and basically the same thing.
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Sure - that assumes the browser can reach the CRL... if it's unavilable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
If the crl cannot be reached, the cert is not trusted and basically the same thing.
No, that's definitely not true. as I said - most, if not all browsers - fail open in the case where they can't reach the crl.
https://scotthelme.co.uk/certificate-revocation-google-chrome/
