The Electronic Frontier Foundation Soros-funded interest group Created Letsencrypt (free CA)
This allows everyone to "encrypt" (add TLS to) their website, free and for an unlimited number of domains. This is a large benefit over traditional CAs that typically charge upwards of $100 for a single certificate. The downside: it requires you to run a "client" (certbot) written in Python to obtain the certificate (generate a private key, send the CSR to Letsencrypt and download the certificate itself) and then renew it (typically every 3 months). This process automatically creates an account at LE that is then linked with your IPs and domains on their side. This would allow them to revoke the certificates of every site they deem unacceptable, thus shutting down access to sites they don't like. Since the default configuration they provide for many servers (like nginx and apache) turns on HSTS at a high interval (I think it's more than one week), this would prevent the website administrators from switching out the certificate for a different one to bring the site back up until the time is exceeded (unless they switch the domain too). And to top the cake, they recommend running their client every few hours or daily, which allows easily backdooring computers (the client checks for newer versions of itself and downloads and updates itself automatically - yup), thus a malicious update could backdoor your machine. So, letsencrypt - in principle good, but turns out a very bad idea?
>The Electronic Frontier Foundation
>Soros-funded interest group
What the fuck. Is nothing uncompromised anymore?
Blake Smith
Self-signed is the way to go.
Jordan White
Unfortunately, fellow user, SJWs have squirmed themselves into many open source/free software projects, the best known being the Linux kernel itself, forcing their "Code of conduct" on developers or removing them from the project. (Search for "linux coc" and read for yourself.) The good thing about open source licenses is that most of them allow creating a copy of the project and continuing work there without the nutjobs.
I agree. But self-signed certs aren't trusted (preinstalled) in any browser or OS, so the benefit of trusting an untrusted certificate is almost nil. If only DNS CAA were implemented by any browser, the world would be much closer to a decentralized PKI infrastructure. Mozilla were even working on it in 2014 or so but caved to the pressure not to include it, undoubtedly because Verisign, one of the big old CAs, is a large donator of funds.
Lincoln Williams
The protocol is documented, the reference client is open-source and there are third-party clients.
In addition, it's not like http is going anywhere.
Liam Young
Good luck getting anyone to download anything, sign up for an account or buy anything on http.
Not when modern browsers literally shout at the user “insecure connection”.
Kevin Diaz
Based Slovenian poster. This is a good summary.
Matthew Gonzalez
Doesn't it make a lot more sense for browsers to be a public utility rather than a sales tool for the certificate cartel, an access terminal for the advertising cartel, or a couple of also-ran software vendors?
Austin Ramirez
It does, but it is what it is, and if you want to do anything serious on the web these days you need SSL or users just won't accept you.
All true, but none of your points address any issues I raised above. The fact is that they can simply revoke any certificate they want on their side for any reason; it has nothing to do with the protocol. The client being open-source doesn't address the issue of the client downloading new versions of itself automagically from LE without the code being reviewed by the user first. Hell, even a MITM or poisoned DNS could inject arbitrary code, as AFAIK the client doesn't do signature checking.
Nolan Diaz
chmod is your friend. If chmod isn't enough, chattr is your friend.
Isaac Ramirez
Good thread, friend.
Lucas Bailey
>the benefit of trusting an untrusted certificate is almost nil
So GPG sign the certificate so people can trust that the site owner made it. The whole point is to encrypt the connection, not to rely on some NGO / government approved list of certs.
Gabriel Watson
>GPG
The browser won't care and will screech autistically that no (((authority))) trusts that certificate and rattle off a litany of hazards of continuing to browse that site (almost all of which are due to browsers being sluts that will execute any code for two lime margaritas and a blunt).
Jayden Lee
CAs are a horrible idea in the first place. Decentralized web of trust schemes or simple TOFU is far superior.
Andrew Evans
So people click the “continue anyway” button just like when they run a malware installer. People who are savvy and understand technology will add an exception too.
Joseph Allen
Sure, there are ways to stop the auto update, but the vast majority, I'd say 99.99% of users, aren't gonna change the defaults and sure as heck aren't gonna read through every line of code. The certificate revocation can't be stopped, as it's done via CRLs on the browser-CA side of things. Right, that would technically take the place of a trusted CA, but if we're using GPG now, it's a manual process of creating a trust between the two parties, and how would you check the certificate in the browser? That would have to be a 3rd party plugin. You lose all your normie visitors if you do this. DNS CAA would take the place of CAs as we know it, as the cert would be validated by the domain's DNS zone itself; combined with DNSSEC, that would give you a full chain of trust. Then the only people left to fuck with you would be the domain registrar and IANA or ICANN itself.
Parker Ramirez
>Then the only people left to fuck with you would be the domain registrar and IANA or ICANN itself.
So the parties who already fuck with you?
Darkweb is the only solution, with self signing.
Evan Foster
The average person is going to be freaked the fuck out about any website that says insecure and warning.
Benjamin Nguyen
>DNS CAA
>Certificate Authority Authorization
Wait, isn't this already implemented? From what I read, it seems like it's just like printing "Not good for more than $500" on a cheque.
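As an added example (not code from the thread or from any CA), here is the CAA check a CA performs per RFC 8659 against a constructed zone, which is the "cheque" point above and the DNSSEC chain-of-trust post: CAA tells issuers who may sign, and a browser never consults it.

```python
"""Evaluate DNS CAA records the way a CA must (RFC 8659).
Added example with constructed zone data; no real DNS is queried."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # for issue/issuewild: permitted CA domain, ";" = nobody


# Constructed zone: owner name -> CAA RRset.
ZONE = {
    "example.org.":        [CAA(0, "issue", "letsencrypt.org"),
                            CAA(0, "iodef", "mailto:security@example.org")],
    "shop.example.org.":   [CAA(0, "issue", ";")],        # forbids all issuance
    "wild.example.org.":   [CAA(0, "issue", "letsencrypt.org"),
                            CAA(0, "issuewild", "digicert.com")],
    "legacy.example.org.": [CAA(128, "futuretag", "x")],  # critical unknown tag
}


def relevant_rrset(name):
    """RFC 8659 section 3: the first CAA RRset found while climbing from
    the FQDN towards the root applies. [] means no ancestor publishes CAA."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def ca_may_issue(name, ca_domain, wildcard=False):
    """True if the CA identified by ca_domain may issue for name."""
    rrset = relevant_rrset(name)
    # A critical record with a tag the CA does not understand blocks issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no issue property at all: any CA may issue
    # Text before the first ';' names the permitted CA; a bare ";" permits none.
    permitted = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in permitted
```

Note that a zone with no CAA at all (the common case) authorizes every CA, so CAA only narrows who may issue; it does not let a site owner pin its own certificate.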
Angel Hughes
Cheap SSL is 8.99.
I use both.
Aaron Campbell
The average person can fuck off.
Brayden Smith
Yeah, but they're arguably less political than a Soros-backed NGO. They have to answer to US law and constitution too which non-US NGOs or corporations like the old CAs don't. Yeah, the full answer is to go decentralised via dark net, but this debate is intended for the normie-accessible web.
Jaxon Walker
Comodo is like $20/yr, mein herren, and I'm not a gypsy so that's affordable.
All this makes the Russian internet isolation act seem almost benign.
Carter Anderson
Certbot isn't required, retard. You can obtain an LE certificate without running any of their code on your server.
Oliver Young
I can't imagine who's paying you to post this nonsense.
>traditional CAs typically charge upwards of $100 for a single certificate
Let's see,
>noip.com/ssl-certificates
>$19.99/yr
>Since the default configuration they provide for many servers (like nginx and apache) turns on HSTS at a high interval
Why would you use their server configs?
>And to top the cake, they recommend running their client every few hours or daily,
>1) why would you? you need to run it once every three months
>2) it's trivial to run certbot in its own sandboxed container
The revocation issue is present no matter what service you use.
>I can't imagine who's paying you to post this nonsense
Nobody's paying me, I run into Letsencrypt a lot so this went through my mind naturally.
>Let's see,
>noip.com/ssl-certificates
>$19.99/yr
Didn't know about that. Still, $20 is more than 0. If you want a different cert for every service, that adds up. Wildcard certs are pricier and in the range I was mentioning.
>Why would you use their server configs?
I don't, but other people might. I see no reason for them to include HSTS; we're not talking about bank transactions here with a free CA, and it locks you into their service for that time.
>1) why would you? you need to run it once every three months
>2) it's trivial to run certbot in its own sandboxed container
True. Not sure about trivial, it takes some time and effort.
DANE would solve the revocation issue which is what I really take issue with.