The Electronic Frontier Foundation

The Electronic Frontier Foundation
Soros-funded interest group
Created Letsencrypt (free CA)

This allows everyone to "encrypt" (add TLS to) their website, free and for an unlimited amount of domains. This is a large benefit to traditional CAs that typically charge upwards of $100 for a single certificate.
The downside - it requires you to run a "client" (certbot) written in Python to obtain the certificate (generate a private key, send the CSR to Letsencrypt and download the certificate itself) and then renew it (typically every 3 months).
This process automatically creates an account at LE that is then linked with your IPs and domains on their side.
This would allow them to revoke the certificates of every site they deem unacceptable, thus shutting down access to sites they don't like.
Since the default configuration they provide for many servers (like nginx and apache) turns on HSTS at a high interval (I think it's more than one week) this would prevent the website administrators from switching out the certificate for a different one to bring the site back up until the time is exceeded. (Unless they switch the domain too).
And to top the cake, they recommend running their client every few hours or daily, which allows easily backdooring computers (the client checks for newer versions of itself and downloads and updates itself automatically - yup) thus a malicious update could backdoor your machine.
So, letsencrypt - in principle good, but turns out a very bad idea?


>The Electronic Frontier Foundation
>Soros-funded interest group
What the fuck. Is nothing uncompromised anymore?

Self-signed is the way to go.

Unfortunately fellow user, SJWs have squirmed themselves into many open source/free software projects. The most known being Linux kernel itself. Forcing their "Code of conduct" on developers or removing them from the project. (Search for "linux coc" and read for yourself). The good thing about open source licenses is that most of them allow creating a copy of the project and continuing work there without the nutjobs.

I agree. But self-signed certs aren't trusted (preinstalled) in any browser or OS so the benefit of trusting an untrusted certificate is almost nil.
If only DNS CAA were implemented by any browser, the world would be much closer to a decentralized PKI infrastructure. Mozilla were even working on it in 2014 or so but caved to the pressure not to include it, undoubtedly because Verisign, one of the big old CAs, is a large donator of funds.

The protocol is documented, the reference client is open-source and there are third-party clients.

In addition, it's not like http is going anywhere.

Good luck getting anyone to download anything, sign up an account on or buy anything on http.

Not when modern browsers literally shout at the user “insecure connection”.

Based slovenian poster
This is a good summary

Doesn't it make a lot more sense for browsers to be a public utility rather than a sales tool for the certificate cartel, an access terminal for the advertising cartel, or a couple of also-ran software vendors?

It does, but it is what it is and if you want to do anything seriously web these days you need ssl or users just won't accept you.

>What the fuck. Is nothing uncompromised anymore?


All true, but none of your points address any issues I raised above. The fact is that they can simply revoke any certificate they want on their side for any reason, has nothing to do with the protocol.
The client being opensource doesn't address the issue of the client downloading new versions of itself automagically from LE without the code being reviewed by the user first. Hell, even a MITM or poisoned DNS could inject arbitrary code as AFAIK the client doesn't do signature checking.

chmod is your friend. If chmod isn't enough, chattr is your friend.

Good thread, friend.

>the benefit of trusting an untrusted certificate is almost nil
So GPG sign the certificate so people can trust that the site owner made it. The whole point is to encrypt the connection, not to rely on some NGO / government approved list of certs.

>GPG
The browser won't care and will screech autistically that no (((authority))) trusts that certificate and rattle off a litany of hazards of continuing to browse that site (almost all of which are due to browsers being sluts that will execute any code for two lime margaritas and a blunt).

CAs are a horrible idea in the first place. Decentralized web of trust schemes or simple TOFU is far superior.

So people click the “continue anyway” button just like when they run a malware installer. People who are savvy and understand technology will add an exception too.

Sure there are ways to stop the auto update but the vast majority, I'd say 99.99% of users aren't gonna change the defaults and sure as heck aren't gonna read through every line of code.
The certificate revocation can't be stopped as it's done via CRLs on the browser-CA side of things.
Right, that would technically take the place of a trusted CA but if we're using GPG now, it's a manual process of creating a trust between the two parties, and how would you check the certificate in the browser, that would have to be a 3rd party plugin. You lose all your normie visitors if you do this.
DNS CAA would replace the place of CAs as we know it, as the cert would be validated by the domain's DNS zone itself, combined with DNSSEC, that would give you a full chain of trust.
Then the only people left to fuck with you would be the domain registrar and IANA or ICANN itself.

>Then the only people left to fuck with you would be the domain registrar and IANA or ICANN itself.
So the parties who already fuck with you?

Darkweb is the only solution, with self signing.

The average person is going to be freaked the fuck out about any website that says insecure and warning.

>DNS CAA
>Certificate Authority Authorization
Wait, isn't this already implemented? From what I read, it seems like it's just like printing "Not good for more than $500" on a cheque.

cheap ssl is 8.99

i use both.

The average person can fuck off.

Yeah, but they're arguably less political than a Soros-backed NGO. They have to answer to US law and constitution too which non-US NGOs or corporations like the old CAs don't. Yeah, the full answer is to go decentralised via dark net, but this debate is intended for the normie-accessible web.

comodo is like $20/yr mein herren and i'm not a gypsy so thats affordable


Sorry, I meant DANE. They're both part of DNS PKI, CAA may already be implemented, but DANE requires browser implementation which isn't in any browser.
en.m.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

All this makes the Russian internet isolation act seem almost benign.

Certbot isn't required, retard. You can obtain an LE certificate without running any of their code on your server.

I can't imagine who's paying you to post this nonsense.

>traditional CAs typically charge upwards of $100 for a single certificate
Let's see,
>noip.com/ssl-certificates
>$19.99/yr

>Since the default configuration they provide for many servers (like nginx and apache) turns on HSTS at a high interval
Why would you use their server configs?

>And to top the cake, they recommend running their client every few hours or daily,
>1) why would you? you need to run it once every three months
>2) it's trivial to run certbot in its own sandboxed container

The revocation issue is present no matter what service you use.


>DANE
Noice.
This is unironically good shit.

shieeeet that's what I use for all my websites

>I can't imagine who's paying you to post this nonsense
Nobody's paying me, I run in with Letsencrypt a lot so this went through my mind naturally
>Let's see,
>noip.com/ssl-certificates
>$19.99/yr
Didn't know about that. Still, $20 is more than 0. If you want a different cert for every service, that adds up. Wildcard certs are pricier and in the range I was mentioning.
>Why would you use their server configs?
I don't but other people might. I see no reason for them to include HSTS, we're not talking about bank transactions here with a free CA, and it locks you into their service for that time.
>1) why would you? you need to run it once every three months
>2) it's trivial to run certbot in its own sandboxed container
True. Not sure about trivial, it takes some time and effort.
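
For anyone who wants to check what HSTS lifetime a server config actually sets, whatever tool wrote it, here is an added example (not from any poster in this thread and not certbot's code). The config lines are constructed samples, and the 7-day threshold is an assumption taken from the "more than one week" guess above.

```python
import re

# Constructed sample config lines (not taken from any real certbot template).
SAMPLE_CONFIG = '''\
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# Apache equivalent
Header always set Strict-Transport-Security "max-age=300"
#add_header Strict-Transport-Security "max-age=63072000; preload";
'''

# Matches active (uncommented) nginx add_header / Apache Header set directives.
HSTS_LINE = re.compile(
    r'^\s*(?:add_header|Header\s+(?:always\s+)?set)\s+'
    r'Strict-Transport-Security\s+"([^"]*)"', re.IGNORECASE)

def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797 section 6.1) into a dict.
    Returns None if max-age is missing/invalid or a directive repeats,
    because browsers ignore such a header."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None
        seen[name] = arg.strip().strip('"')
    if not seen.get("max-age", "").isdecimal():
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def audit(config_text, limit_days=7):
    """Return (line_no, days, policy) for each active HSTS directive whose
    max-age keeps browsers HTTPS-only for longer than limit_days."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = HSTS_LINE.match(line)
        policy = parse_hsts(m.group(1)) if m else None
        if policy and policy["max_age"] > limit_days * 86400:
            findings.append((no, policy["max_age"] / 86400, policy))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags only the nginx line, whose max-age works out to 365 days; the 300-second Apache line and the commented-out directive are not reported.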

DANE would solve the revocation issue which is what I really take issue with.