Why Let’s Encrypt is a really, really, really bad idea…

Obsolesce

@dbeato said in Why Let’s Encrypt is a really, really, really bad idea…:

ugh, Why make it all on Let's Encrypt? Same would happen when using any other CA authority for your TLS Certificates.

He's a CISSP, they always have the best security insights don't they.

dafyre

The author's concern is that it only takes one whoopsie to take over all of LE's certs. I agree with that, but that same thing has already happened to other CAs, so it's not really a point to argue.

However, I disagree with his take that security shouldn't be fire & forget. Security absolutely should be fire & forget -- especially for things that are easily handled by automation. (LE Cert renewal, for instance). The more complex something is, the easier it is to accidentally create a security issue.

DustinB3403

What's worthwhile about automation like LE is that if the root CA was compromised, LE would simply revoke all certificates and create a new CA and issuance would begin again.

He's acting like if someone isn't clicking "buy" that security is more vulnerable.

JaredBusch

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

What's worthwhile about automation

Except that is not what the idiot was talking about with fire and forget.

He was assuming people were setting it up and not renewing things.

Which means stupid users and has nothing to do with the technology.

Dashrender

(Certificate expiration, with no one paying attention, is why no one at Equifax knew they had been hacked for months.)

What? is that true? Equifax was hacked because they had an expired cert on their website - that doesn't compute.

Dashrender

I'd love it if he's define 'fire and forget' it's to ambiguous to really know for sure.

Obsolesce

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

(Certificate expiration, with no one paying attention, is why no one at Equifax knew they had been hacked for months.)

What? is that true? Equifax was hacked because they had an expired cert on their website - that doesn't compute.

I thought they were hacked because of CVE-2017-5638?

Dashrender

@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:

CVE-2017-5638

Frankly I have no clue how they where hacked - but please, tell me how someone gets their servers hacked by having an expired cert on it?

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

DustinB3403

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

Dashrender

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.

but again, and expired cert is not the same as having the public

DustinB3403

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.

but again, and expired cert is not the same as having the public

No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.

Stolen creds at that point.

Dashrender

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.

but again, and expired cert is not the same as having the public

No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.

Stolen creds at that point.

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.

but again, and expired cert is not the same as having the public

No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.

Stolen creds at that point.

This assumes that the Cert is the only encryption happening

Obsolesce

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.

but again, and expired cert is not the same as having the public

No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.

Stolen creds at that point.

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??

Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.

eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.

but again, and expired cert is not the same as having the public

No I'm saying if as a user you went to bankofamerica.com and tried to login as your user account, a MiM could capture that information and login themselves.

Stolen creds at that point.

This assumes that the Cert is the only encryption happening

Your https connection to a web server, the cert is the what is used to encrypt your connection. It has nothing to do with server security in any other sense.

Emad R

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Dashrender

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Are you saying to spend money just because you can?

Curtis

@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:

Are you saying to spend money just because you can?

I’ll PM you my address @Emad-R - feel free to send as much money as you would like

stacksofplates

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

Emad R

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

DustinB3403

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

So do you use any free and open source software, if so and you're making money you had better stop now and start paying someone for some software so you can make less money.

Dashrender

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:

@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:

@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

This guy...

Actually he makes sense to me, if you have website that is generating good revenue you should spend on SSL

Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.

Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.

What about being Unique, or unlike the rest, wont that increase security. Like changing a port of SSH, the same method your not using a service that all the rest are using like Lets Encrypt, Thus by theory more secure.

Security through obscurity? Thats not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.

The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked, and the master key is stolen, they revoke it and start over, all of the automated systems (I hope) are able to get a new cert the next time they check in - which is very frequent typically, days/weeks normally, but at works are mere months compared to any typical CA, it could be three years if a cert was just purchased a bit before the breach.