Why Let’s Encrypt is a really, really, really bad idea…
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
CVE-2017-5638
Frankly I have no clue how they were hacked - but please, tell me how someone gets their servers hacked by having an expired cert on it?
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
-
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, an expired cert is not the same as having the public
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, an expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to log in as your user account, a MiM could capture that information and log in themselves.
Stolen creds at that point.
-
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, an expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to log in as your user account, a MiM could capture that information and log in themselves.
Stolen creds at that point.
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, an expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to log in as your user account, a MiM could capture that information and log in themselves.
Stolen creds at that point.
This assumes that the Cert is the only encryption happening
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, an expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to log in as your user account, a MiM could capture that information and log in themselves.
Stolen creds at that point.
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@DustinB3403 said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Even if someone somehow got the private key for the cert, that doesn't let them breach the server, that only allows them to breach the communications between that server and a client.
right??
Yes, this doesn't get the person onto said server, it just allows someone to play MiM, which in practice could get the MiM onto the target server as the originating user.
eh? what originating user? you mean that being an MiM could allow them to get the admin creds and then log in as the admin? Ok I guess I could see that.
but again, an expired cert is not the same as having the public
No I'm saying if as a user you went to bankofamerica.com and tried to log in as your user account, a MiM could capture that information and log in themselves.
Stolen creds at that point.
This assumes that the Cert is the only encryption happening
For your HTTPS connection to a web server, the cert is what is used to encrypt your connection. It has nothing to do with server security in any other sense.
-
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
Are you saying to spend money just because you can?
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Are you saying to spend money just because you can?
I’ll PM you my address @Emad-R - feel free to send as much money as you would like
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
-
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being unique, or unlike the rest, won't that increase security? Like changing the port of SSH, it's the same method: you're not using a service that all the rest are using, like Let's Encrypt, thus in theory more secure.
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
So do you use any free and open source software, if so and you're making money you had better stop now and start paying someone for some software so you can make less money.
-
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being unique, or unlike the rest, won't that increase security? Like changing the port of SSH, it's the same method: you're not using a service that all the rest are using, like Let's Encrypt, thus in theory more secure.
Security through obscurity? That's not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.
The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked and the master key is stolen, they revoke it and start over; all of the automated systems (I hope) are able to get a new cert the next time they check in - which is typically very frequent, days/weeks normally, but at worst mere months compared to any typical CA, where it could be three years if a cert was just purchased a bit before the breach.
-
Security through obscurity is the same as Security at Airports. It's Security Theater it's a means of trying to put on a show of security without actual security to deter people from attacking your site/airport/whatever.
I'd much rather have a cert renew on demand for free or every few days for free than to wait 2-5 years before going to check if a new cert is required.
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being unique, or unlike the rest, won't that increase security? Like changing the port of SSH, it's the same method: you're not using a service that all the rest are using, like Let's Encrypt, thus in theory more secure.
Security through obscurity? That's not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.
The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked and the master key is stolen, they revoke it and start over; all of the automated systems (I hope) are able to get a new cert the next time they check in - which is typically very frequent, days/weeks normally, but at worst mere months compared to any typical CA, where it could be three years if a cert was just purchased a bit before the breach.
The CRL is checked immediately by the browser, and will let you know the cert is revoked. I think most web browsers will make you do a manual step to bypass that to browse a website using a revoked SSL cert, if at all.
-
@Obsolesce Yeah, and then it's onto the user who says "whelp, I know this website is doing something differently, so let's just click ignore and continue".
At least with an automated cert renewal/replacement system like LE, the entire process should never get to the point where a user has to jump through these hoops.
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
@Emad-R said in Why Let’s Encrypt is a really, really, really bad idea…:
@Curtis said in Why Let’s Encrypt is a really, really, really bad idea…:
https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801
This guy...
Actually he makes sense to me, if you have a website that is generating good revenue you should spend on SSL
Yeah I don't agree with that. The "warranties" that you get are literally useless and it's not possible to automate them. There is literally no upside to paying for one, even EV certs.
Let's not forget that the TLS certs are not for ensuring it is a safe site. It's just a way to have an encrypted channel.
What about being unique, or unlike the rest, won't that increase security? Like changing the port of SSH, it's the same method: you're not using a service that all the rest are using, like Let's Encrypt, thus in theory more secure.
Security through obscurity? That's not security, that just leads people into a false sense of security. Sure it takes a bit more effort on the part of the hacker, but a determined hacker doesn't really care.
The only point I really consider valid is the accountability aspect - but I'm not sure how much weight I can really give that single point. If LE is hacked and the master key is stolen, they revoke it and start over; all of the automated systems (I hope) are able to get a new cert the next time they check in - which is typically very frequent, days/weeks normally, but at worst mere months compared to any typical CA, where it could be three years if a cert was just purchased a bit before the breach.
The CRL is checked immediately by the browser, and will let you know the cert is revoked. I think most web browsers will make you do a manual step to bypass that to browse a website using a revoked SSL cert, if at all.
Sure - that assumes the browser can reach the CRL... if it's unavailable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
And of course, this only matters once you know your key has been stolen and it's then revoked. I just heard this morning that NASA discovered an APT inside their network that's been there over a year. Now sure - NASA, a government agency, so we can't likely consider them to have good security, but still. The Bleachwood hotel chain had an APT for like 5 years (don't recall the exact amount of time), etc., etc., so the chances of finding an APT that stole your key seem less like a certainty.
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Sure - that assumes the browser can reach the CRL... if it's unavailable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
If the CRL cannot be reached, the cert is not trusted and basically the same thing.
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Sure - that assumes the browser can reach the CRL... if it's unavailable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
If the CRL cannot be reached, the cert is not trusted and basically the same thing.
No, that's definitely not true. As I said - most, if not all, browsers fail open in the case where they can't reach the CRL.
https://scotthelme.co.uk/certificate-revocation-google-chrome/
-
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@Dashrender said in Why Let’s Encrypt is a really, really, really bad idea…:
Sure - that assumes the browser can reach the CRL... if it's unavailable (which supposedly is a huge problem), most if not all browsers fail to allow access by default.
If the CRL cannot be reached, the cert is not trusted and basically the same thing.
No, that's definitely not true. As I said - most, if not all, browsers fail open in the case where they can't reach the CRL.
https://scotthelme.co.uk/certificate-revocation-google-chrome/
Chrome will instead rely on its automatic update mechanism to maintain a list of certificates that have been revoked for security reasons. Langley called on certificate authorities to provide a list of revoked certificates that Google bots can automatically fetch. The time frame for the Chrome changes to go into effect are "on the order of months," a Google spokesman said.
Same thing but different. Google Chrome will be Google Chrome.
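The exchange above about whether a revoked cert is actually caught, and what a client does when the CRL cannot be reached, as an added example that is not part of any post in this thread: it builds a throwaway CA with the openssl CLI, issues a leaf cert, revokes it (the "stolen key" scenario), publishes a CRL, and then runs `openssl verify` three ways. The `decide` function models the two client policies being argued over: soft-fail (an unreachable CRL is treated as fine, which is the fail-open behaviour Dashrender describes) and hard-fail (what Obsolesce describes). Everything here is constructed for the demo (the "Demo CA", `www.example.test`, all file paths); the only assumption is an `openssl` 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI built with the openssl CLI to
# show what revocation checking catches and how an unreachable CRL is handled
# under soft-fail vs hard-fail policy. Assumes `openssl` 1.1.1+ on PATH.
# Every name and path below is constructed for the demo.
set -u

DIR="$(mktemp -d)"
CNF="$DIR/ca.cnf"
trap 'rm -rf "$DIR"' EXIT

# One config serves `openssl req` (self-signed CA, CSR) and `openssl ca` (issue, revoke, CRL).
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $DIR/index.txt
new_certs_dir    = $DIR
certificate      = $DIR/ca.crt
private_key      = $DIR/ca.key
serial           = $DIR/serial
crlnumber        = $DIR/crlnumber
default_md       = sha256
default_days     = 7
default_crl_days = 7
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

setup_pki() {
  touch "$DIR/index.txt"
  echo 01 > "$DIR/serial"
  echo 01 > "$DIR/crlnumber"
  # Constructed demo CA and a leaf cert for a made-up hostname.
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 30 \
      -keyout "$DIR/ca.key" -out "$DIR/ca.crt" -subj "/CN=Demo CA (constructed)" >/dev/null 2>&1
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
      -keyout "$DIR/leaf.key" -out "$DIR/leaf.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl ca -batch -config "$CNF" -in "$DIR/leaf.csr" -out "$DIR/leaf.crt" -notext >/dev/null 2>&1
  # The thread's scenario: the leaf key is considered compromised, so the CA
  # revokes the cert and publishes a CRL that lists it.
  openssl ca -config "$CNF" -revoke "$DIR/leaf.crt" -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config "$CNF" -gencrl -out "$DIR/ca.crl" >/dev/null 2>&1
}

# Run `openssl verify` with the given arguments and classify the outcome as
# OK, REVOKED, CRL_UNAVAILABLE or OTHER_FAILURE (safe under `set -e`).
classify() {
  out="$(openssl verify "$@" 2>&1)" && rc=0 || rc=$?
  if [ "$rc" -eq 0 ]; then echo OK
  elif echo "$out" | grep -q "certificate revoked"; then echo REVOKED
  elif echo "$out" | grep -q "unable to get certificate CRL"; then echo CRL_UNAVAILABLE
  else echo OTHER_FAILURE; fi
}

# Chain validation only: signature, validity dates, CA constraints. Revocation is never consulted.
verify_chain_only()       { classify -CAfile "$DIR/ca.crt" "$DIR/leaf.crt"; }
# Revocation checking requested, but no CRL available: openssl's own behaviour is hard-fail.
verify_hard_fail_no_crl() { classify -crl_check -CAfile "$DIR/ca.crt" "$DIR/leaf.crt"; }
# Revocation checking with the CA's CRL present.
verify_with_crl()         { classify -crl_check -CAfile "$DIR/ca.crt" -CRLfile "$DIR/ca.crl" "$DIR/leaf.crt"; }

# Client policy applied to a classify() result. $1 = soft|hard, $2 = status.
# soft-fail: only an explicit REVOKED blocks; an unreachable CRL is waved through.
# hard-fail: anything other than OK blocks.
decide() {
  case "$1:$2" in
    *:OK)                 echo ALLOW ;;
    soft:CRL_UNAVAILABLE) echo ALLOW ;;
    *)                    echo BLOCK ;;
  esac
}

setup_pki
echo "chain only (revoked leaf):  $(verify_chain_only)"
echo "crl_check, no CRL reachable: $(verify_hard_fail_no_crl)"
echo "crl_check, CRL present:      $(verify_with_crl)"
echo "soft-fail client, CRL down:  $(decide soft "$(verify_hard_fail_no_crl)")"
echo "hard-fail client, CRL down:  $(decide hard "$(verify_hard_fail_no_crl)")"
```

The first line of output is the one worth staring at: after revocation, plain chain validation still reports the leaf as OK, so a client that fails open when the CRL is unreachable ends up with exactly that result. The two `decide` lines are the disagreement in the thread made concrete; a short-lived cert that simply expires a few weeks after the key was stolen sidesteps the whole question, which is the automation argument made earlier in the thread.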