Ask HN: Is Let's Encrypt Harmful?

4 pointsjan-jakub10y ago7 comments

I've just learned about Let's Encrypt, and it made me a little bit worried. Now, I'm afraid (correct me please if I'm wrong) I cannot easily say if the server I'm talking to is the one I think I'm communicating with; the https protocol and SSL certificates are there only to ensure message confidentiality, but not server identity.

Here are my questions:

1. Is there a way to check in a browser if the current domain's certificate has been issued by Let's Encrypt?

2. Should I trust domains with Let's Encrypt-issued certificate less than those with paid certificates with identity validation?

Perhaps my questions display lack of understanding of some fundamental concept of SSL. If that's the case, I'm happy to learn!

7 comments

detaro10y ago

Most SSL certificates use the same validation mechanisms as Let's Encrypt. Let's Encrypt is not less secure than other providers of domain validated (DV) certificates, all they check is that the requester of the certificate has some kind of control over the domain at the time of the request.

You couldn't trust SSL for owner identity before Let's Encrypt either, nothing has changed.

If you want stronger guarantees for the identity of the owner, you'll have to look for Extended Validation (EV) certificates (Browsers generally show the company name next to the lock in the URL bar). (https://www.cloudflare.com/ as an example, HN or https://www.amazon.com as examples of sites that don't use EV)

crapsalot10y ago

Wrong.

Most SSL cert CA's check DNS for email addresses and only validate DNS entries.

Lets Encrypt only checks DNS for IP addresses and issues certs based on root access to the IP addresses.

A CA DV is not equivalent to a Lets Encrypt cert.

detaro10y ago

Most CAs accept an email to an predetermined address at the domain, which validates that a DNS entry (MX record) on the domain points to a server controlled by the requester.

Many also offer the same thing as Let's Encrypt, which basically verifies if the A/AAAA record for the domain points to a server controlled by the requester.

What am I missing?

Kurnihil10y ago

Your concerns are completly right but there is a catch: Let's Encrypt is trying to lower the barrier in money and time to offer encrypted connection between a server and you. Even now there are different level of certificate in the standard, you could notice it when you see the lock icon in your browser turning green or not. Hacker News, for example, doesn't offer owner information so it's grey; Twitter instead turn green as it uses the most secure certificate.

The fact is that when you connect to my website ilikeapple.com in which I write about my experience as a apple farmer, you don't need to be sure of my server identity ('cause you don't even know my website) but you could still need message confidentiality ('cause you don't want your rival farmer to know that you are interested in planting apple tree next year).

So, don't put your credit card number in a site that not offer server identity (Hacker News for example) but don't worry too much about the certificate of let's Encrypt because are the lower level possible of certificate.

P.S. They are working to expand the same concept at "higher grade" certificate but of course is a work in progress (and is not sure it's possible)

UnoriginalGuy10y ago

To be honest the whole way the internet has always worked is a little backwards...

- HTTP: White background with black text.

- Mixed content: "Scary" red cross through it.

- Domain verified: Green

- Identity verified (EV): Super-green

In an ideal world it would work like this:

- HTTP & Mixed Content: "Scary" red cross through it (i.e. "unencrypted" or compromised encryption).

- Domain verified: White background with black text.

- Identity verified (EV): Super green.

So DV just becomes the new "normal," since all it is asserting is that you haven't been MitM-ed to the specific domain requested. HTTP becomes the new bad (which it is). And only EV gets the green padlock treatment (i.e. so you look for THAT if you enter personal information).

PS - Plus you've always been able to get a Let's Encrypt-style certified, just costs you $8 which is easy to get using stolen credit cards.

crapsalot10y ago

2. Should I trust domains with Let's Encrypt-issued certificate less than those with paid certificates with identity validation?

No...

Lets Encrypt should not have the same level of trust as the basic DV level cert from a standard CA.

There is a security hole in ACME which is glossed over with handwaving from the fanbois.

cabirum10y ago

    openssl s_client -connect example.com:443 -quiet

prints certificate chain, you'll see something like this -

    verify return:1  
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1

- meaning Let's Encrypt is involved.

j / k navigate · click thread line to collapse

7 comments

detaro10y ago

You couldn't trust SSL for owner identity before Let's Encrypt either, nothing has changed.

crapsalot10y ago

Wrong.

Most SSL cert CA's check DNS for email addresses and only validate DNS entries.

Lets Encrypt only checks DNS for IP addresses and issues certs based on root access to the IP addresses.

A CA DV is not equivalent to a Lets Encrypt cert.

detaro10y ago

Most CAs accept an email to an predetermined address at the domain, which validates that a DNS entry (MX record) on the domain points to a server controlled by the requester.

Many also offer the same thing as Let's Encrypt, which basically verifies if the A/AAAA record for the domain points to a server controlled by the requester.

What am I missing?

Kurnihil10y ago

P.S. They are working to expand the same concept at "higher grade" certificate but of course is a work in progress (and is not sure it's possible)

UnoriginalGuy10y ago

To be honest the whole way the internet has always worked is a little backwards...

- HTTP: White background with black text.

- Mixed content: "Scary" red cross through it.

- Domain verified: Green

- Identity verified (EV): Super-green

In an ideal world it would work like this:

- HTTP & Mixed Content: "Scary" red cross through it (i.e. "unencrypted" or compromised encryption).

- Domain verified: White background with black text.

- Identity verified (EV): Super green.

PS - Plus you've always been able to get a Let's Encrypt-style certified, just costs you $8 which is easy to get using stolen credit cards.

crapsalot10y ago

2. Should I trust domains with Let's Encrypt-issued certificate less than those with paid certificates with identity validation?

No...

Lets Encrypt should not have the same level of trust as the basic DV level cert from a standard CA.

There is a security hole in ACME which is glossed over with handwaving from the fanbois.

cabirum10y ago

    openssl s_client -connect example.com:443 -quiet

prints certificate chain, you'll see something like this -

    verify return:1  
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1

- meaning Let's Encrypt is involved.

j / k navigate · click thread line to collapse