Vapourware no more: Let's Encrypt announces first cert dates

The Mozilla-backed Let's Encrypt effort is moving out of its vapourware phase, announcing general availability for September 2015 and an intention to issue its first certificate in the week of July 27. Launched last year by Mozilla, the Electronic Frontier Foundation (EFF) and Cisco, Let's Encrypt's aim is to create no-charge …

  1. Anonymous Coward

    And we trust this new root why?

    Not that you can really attach a great deal of value to the other roots you have installed in your browser by default, but a new root cert must work on all platforms before it has any value at all, and I first want to see the cert issue process before I'd trust any certs.

    I get the idea of encrypting the web, but that's kinda pointless if processes are so broken that they permit MiTM attacks (on the plus side, that still makes mass surveillance a lot harder work than the simple BGP route change it needs now).

  2. An0n C0w4rd

    1) free (basic, i.e. not the EV ones that give the green flag on the address bar) are already available and honestly not that complicated to get (installation can still be a pain)

    2) so far no-one seems to have solved the underlying trust issue (i.e. can we trust that the CA issued that cert to the entity you think you're connecting to), other than relying on dnssec, which isn't widespread enough yet to make a noticeable difference (RFC 6698). Even DANE is not without potential issues, since it can be used to make phishing sites look legitimate ( see https://www.imperialviolet.org/2011/06/16/dnssecchrome.html )
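The DANE/TLSA matching from RFC 6698 that the post refers to, as an added example written for this page rather than code from the poster or from Let's Encrypt: it parses a TLSA record in presentation format and checks a certificate against it. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders (a real check would take them from the TLS handshake), and the record is assumed to have already passed DNSSEC validation, which is exactly the dependency the post points out.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # 0-3; 3 = DANE-EE (pin the end-entity certificate itself)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data from the record


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the RFC 6698 presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, matching, *hex_parts = presentation.split()
    rec = TlsaRecord(int(usage), int(selector), int(matching),
                     bytes.fromhex("".join(hex_parts)))
    if rec.usage not in range(4) or rec.selector not in (0, 1) or rec.matching not in (0, 1, 2):
        raise ValueError("unsupported TLSA usage/selector/matching type")
    return rec


def association_data(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record should contain for this certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    digest = hashlib.sha256 if rec.matching == 1 else hashlib.sha512
    return digest(selected).digest()


def tlsa_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches the (DNSSEC-validated) record."""
    expected = association_data(rec, cert_der, spki_der)
    return hmac.compare_digest(expected, rec.data)  # constant-time comparison


def make_tlsa(usage: int, selector: int, matching: int,
              cert_der: bytes, spki_der: bytes) -> str:
    """Publish-side helper: build the presentation-format record for a cert."""
    rec = TlsaRecord(usage, selector, matching, b"")
    return f"{usage} {selector} {matching} {association_data(rec, cert_der, spki_der).hex()}"


# Constructed placeholders; real values are the DER encodings from the handshake.
CERT_DER = b"\x30\x82\x01\x00constructed-certificate-der-bytes"
SPKI_DER = b"\x30\x59constructed-subject-public-key-info-bytes"

if __name__ == "__main__":
    record = make_tlsa(3, 1, 1, CERT_DER, SPKI_DER)   # "3 1 1 <sha256 of SPKI>"
    print(record, tlsa_matches(parse_tlsa(record), CERT_DER, SPKI_DER))
```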

    1. Trevor_Pott Gold badge

      "so far no-one seems to have solved the underlying trust issue"

      I thought some of the new blockchain-based technologies were the best we had on solving the trust issue.

  3. Stuart 22 Silver badge

    Good Enough

    This is good. I do use StartSSL which is really just for the Nerdy. They both offer AFAIK the same level of protection between the browser and the server which means, in practice, that all those Wordpress logins and stuff are encrypted. So people like me can no longer sniff them on shared networks.

    So GCHQ/NSA and top-notch gangs may be able to break/steal certificates and MITM targets. But no casual stuff. The weakness of Class 1 certificates is they do not prove that the domain link is 'authentic'. Never Knowingly Undertold JohnLevis.com will give a green padlock and still run off with your money.

    How we develop and make people aware of the sliding scale of security they expect from their blog to their bank is the trick. Creating expectations to match the class of the certificate from a simple encrypted connection to a properly authenticated and verified source. Judging from the amount of green stuff in the URL bar of Chrome is not enough.
