The words "piss-up" and "brewery" come to mind.
Let's Encrypt has halted its plans to cancel all three million flawed web security certificates – after fearing the super-revocation may effectively break a chunk of the internet for netizens. Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three …
A tech company flat out admitting it was wrong without any weasel words and then changing its plans? What's happening to the world?
I applaud Let's Encrypt for recognizing the problem in the first place and trying to fix it. I applaud them again for pulling back from their initial solution.
Yes, I applaud them for both of those things! Great job, LE!
But I still remain happy not to be a LE user. (To be clear, I'm not saying that people shouldn't use LE -- only that for some people such as myself, the cost/benefit of using them is not favorable, and this sort of thing doesn't help that.)
... and was told my certs would be invalid on Thurs. The email did tell me exactly which ones would be revoked and gave me a hint on how to use certbot to force an update.
Now, I have a quite scary combination of HA Proxy fronted sites so for example you go to http://example.co.uk or www. or whatever and end up at https://example.co.uk which is hosted on an Apache job. /owa /autodiscover etc all end up coming from an Exchange server, /wiki from a Mediawiki. It goes on ... /icinga /kb and more. All of those can also be got at via hostname instead of www as well. Some bits need Kerb auth and some via forms. Attempting to hammer at the login form for e.g. OWA ends up visiting a fake form that does nothing, rather slowly. Getting that lot to work was quite traumatic. One tricky bit was getting http to redirect to https correctly whilst still allowing /.well-known through for the relevant box or the front end. HSTS adds a certain excitement to testing.
Then you have to try and get that lot to move quicker than it is designed to do.
> Overall not a bad plan. If that is what it was.
I don't think that was a plan, but if it was then it's a terrible one because it is effectively trading away the ability to trust what LE says. Correcting a bad initial call increases trust. Lying to manipulate people into action decreases it.
Biting the hand that feeds IT © 1998–2021