This is a tiny bit odd. So they have issued their first certificate, but they don't have cross-signing in place yet? So between now and November 16th they'll be issuing a whole bunch of effectively broken certificates unless people manually install their root CA?

Why even push this today if you don't have cross-signing available? Without that Let's Encrypt is effectively broken out of the box.

PS - I actually like Let's Encrypt and the work they're doing. I will be all queued up when they go live to grab one (and, yes, will put my money where my mouth is and donate). But doing this today without cross-signing seems strange.
It's amazing that it takes a free provider to make things simple:

https://letsencrypt.org/howitworks/

I'd actually pay more than I do now for SSL certs to get that kind of simplicity.
I'm so excited for this to take off, and it's good to see they've taken the first steps, but can I at least download the CA Cert over HTTPS? Not sure how comfortable I am installing a CA cert I downloaded via HTTP, since that's kind of the whole point of this whole thing.
Sorry for asking a potentially dumb question: but is it possible for me to set up a domain name thecitibank.com and ask letsencrypt to issue me a certificate? I can then create a login page to steal IPINs. Isn't that why we have humans in the loop for issuing certificates?
What's the target audience of the beta program? I'd love to play around with this on a personal domain but I doubt that there will be more than 2 or 3 unique visitors between now and general availability. Do they want signups for the beta program irrespective of the traffic volume of the site or would toy site signups just be more of a hassle for someone to approve?

The verbiage on that page isn't very clear on if there's some manual process for approving beta participants or if it's just grab 100 entries a week out of a Google Sheets page.
Does anybody know if there is any protection built in against MITM or DNS poisoning attacks?

It feels like this makes network hop security far more important. If I'm able to insert a MITM or DNS poisoning anywhere between where letsencrypt.org's servers are and where it thinks the requesting server should be then I can generate a false certificate.

For example, Amazon's DNS resolves for letsencrypt as 1.2.3.4 which routes along a set path - say 2.3.4.5 and 3.4.5.6. To verify that I control amazon.com, letsencrypt is going to try and fetch http://1.2.3.4/something (through DNS resolving). If I can get MITM access on 2.3.4.5 and pass back /something to the request, letsencrypt is going to generate a certificate for me that I can use to say I am amazon.com for the entire world.

Is there any protection against this built into letsencrypt for this? Maybe checking if amazon.com already has https:// ? Although I'm not sure if there is any way to get around a DNS poisoning attack...

In essence, this seems to mean that you can take a single successful MITM and turn it into a globally authorized MITM. Right?
Everyone repeat after me, wildcards, wildcards, wildcards.

(just hoping they will appear next year)

One more nail in the coffin of the ssl cert mafia.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

For the record, the cert I've downloaded (using SSL over the Let's Encrypt site) from the Let's Encrypt site has the following SHA256 fingerprint:

SHA256 Fingerprint=96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6

Works great. To install on Firefox, just click on the first certificate listed here, in der format (just be sure to 'view certificate' and compare with the SHA256 hash I list above):

https://letsencrypt.org/certificates/

For Chrome users, you have to download the cert, then go under "Manage Certificates" in "Advanced Settings". Then click the "Authorities" tab and import button. To check the cert hash, you'll have to run the following on OpenSSL:
You can check your own fingerprint using:
openssl x509 -fingerprint -sha256 -in isrgrootx1.pem

Command line users on Ubuntu and (I think) Debian can install it to all browsers at once using:

chmod 644 isrgrootx1.pem
sudo mkdir /usr/share/ca-certificates/letsencrypt.org
sudo cp isrgrootx1.pem /usr/share/ca-certificates/letsencrypt.org/isrgrootx1.crt
sudo dpkg-reconfigure ca-certificates

For the extra paranoid, this is the same cert that another user posted to a Github gist earlier this summer:

https://gist.github.com/rmoriz/1211745a21bc6114e770

And you can verify my GPG signature by fetching my PGP key here (note that the keybase profile is linked to this HN username):
https://keybase.io/esbullington
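A defender-side script for the fingerprint-then-install procedure the comment above walks through, added here as an example and not part of the original thread. It assumes openssl is installed and a Debian/Ubuntu-style trust store; the expected fingerprint is the one quoted in the comment, reproduced as posted rather than independently verified.

```shell
#!/bin/sh
# Verify a downloaded root CA's SHA-256 fingerprint before trusting it system-wide.
# Added example, not from the original thread. Assumes openssl and a Debian-style trust store.

# Fingerprint as quoted in the comment above for isrgrootx1.pem (as posted, not verified here).
EXPECTED_ISRG_ROOT_X1="96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6"

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex (no label).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Return 0 if the certificate's fingerprint equals the expected one, 1 otherwise.
# Case-insensitive so a lowercase hash copied from another source still compares correctly.
verify_fingerprint() {
    actual=$(cert_fingerprint "$1")
    [ -n "$actual" ] || return 1
    [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Install into /usr/share/ca-certificates only after the fingerprint check passes;
# a mismatch aborts before anything touches the trust store.
install_root_ca_if_verified() {
    cert="$1"; expected="$2"; name="$3"
    if ! verify_fingerprint "$cert" "$expected"; then
        echo "fingerprint mismatch for $cert; refusing to install" >&2
        return 1
    fi
    sudo mkdir -p "/usr/share/ca-certificates/$name"
    sudo cp "$cert" "/usr/share/ca-certificates/$name/$(basename "$cert" .pem).crt"
    sudo dpkg-reconfigure ca-certificates
}

# Usage (downloads and sudo are not run here):
#   install_root_ca_if_verified isrgrootx1.pem "$EXPECTED_ISRG_ROOT_X1" letsencrypt.org
```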
Last year they did a talk at CCC. Well worth a watch.

https://www.youtube.com/watch?v=OZyXx8Ie4pA
Any one else getting a 'Secure Connection Failed' error at https://helloworld.letsencrypt.org/ in FF after adding the root certificate?
I checked the https demo using libcurl, and it failed unexpectedly with error code 35 (Unknown SSL connect error). I was expecting curl error 60 (untrusted certificate).
How does a root CA go into the trust store? I know Firefox embeds them, so older versions of it will not include it. Do OS minor updates (Windows, OS X, ...) ever update the trust store?

How much time does it actually take before I can safely use it and be sure that the majority of browsers accept it?
I feel like these initiatives to make SSL available for everybody just lead to the same conclusion: EV will be the only viable alternative to show real trust, and EV is much, much more expensive than regular SSL ever was.
Does anyone familiar with the "paid-for certificate industry" know if anything major is going to happen? I'd guess they're going to be inundated with lawsuits or something.

Great work, by the way.
To be honest I had not heard of them till now, and I am a bit confused even after reading some of their site...

So if the difficult part of being a CA (which I think is verifying that I, Paul Brian, own and control the rights to barlcaysbank.com and should have a certificate in that name) is either not done (!) or is reliant on donations to be able to afford it, is this going to work?