letsencrypt – Page 7 – WindowsTechs.com

Why did it take a long time for free HTTPS certificates (Let’s Encrypt)? [on hold]

Posted on September 19, 2017 by infinite-etcetera

It seems many companies on the internet became fixated with offering things for free, over the years.

Public DNS servers have always been run for free by companies, web browsers are free.

Why did HTTPS take a while until it… Continue reading Why did it take a long time for free HTTPS certificates (Let’s Encrypt)? [on hold]→

Should I revoke no longer used Let’s Encrypt certificates before destroying them?

Posted on August 3, 2017 by Philipp Claßen

The Let’s Encrypt documentation recommends that when a certificate’s corresponding private key is no longer safe, you should revoke the certificate.

But should you do the same if there are no indications that the key is compromised, but you no longer need the certificate? Let’s Encrypt certificates will automatically expire after 90 days. Is it enough to delete the certificate and its private key?

As a background, this is my concrete scenario:

When we deploy new software, it will create new EC2 instances, which will eventually replace the existing instances (immutable server pattern).
At startup, new instances will acquire a new Let’s Encrypt certificate.
Certificates (and their private keys) never leave the EC2 instance.

So, when old instances are terminated, the certificates assigned to that machine will be destroyed. At this point, we are no longer able to get access to the private key.

Questions:

From my understanding, revoking might be a good practice. But strictly speaking, it will not increase the security of the system (of course, assuming that the private key was not compromised). Is that correct?
Will it help the Let’s Encrypt operators to explicitly revoke unused certificates, or will it do more harm? (I’m not sure, but revoking could trigger extra processes, which might be unnecessary if there is no indication of the key being compromised.)

Continue reading Should I revoke no longer used Let’s Encrypt certificates before destroying them?→

How can LetsEncrypt and other similar services verify ownership of a domain over insecure http? [duplicate]

Posted on May 4, 2017 by Markasoftware

This question already has an answer here:

What makes Let’s Encrypt secure?

5 answers

LetsEncrypt allows you to verify ownership of your domain using the .well-known thing, but since the site is http before the first certificate is issued, couldn’t somebody do an MITM attack to give letsencrypt the response it wants without actually owning the domain? I’m pretty sure the people at LE know what they’re doing, I just want to know how it works.

EDIT:

To clarify, I am talking about spoofing the entire process, not just guessing the nonce used after a legitimate owner begins the process. I am talking about an attacker running certbot and doing the entire thing.

Continue reading How can LetsEncrypt and other similar services verify ownership of a domain over insecure http? [duplicate]→

Is it a security risk to allow index listing of the .well-known/acme-challenge directory?

Posted on May 3, 2017 by ctrueden

To register an SSL certificate via the Let’s Encrypt authority, one must serve a special file in /.well-known/acme-challenge/<token> with specific contents. Apologies if I missed it in the documentation, but it is not c… Continue reading Is it a security risk to allow index listing of the .well-known/acme-challenge directory?→

Why can’t Let’s Encrypt support wildcard certificates?

Posted on April 23, 2017 by Mehrdad

Let’s Encrypt claims:

We do not offer Organization Validation (OV), Extended Validation (EV), or wildcard certificates, primarily because we cannot automate issuance for those types of certificates.

To be honest, I… d… Continue reading Why can’t Let’s Encrypt support wildcard certificates?→

Is it the responsibility of a certificate authority to ensure an SSL is not used for nefarious purposes?

Posted on March 28, 2017 by Goose

I read this in the news recently

Let’s Encrypt has issued 15,000 SSL certificates to PayPal phishing
sites (Security experts call on firm to refuse certificates for
domains containing popular brand names)

https://ww… Continue reading Is it the responsibility of a certificate authority to ensure an SSL is not used for nefarious purposes?→

Chrome doesn’t see SSL certificate for main domain while sees for www

Posted on February 22, 2017 by Greg

I have the following issue: Chrome browser (both desktop and mobile) shows me “Not Secure” label for my main domain “https://astrakhan.ru/” while it works OK for “https://www.astrakhan.ru/”.

Firefox and IE work just fine. SS… Continue reading Chrome doesn’t see SSL certificate for main domain while sees for www→

Chrome doesn’t see SSL certificate for main domain while sees for www

Posted on February 22, 2017 by Greg

Firefox and IE work just fine. SS… Continue reading Chrome doesn’t see SSL certificate for main domain while sees for www→

LetsEncrypt and GAE ssl error in chain even though certificates are valid?

Posted on February 17, 2017 by user2281290

So I am using Google App Engine(GAE) and installed a certificate from letsencrypt but whenever I get the webpage I get this error. NET::ERR_CERT_INVALIDand I don’t know what to do. Here is my entire chain.

—–BEGIN CERTIFI… Continue reading LetsEncrypt and GAE ssl error in chain even though certificates are valid?→

HTTPS Hits 50 Percent Traffic Milestone

Posted on February 1, 2017 by Tom Spring

This week HTTPS hit a huge milestone. According to a two-week survey of telemetry data from the Mozilla Firefox browser, 50 percent of page loads used HTTPS. Continue reading HTTPS Hits 50 Percent Traffic Milestone→