
Comment Re:Letsencrypt versus a 'real' CA (Score 2) 186

That's just it. BleepingComputer doesn't understand the difference between a DV and an EV certificate and falsely assumes that Let's Encrypt is not doing exactly what a Certificate Authority issuing a DV certificate is supposed to do: verify that the requester is capable of administering the domain in question, and nothing more.

Comment Re: Never saw that coming (Score 1) 186

Depending on which CA, there won't be much extra verification.

The ones that don't do much extra by policy don't qualify to have their root certificate included in browsers.

Although, for some reason Chrome does not show the company name on Organization-Verified certificates.

Because OV certificates are the category you mention above, there isn't much extra qualification involved. Firefox also doesn't show OV certificates as green.

Comment Re: but you arent a traditional CA (Score 1) 186

Sorry, wrong "chain of trust". You're talking about a chain of trust back to the CA. I.e. the website claims that they are a specific server, they claim another authority validated that, and the other authority is a root authority trusted by the browser, and they can show that through the certificate chain. That is the chain of trust that will break the lock and bring up warnings if it is not set up correctly.

The "chain of trust" (I shouldn't have used that phrase) I was talking about is that you're talking to a server which claims to be responding for a domain, which claims to be part of an organisation, which has been shown to be a legally registered business in some country of the world. This is achieved through EV certificates, something that Lets Encrypt does not provide, and something that companies like PayPal use to prevent phishing.

Comment Re:Fundamental flaw of the CA infrastructure (Score 1) 186

The CA IS chosen by the client. It is your prerogative who you trust to be a CA. The browsers only come with a list of defaults. That list of defaults is based on what the browser vendors think is sane based on the performance of the authority. And quite frankly, an authority that actually physically checks that a user is able to run a script that modifies a directory on a server within the domain in question is pretty damn authoritative on defining that a server belongs to the domain it claims (the scope of a DV certificate).
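
The check the comment above describes (the CA confirming that whoever asked for the certificate can place a file in a directory on the domain's web server) is the ACME HTTP-01 challenge. The following is an added example written for this page, not Let's Encrypt's or any ACME client's code: it computes the "key authorization" the applicant must publish under /.well-known/acme-challenge/ (RFC 8555 section 8.3, built on the JWK thumbprint of RFC 7638) and the comparison the CA makes when it fetches that URL. The account keys and the in-memory "web server" are constructed placeholders (the JWK values are not real keys; thumbprinting only hashes them).

```python
"""Added example: the ACME HTTP-01 domain-control check a DV CA performs.
Applicant side: publish token.<thumbprint(account key)> at the challenge URL.
CA side: fetch that URL and compare the body with the value the CA computes itself.
Not Let's Encrypt's code; illustrative only."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required public members are hashed, serialised with the
# members in lexicographic order and no whitespace. Extra members (kid, alg, ...)
# do not change the thumbprint.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """Challenge token chosen by the CA: at least 128 bits of entropy, base64url."""
    return b64url(secrets.token_bytes(16))


def key_authorization(token: str, account_jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


# Applicant side: the ACME client writes the key authorization into the webroot.
def publish_challenge(webroot: dict, domain: str, token: str, account_jwk: dict) -> None:
    webroot[(domain, challenge_path(token))] = key_authorization(token, account_jwk)


# CA side: fetch http://<domain>/.well-known/acme-challenge/<token> and compare.
# The body must be exactly the key authorization (trailing whitespace tolerated).
def validate_http01(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    body = fetch(domain, challenge_path(token))
    if body is None:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# Constructed placeholder JWKs (not real key material).
ACCOUNT_JWK = {"kty": "RSA", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFs",
               "e": "AQAB", "kid": "acct-1", "alg": "RS256"}
ATTACKER_JWK = {"kty": "RSA", "n": "x7PhrvUnkBnVvNDr4fCsQ9xmcFu1gMYDYRgJF4Xw",
                "e": "AQAB"}


def demo() -> dict:
    webroot = {}  # constructed stand-in for the domain's web server

    def fetch(domain, path):
        return webroot.get((domain, path))

    token = new_token()
    publish_challenge(webroot, "example.net", token, ACCOUNT_JWK)
    return {
        # The account that can write to example.net's webroot passes.
        "owner_passes": validate_http01(fetch, "example.net", token, ACCOUNT_JWK),
        # The same file proves nothing for a domain the applicant does not serve.
        "other_domain_fails": validate_http01(fetch, "example.org", token, ACCOUNT_JWK),
        # A different ACME account cannot ride on the published file.
        "attacker_key_fails": validate_http01(fetch, "example.net", token, ATTACKER_JWK),
        # A stale or guessed token finds no file.
        "wrong_token_fails": validate_http01(fetch, "example.net", new_token(), ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

The point the comment makes is visible in the last function: the CA never looks at who the applicant is, only at whether the account key that asked for the certificate can get a specific string served from the domain. That is the whole of what a DV certificate attests.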

Comment Re:As unpopular as it will be to hear... (Score 1) 143

but users of open software get that same ability by default

Nope. Again with the standard fallacy that because it's open, we can do what we want with it. For most people that is out of the realm of possibility, and you're just as dependent on third-party interest as before.

Sure you could be a completely non-IT house and suddenly decide to employ a bunch of coders to throw at the problem, but businesses who diversify like that don't typically last in the long term. Open source isn't some magic panacea.

Comment Re:Encryption without trust = dangerous illusion (Score 1) 186

You seem to imply because something is free and automated that there is a lack of trust. There is not. DV certificates still identify the server as responsible for responding on behalf of the domain in question.

What you're complaining about is trust beyond the machines and into the organisation and people behind the servers. This is something outside of the scope of DVs, outside of the scope of Let's Encrypt, and quite critically also handled and displayed differently to the user by the browsers.

There's nothing dangerous here, just a bunch of people who don't know what they are talking about. You want to pretend to be www.playpal.com? Go right ahead. You want to pretend to be PayPal Ltd [US] with the domain www.playpal.com? Well, Let's Encrypt won't let you do that.

Comment Re:silent s (Score 1) 186

If it doesn't authenticate anything then it is worthless

Oh but it does. A DV certificate authenticates that a computer responding on behalf of a domain is who it claims to be. Let's Encrypt is perfectly fine for that and does not issue any certificate with information that isn't completely authenticated. This is why they don't issue OV or EV certificates.

The S doesn't indicate anything to do with security and encryption. It indicates a different protocol to standard HTTP is being used. The various results of different certificates are shown differently by browsers. E.g. a DV certificate gives you a little green padlock, and an OV certificate gives you your fully qualified organisational name in the title.

You not understanding the difference doesn't make a CA any less trustworthy, and Let's Encrypt demonstrates 100% authenticity of the certificates they issue within the scope of what that certificate is intended to do: prevent MitM attacks by authenticating the endpoint as the correct *server*.

Comment Re:Fundamental flaw of the CA infrastructure (Score 1) 186

What would be really useful would be a CA that certifies the honesty of the sites. "If you see our green padlock, that means this site is reliable. If they scam you, we will refund you."

They already work the way you think. You just don't understand the difference between the green padlock and the green text that comes up with an OV or EV certificate.

The certificates issued to www.paypal.com will show a green padlock along with the very obvious text "PayPal Ltd [US]" next to it. The certificates issued to www.playpal.com will only show that little padlock indicating the channel is encrypted.

Comment Re:but you arent a traditional CA (Score 1) 186

These things are not better than self-signed

And they are not trying to be. Why would you block a CA issuing only DV certificates when their process 100% confirms that the requestor of the DV certificate is the server owner?

Do you not trust your communication to Slashdot to be secure?

Comment Re: but you arent a traditional CA (Score 1) 186

Domain certificates do not identify or authenticate anything more than the server claiming to be the domain, and Let's Encrypt does a good job of proving that, probably more so than most other CAs.

If you want extended validation (the one that makes your browser say "PayPal Ltd. [US]" in the title bar rather than simply displaying a little green lock), then that's a different process and a different certificate, one which Let's Encrypt does not issue.

Comment Re: but you arent a traditional CA (Score 1) 186

I am going to confuse that with the real paypal.

Except that's not the difference you get in a browser. If you connect to a site with a domain validation certificate like the one Let's Encrypt issues, then all the browser will say is "Secure".

If you're wanting to guarantee that you're actually connecting to PayPal then that's a completely different certificate with a completely different process for a completely different purpose, and shock horror it is handled differently by the browser and displayed differently to the end user. Instead of "secure" the browser bar will say "PayPal Ltd. [US]"
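
Several of the comments above (the www.paypal.com versus www.playpal.com ones in particular) rest on two things a browser does with a certificate before deciding what to show. The following added example, written for this page and not taken from the thread or any browser, shows both: the hostname check against the certificate's subjectAltName (RFC 6125 rules, including the one-label wildcard restriction), which is the entire scope of what a DV certificate proves, and the validation level read from the CA/Browser Forum policy OIDs that CAs put in certificatePolicies (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV). The certificate dicts are constructed stand-ins for parsed X.509 data, not the real sites' certificates, and the UI strings mirror the address-bar behaviour the comments describe (Chrome and Firefox have since dropped the EV organisation-name indicator, but the checks underneath are unchanged).

```python
"""Added example: hostname matching and DV/OV/EV classification as a browser
would do them, on constructed certificate data. Not browser or CA code."""

# CA/Browser Forum reserved certificate policy identifiers.
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"
CABF_OV = "2.23.140.1.2.2"


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125 style match of the requested host against dNSName SAN entries.
    A wildcard must be the whole leftmost label, matches exactly one label,
    and is never accepted directly under a top-level label (no *.com)."""
    host = _normalize(hostname)
    host_labels = host.split(".")
    for san in san_dns_names:
        pattern = _normalize(san)
        if pattern == host:
            return True
        labels = pattern.split(".")
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def validation_level(cert: dict) -> str:
    """Classify by the CA/B Forum policy OID; OV and EV must also carry an
    organisation (and for EV a country) in the subject."""
    policies = set(cert.get("policies", ()))
    subject = cert.get("subject", {})
    if CABF_EV in policies and "O" in subject and "C" in subject:
        return "EV"
    if CABF_OV in policies and "O" in subject:
        return "OV"
    if CABF_DV in policies:
        return "DV"
    return "unknown"


def ui_indicator(cert: dict, requested_host: str) -> str:
    """What the address bar showed in the browsers the thread discusses:
    a name mismatch is an error, EV shows the organisation, DV and OV show only 'Secure'."""
    if not hostname_matches(requested_host, cert.get("san", ())):
        return "ERROR: certificate name mismatch"
    if validation_level(cert) == "EV":
        return f"{cert['subject']['O']} [{cert['subject']['C']}]"
    return "Secure"


# Constructed certificate data (placeholders, not the real sites' certificates).
PAYPAL_EV = {
    "subject": {"CN": "www.paypal.com", "O": "PayPal, Inc.", "C": "US"},
    "san": ["www.paypal.com", "paypal.com"],
    # second OID is a made-up CA-specific policy, as real EV certs also carry one
    "policies": [CABF_EV, "1.3.6.1.4.1.99999.1"],
}
PLAYPAL_DV = {
    "subject": {"CN": "www.playpal.com"},
    "san": ["www.playpal.com"],
    "policies": [CABF_DV],
}


if __name__ == "__main__":
    for cert, host in ((PAYPAL_EV, "www.paypal.com"),
                       (PLAYPAL_DV, "www.playpal.com"),
                       (PLAYPAL_DV, "www.paypal.com")):
        print(host, "->", validation_level(cert), "|", ui_indicator(cert, host))
```

The third case in the usage block is the one the thread keeps circling: a DV certificate for www.playpal.com is perfectly valid for www.playpal.com and is rejected outright for www.paypal.com, because the hostname check runs regardless of validation level. The organisation string only ever appears when the policy OID and subject say EV, which a DV-only CA cannot produce.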
