#1
Let's Encrypt - Free SSL/TLS Certificates
Let's Encrypt is a certificate authority that provides free certificates for TLS encryption, aka the https protocol.
I think that we can use this service to encrypt our connections to protect our passwords from being leaked. Official website: https://letsencrypt.org Wikipedia page: https://en.wikipedia.org/wiki/Let%27s_Encrypt
#2
FYI: this is a legitimate suggestion to allow HTTPS access to VGMdb! I unbanned ibmibmibm after their last thread about this was deleted, I'm assuming because it looked like spam.
#3
Yes, Let's Encrypt is a great project with the goal of getting HTTPS everywhere.
Definitely support.
#4
While the idea of the project is certainly nice, they've recently been under fire for this incident: Email Address Disclosures, Preliminary Report, June 11 2016.
IMHO this is something which should not happen with a project where the main goal is security.
#5
I'm glad someone brought it up. Been feeling like it's long overdue. They may have issues, but it's free and automatic certificate renewal is a big plus for security of course. And it's still better than no security.
#6
Quote:
#7
The problem is not that the issue is related to email address disclosure, but that it shows that the project is struggling with minor/trivial tasks. Security is based on trust. I have to trust "Let's Encrypt" that they do their certification correctly and that nobody else has access to their infrastructure. And this incident at least doesn't increase my trust.
That is why I kinda disagree with Nisto. No security is better than a false sense of security, which is deceiving and dangerous.
#8
There's been nothing to indicate that the certification itself is insecure, as far as I know.
The email issue was caused by a poorly designed feature in the Python package they were using. They were very quick to react, with less than 2% of the emails being sent. It could have been much worse.
#9
Quote:
If you want to talk about false sense of security you should rather look at root cert authority Symantec/VeriSign buying BlueCoat, a company allegedly involved in creating and selling spyware to oppressive countries. Any root cert authority included in your system has the ability to create faked certs for any site, allowing them to hide man in the middle attacks that otherwise would generate certificate errors.
#10
I wasn't talking about the Let's Encrypt project when I commented on Nisto's statement.
#11
Nisto is clearly talking about the Let's Encrypt project though.
#12
I was only addressing this specific snippet
Quote:
Quote:
Is it with Let's Encrypt? I don't know, and honestly it's not me who decides who to trust in this case. Anyway, the aforementioned fake cert issue to allow man-in-the-middle attacks can also happen here. You need to trust them that they really keep their root CA offline (reference) and secure. Also I'm well aware of VeriSign and their dealings. In my opinion the whole SSL system with CAs is a broken mess, not so much because of the algorithms involved but more because it doesn't properly handle the (corrupt) human factor.
#13
Quote:
I agree the CA system is rotten. The only conclusion can be that trustworthy servers take the matter in their own hands and need to have certificate and public key pinning implemented for man in the middle attacks to be impossible. Once that's done (and all browsers support HPKP, booh Microsoft and Apple...) the choice of CA doesn't really matter anymore. Anyway going back to the encrypted vs. plain text connection debate, the former is always better even if it may be not actually perfectly secured (which is completely in the hands of the server maintainers nowadays), the latter always allows everybody to do any and all ways of abuse on the connection and you won't ever notice.
#14
There's a protocol for defending against man-in-the-middle attacks over https, called [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning).
This is done by adding a certificate hash value in the HTTP response header, and the browser will record this hash for a specified period.
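As an added illustration of the header described above (example code written for this page, not code from the thread or from any browser), the following Python parses an RFC 7469 Public-Key-Pins header and applies the checks a browser performs: each pin-sha256 is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, one pin must match the served chain, and a header is only stored when it carries a max-age and a backup pin not in the chain. The SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Added example (not code from the thread): parse an HPKP Public-Key-Pins
# header as defined in RFC 7469 and run the browser-side checks on a served
# chain. SPKI byte strings below are constructed stand-ins, not real DER keys.

def pin_sha256(spki_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) is the value a pin-sha256 carries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(header):
    """Split the header into its pin list, max-age and includeSubDomains flag."""
    parsed = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            parsed["pins"].append(value)
        elif name == "max-age":
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed

def chain_matches(parsed, chain_spki):
    """Pin validation: at least one pin must match an SPKI in the served chain."""
    return any(pin_sha256(spki) in parsed["pins"] for spki in chain_spki)

def should_note(parsed, chain_spki):
    """A UA only stores ('notes') pins from a chain that validates, with
    max-age present and at least two pins, one of which is a backup pin
    not present in the chain (RFC 7469 sections 2.5 and 2.6)."""
    chain_pins = {pin_sha256(spki) for spki in chain_spki}
    has_backup = any(pin not in chain_pins for pin in parsed["pins"])
    return (parsed["max_age"] is not None and len(parsed["pins"]) >= 2
            and chain_matches(parsed, chain_spki) and has_backup)

# Constructed stand-in SPKIs: the served leaf/intermediate and an offline backup key.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-key-spki"
SERVED_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]

# Header a server would send: pin the intermediate key plus a backup key.
HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
          % (pin_sha256(INTERMEDIATE_SPKI), pin_sha256(BACKUP_SPKI)))
```

Mainstream browsers have since removed HPKP support, so this shows the mechanism rather than a header worth deploying today; the missing-backup-pin rejection in should_note is the check that guarded against sites locking out their own users after a key rotation.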
#15
An update on this: I've obtained an SSL cert for VGMdb. Although I went with DigiCert for now rather than Let's Encrypt. (I specifically avoided anything Symantec / VeriSign / etc due to this).
I had to fix a lot of places in the code that hardcoded the protocol, so please test out the HTTPS site and let me know if there are any bad redirects, insecure mixed content links and so on. https://vgmdb.net
#16
According to the SSL report from ssllabs:
https://www.ssllabs.com/ssltest/anal...ml?d=vgmdb.net Many SSL settings need to be adjusted. This site provides a config generator for Apache and nginx servers: https://mozilla.github.io/server-sid...fig-generator/
#17
Thanks. I've already tried those resources. Unfortunately we're running on an old OS so some settings can't be used. In order to get an A grade we'll have to install a new OS and upgrade all our system software, which is something I plan to do after I move some other tenants off the server.