VGMdb Forums > VGMdb Site Related > Questions and Comments
#1  ibmibmibm (Junior Member), Jun 13, 2016, 11:47 PM
Let's Encrypt - Free SSL/TLS Certificates

Let's Encrypt is a certificate authority that provides free certificates for TLS encryption, aka the https protocol.
I think that we can use this service to encrypt our connections to protect our passwords from being leaked.

Official website: https://letsencrypt.org
Wikipedia page: https://en.wikipedia.org/wiki/Let%27s_Encrypt
#2  CHz (VGMdb Administrator), Jun 13, 2016, 11:49 PM

FYI: this is a legitimate suggestion to allow HTTPS access to VGMdb! I unbanned ibmibmibm after their last thread about this was deleted, I'm assuming because it looked like spam.
#3  nextday (VGMdb Staff), Jun 14, 2016, 04:16 AM

Yes, Let's Encrypt is a great project with the goal of getting HTTPS everywhere.

Definitely support.
#4  LiquidAcid (Trusted Editor), Jun 14, 2016, 08:55 AM

While the idea of the project is certainly nice, they've recently been under fire for this incident:
Email Address Disclosures, Preliminary Report, June 11 2016

IMHO this is something which should not happen with a project where the main goal is security.
#5  Nisto (VGMdb Staff), Jun 14, 2016, 02:03 PM

I'm glad someone brought it up. Been feeling like it's long overdue. They may have issues, but it's free and automatic certificate renewal is a big plus for security of course. And it's still better than no security.
#6  Datschge (Trusted Editor), Jun 16, 2016, 02:24 PM

Quote: Originally Posted by LiquidAcid
While the idea of the project is certainly nice, they've recently been under fire for this incident:
Email Address Disclosures, Preliminary Report, June 11 2016

IMHO this is something which should not happen with a project where the main goal is security.
It's possible to request a certificate without giving any email. The email is only used for notification about pending expiration of the certificates, which are valid only for 90 days each. Also, while incredibly stupid (just like their client assuming full admin access on the server while wanting to be able to update itself, a real security nightmare), I honestly can't imagine this being a huge actual issue; every webmaster worth his salt would use a semi-public standard email like hostmaster@domain.tld instead of a personal one.
#7  LiquidAcid (Trusted Editor), Jun 17, 2016, 12:43 AM

The problem is not that the issue is related to email address disclosure, but that it shows that the project is struggling with minor/trivial tasks. Security is based on trust. I have to trust "Let's Encrypt" that they do their certification correctly and that nobody else has access to their infrastructure. And this incident at least doesn't increase my trust.

That is why I kinda disagree with Nisto. No security is better than the false sense of security, which is deceiving and dangerous.
#8  nextday (VGMdb Staff), Jun 17, 2016, 02:56 AM

There's been nothing to indicate that the certification itself is insecure, as far as I know.

The email issue was caused by a poorly designed feature in the Python package they were using. They were very quick to react, with less than 2% of the emails being sent. It could have been much worse.
#9  Datschge (Trusted Editor), Jun 17, 2016, 09:30 AM

Quote: Originally Posted by LiquidAcid
No security is better than the false sense of security, which is deceiving and dangerous.
This is a patently and dangerously false statement. Let's Encrypt is little more than basic-level certification without identification, something that was already possible with self-signing before, which has been a major hassle since all browsers either make it impossible or hard to add exceptions. The actual security between client and server is fully up to the crypts supported by the client and server; Let's Encrypt is in no way involved anymore at that point.

If you want to talk about false sense of security you should rather look at root cert authority Symantec/VeriSign buying BlueCoat, a company allegedly involved in creating and selling spyware to oppressive countries. Any root cert authority included in your system has the ability to create faked certs for any site, allowing them to hide man in the middle attacks that otherwise would generate certificate errors.
#10  LiquidAcid (Trusted Editor), Jun 17, 2016, 09:39 AM

I wasn't talking about the Let's Encrypt project when I commented on Nisto's statement.
#11  Datschge (Trusted Editor), Jun 17, 2016, 10:03 AM

Nisto is clearly talking about the Let's Encrypt project though.
#12  LiquidAcid (Trusted Editor), Jun 17, 2016, 02:22 PM

I was only addressing this specific snippet
Quote: Originally Posted by Nisto
And it's still better than no security.
with this part of my message.
Quote: Originally Posted by LiquidAcid
That is why I kinda disagree with Nisto. No security is better than the false sense of security, which is deceiving and dangerous.
This is independent of the Let's Encrypt or even SSL/TLS context for me. And I still stand by this. Don't just adopt something because it advertises itself with security, but properly evaluate first if this is really the case.

Is it with Let's Encrypt? I don't know, and honestly it's not me who decides who to trust in this case.

Anyway, the aforementioned fake cert issue to allow man-in-the-middle attacks can also happen here. You need to trust them that they really keep their root CA offline (reference) and secure. Also I'm well aware of VeriSign and their dealings. In my opinion the whole SSL system with CAs is a broken mess, not so much because of the algorithms involved but more because it doesn't properly handle the (corrupt) human factor.
#13  Datschge (Trusted Editor), Jun 18, 2016, 04:09 AM

Quote: Originally Posted by LiquidAcid
Anyway, the aforementioned fake cert issue to allow man-in-the-middle attacks can also happen here. You need to trust them that they really keep their root CA offline (reference) and secure.
There is a huge difference between simply offering a secure connection (which is what Let's Encrypt makes easy to make use of) and pretending to be someone else (full TLS certificates are used not only to enable secure connections but also to identify the server as the correct endpoint for a verified company or individual; that's something Let's Encrypt doesn't offer and is where man-in-the-middle attacks really hurt).

I agree the CA system is rotten. The only conclusion can be that trustworthy servers take the matter in their own hands and need to have certificate and public key pinning implemented for man in the middle attacks to be impossible. Once that's done (and all browsers support HPKP, booh Microsoft and Apple...) the choice of CA doesn't really matter anymore.

Anyway going back to the encrypted vs. plain text connection debate, the former is always better even if it may be not actually perfectly secured (which is completely in the hands of the server maintainers nowadays), the latter always allows everybody to do any and all ways of abuse on the connection and you won't ever notice.
#14  ibmibmibm (Junior Member), Jun 19, 2016, 01:05 AM

There's a protocol for defending against Man-In-The-Middle attacks over https, called [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning).
This is done by adding a certificate hash value in the HTTP response header, and the browser will record this hash for a specified period.
#15  Gigablah (VGMdb Administrator), Oct 14, 2017, 07:21 AM
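Posts #13 and #14 describe pinning: the server sends a Public-Key-Pins header carrying hashes of its keys and the browser remembers them for max-age seconds. As an added example (not code from the thread), the stdlib-only Python below builds, parses and validates such a header as RFC 7469 specifies (including the mandatory backup pin) and performs the browser-side check on a later visit; the SPKI byte strings are constructed placeholders, not real keys. Browsers have since removed HPKP support, so this illustrates the mechanism rather than a deployable control.

```python
# Added example, not from the thread: HPKP header handling per RFC 7469.
# A pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of a key in
# the chain.  SPKI inputs here are constructed placeholder bytes.
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one key: base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False):
    """Assemble a Public-Key-Pins value; RFC 7469 demands a backup pin."""
    if len(set(pins)) < 2:
        raise ValueError("need at least two distinct pins (one must be a backup)")
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_pkp_header(value):
    """Split a header value into (pins, max_age, include_subdomains)."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub


def header_is_valid(value):
    """A user agent ignores the header without max-age or fewer than two
    well-formed pins (each must decode to exactly 32 bytes)."""
    pins, max_age, _ = parse_pkp_header(value)
    if max_age is None or len(set(pins)) < 2:
        return False
    for pin in pins:
        try:
            if len(base64.b64decode(pin, validate=True)) != 32:
                return False
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
    return True


def chain_matches_pins(pins, chain_spki_ders):
    """Browser-side check on a later visit: some key in the presented chain
    must match a remembered pin, otherwise the connection is refused."""
    remembered = set(pins)
    return any(spki_pin(der) in remembered for der in chain_spki_ders)
```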

An update on this: I've obtained an SSL cert for VGMdb. Although I went with DigiCert for now rather than Let's Encrypt. (I specifically avoided anything Symantec / VeriSign / etc due to this).

I had to fix a lot of places in the code that hardcoded the protocol, so please test out the HTTPS site and let me know if there's any bad redirects, insecure mixed content links and so on.

https://vgmdb.net
#16  ibmibmibm (Junior Member), Oct 21, 2017, 08:18 AM
According to the SSL report from ssllabs:
https://www.ssllabs.com/ssltest/anal...ml?d=vgmdb.net
Many SSL settings need to be adjusted.

This site provides a config generator for Apache and nginx servers:
https://mozilla.github.io/server-sid...fig-generator/
#17  Gigablah (VGMdb Administrator), Oct 21, 2017, 04:43 PM

Thanks. I've already tried those resources. Unfortunately we're running on an old OS so some settings can't be used. In order to get an A grade we'll have to install a new OS and upgrade all our system software, which is something I plan to do after I move some other tenants off the server.