[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple

TxMoose kyle at txmoose.com
Tue Mar 14 11:52:27 EDT 2017


This point falls exactly into what I mean by "understanding the 
limitations of the system."  That being said, *many* paid certs these 
days do literally no more checking than LE does.

On top of that, you can verify LE certs via DNS TXT records, which is 
supposed to be identity validation, as only the domain owner should be 
able to create the TXT record AND the registrar should verify at least 
valid contact information yearly, if not more.

He stated that he really only needed it for internal users, though, so I 
think it would fall right in line with his needs.

---
Very respectfully,
Kyle Brieden

On 14-03-2017 11:11, Scott M. Jones wrote:
> Let's Encrypt does an excellent job at encryption but only does just
> that.  It does not provide any confirmation of identity which is the
> other major job that certs do.  If you are developing a site that
> requests or displays sensitive customer information, a commercial cert
> might be a better choice.
> 
> -Scott
> 
> 
> On 3/14/17 11:06 AM, TxMoose wrote:
>> +1 for Let's Encrypt.  It is an excellent solution, as long as you're
>> willing to put in an afternoon to:
>> 
>> 1. Understand what the platform is and is not for
>> 2. Understand the limitations based on point 1
>> 3. Properly configure your environment/automation, if you have any
>> 4. Set up automation (read: a single cron command) to renew certs
>> 5. Ensure you have audit procedures in place to prune unneeded certs
>> when necessary
>> 
>> 
>> I personally use LE for all my things, including my NextCloud instance,
>> my email server, and my resume.  I have 2 machines that check for expiry
>> every Monday at 2AM and replace certs that are within 30 days of
>> expiring.  It is entirely automated, and I get emails that tell me what
>> was and was not updated.
>> 
>> Let's Encrypt is, hands down, one of the best things that has ever
>> happened to the modern internet.
>> 
>> ---
>> Very respectfully,
>> Kyle Brieden
>> 
>> On 14-03-2017 10:53, Scott Plante wrote:
>>> Apparently Chrome was just rejecting StartCOM / StartSSL certs issued
>>> after Oct 2016, but starting with v57 just released, it's rejecting
>>> all StartSSL certs except Alexa top 1M sites. I started getting
>>> complaints this morning about our internal mail server. We've been
>>> using paid SSL for customer stuff, but StartSSL for various domains
>>> used just by our own people.
>>> 
>>> I have paid for, and never minded the StartSSL revocation fee. My
>>> understanding is that the resources needed to issue a cert are fairly
>>> low, but the clients across the world constantly checking for
>>> revocations takes a lot more, hence putting the fee there.
>>> 
>>> I see LetsEncrypt / certbot being suggested for free certs now. Has
>>> anyone tried them or have any thoughts? I suppose now I'm going to
>>> have to make a move. InCommon isn't an option for us.
>>> 
>>> https://letsencrypt.org/
>>> https://certbot.eff.org/
>>> 
>>> Scott
>>> 
>>> -------------------------
>>> 
>>> FROM: "Jim Kinney" <jim.kinney at gmail.com>
>>> TO: "Atlanta Linux Enthusiasts - Yes! We run Linux!" <ale at ale.org>
>>> SENT: Monday, January 30, 2017 5:05:46 PM
>>> SUBJECT: Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
>>> Google, Apple
>>> 
>>> Yes. All the work stuff that public sees is InCommon. All the work
>>> stuff for department only is self signed from our CA.
>>> 
>>> For the stuff that really matters, it's self-signed, private CA and
>>> client certs as well.
>>> 
>>> On Jan 30, 2017 5:00 PM, "Lightner, Jeffrey"
>>> <JLightner at dsservices.com> wrote:
>>> 
>>>> Self signed certificates may work for purely internal setups but for
>>>> web services presented to the outside world they seldom do.
>>>> 
>>>> If I were to go to emory.edu [1] and it asked me to accept a self
>>>> signed certificate rather than one from a well known CA I’d
>>>> probably abandon the connection on the theory it was a spoof.   One
>>>> doesn’t buy certificates because of a desire to spend money –
>>>> one buys certificates so others can reasonably trust (based on the
>>>> CA) the certificate is valid.
>>>> 
>>>> Even if I knew and trusted someone at Emory who could provide me
>>>> with the root certificate on the servers there I’d likely not
>>>> bother to import it just due to the annoyance factor.   Having to
>>>> install root certificates for well known CAs is all well and good.
>>>> Having to install them for everyone that decides they want to self
>>>> sign would be an administrative nightmare.
>>>> 
>>>> On checking just now it appears Emory uses a specific CA called
>>>> “InCommon” apparently built specifically for .edu sites.
>>>> 
>>>> FROM: ale-bounces at ale.org [mailto:ale-bounces at ale.org] ON BEHALF OF
>>>> Jim Kinney
>>>> SENT: Monday, January 30, 2017 4:30 PM
>>>> TO: Atlanta Linux Enthusiasts - Yes! We run Linux!
>>>> SUBJECT: Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
>>>> Google, Apple
>>>> 
>>>> All of my certs are self signed from my own CA. If you don't trust
>>>> them, you don't need to be there anyway.
>>> 
>>> 
>>> 
>>> Links:
>>> ------
>>> [1] http://emory.edu
>>> 
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
> 
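The weekly expiry check Kyle describes (run Mondays, renew anything within 30 days of expiring, mail a summary of what was and was not updated), written out as an added example that is not code from the list post. The host labels and dates are constructed sample data; `cert_not_after()` assumes the `openssl` CLI is installed, and the renewal step itself (certbot or whatever issues the cert) is left to the caller.

```python
"""Weekly cert-expiry triage (added example, not from the list post):
flag certs expiring within 30 days, like the cron job described above."""
import subprocess
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # the post's "within 30 days of expiring"

# Constructed sample, in the format `openssl x509 -noout -enddate` prints.
SAMPLE_ENDDATES = {
    "cloud.example.test": "notAfter=Apr  1 02:00:00 2017 GMT",
    "mail.example.test": "notAfter=Jun 10 12:00:00 2017 GMT",
    "old.example.test": "notAfter=Mar  1 00:00:00 2017 GMT",
}
# Monday 2017-03-13 02:00 UTC: the Monday-2AM schedule from the post.
SAMPLE_NOW = datetime(2017, 3, 13, 2, 0, tzinfo=timezone.utc)

def parse_enddate(line: str) -> datetime:
    """Parse 'notAfter=Jun  1 12:00:00 2017 GMT' into an aware datetime."""
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)

def cert_not_after(path: str) -> datetime:
    """Read notAfter from a PEM file on disk (needs the openssl CLI)."""
    cmd = ["openssl", "x509", "-noout", "-enddate", "-in", path]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_enddate(out.stdout)

def triage(not_after: dict, now: datetime, window: int = RENEW_WITHIN_DAYS) -> dict:
    """Map label -> (days_left, action): 'expired', 'renew' or 'keep'."""
    result = {}
    for label, expiry in not_after.items():
        days_left = (expiry - now).days
        if days_left < 0:
            action = "expired"
        elif days_left <= window:
            action = "renew"
        else:
            action = "keep"
        result[label] = (days_left, action)
    return result

def report(triaged: dict) -> str:
    """The 'what was and was not updated' summary that gets mailed."""
    return "\n".join(f"{label}: {days} days left -> {action}"
                     for label, (days, action) in sorted(triaged.items()))

if __name__ == "__main__":  # run on the constructed sample
    sample = {k: parse_enddate(v) for k, v in SAMPLE_ENDDATES.items()}
    print(report(triage(sample, SAMPLE_NOW)))
```

An "expired" entry is the case the audit step in the original list is meant to catch: a cert that was never renewed because its host dropped out of the automation.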

