Wayne_Evans
Newcomer III

I read this... and unsure if I agree

Hi all,

I read the following blog post from a John Horst. While I agree at a high level on some of the points, I disagree with the viewpoint about Let's Encrypt. I think it is a really good idea, and brings at least a small level of TLS to sites that couldn't afford, or didn't want to spend cash on, a certificate.

What are other people's thoughts?

“Why Let’s Encrypt is a really, really, really bad idea…” by John Horst, CISSP® — ISSAP® https://link.medium.com/zwhWqMCoC8
6 Replies
CraginS
Defender I


@Wayne_Evans wrote:
...
What are other people's thoughts?

“Why Let’s Encrypt is a really, really, really bad idea…” by John Horst, CISSP® — ISSAP® https://link.medium.com/zwhWqMCoC8

Wayne,

I agree with all of John's critiques and operational analysis, but disagree with his final conclusion. He has left out of the overall analysis the risk and threat analysis each potential user-site should have completed. Using TLS (https) for all connections does protect against content monitoring of the traffic. The site seeking that protection must evaluate the level of protection the traffic needs, and the legal and financial impact of being monitored. Even major sites distinguish this aspect by using data classification and allowing some content to travel by http, but protecting other data with https.

Small or non-commercial sites may not need the legal or financial protection of a commercial CA for site certificates, and may find Let's Encrypt quite suitable.


Also, a reminder that end users can gain some added protection of https by using the Electronic Frontier Foundation's browser extension HTTPS Everywhere.


Final note: John Horst's LinkedIn profile says his CISSP-ISSAP expired in 2017.


Thank you for posting this article. Lots of good stuff to think about in it, and I appreciate your position of not being sure about agreeing.


Craig


D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
AppDefects
Community Champion

Clearly, Johnny Hurst is looking for an ego boost by trying to create mass hysteria by creating doubt on rock-solid technology. Feeling lonely, John? COVID-19 got you down? Where's the love? Dissing your "pocket protector" friends for a few likes? Kinda sad...

rslade
Influencer II

> Wayne_Evans (Newcomer III) edited a topic in Threats on 08-02-2020 04:43 AM in

> Hi all, I read the follow blog post from a John Horst, while I agree at a high
> level on some of the points I disagree with the view point about let's encrypt.
> I think, it a really good idea, and brings at least a small level of TLS to
> sites that couldn't afford or want to spend cash on a certificate. What are
> other people's thoughts?

Oh, I agree with Horst. His points are very valid. Public Key Infrastructure is a
non-trivial task, and "Let's Encrypt" is a convenience for people who don't want
to do it properly. At the moment it provides additional protection, but if too
many people start to rely upon it, well, we know that pretty much every major
attack on security uses a weakness that people use for convenience's sake ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
The trouble with having an open mind, of course is that people
will insist on coming along and trying to put things in it.
- Terry Pratchett
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413


This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Beads
Advocate I

Have to agree more with @rslade on this one, with one remaining question. What beyond the price point makes this attractive? Does Let's Encrypt have better technology? Better defenses? If this is the way to TLS, why would anyone pay for other TLS certificates if otherwise funded?


Other than that I get the message but what's the catch? I'm a security guy and always a bit wary when things sound too good to be true.


- b/eads

denbesten
Community Champion


@Beads wrote:

What beyond the price point makes this [Let's Encrypt] attractive?


I like the fact that they have short-lived certificates (90 days) and oblige admins to set up auto-renewal as a condition of certificate issuance, and that they respect CAA records (actually a requirement enforced upon CAs).


I don't much care about the fact that when I authorize them to issue certs for my domain (CAA), anyone in my organization can request certs.  My current CA will only issue certs for my domain from my account(s).  Although one can work around this by putting the CAA record on the host, it is not quite as elegant.
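As an added illustration of the CAA behaviour denbesten describes (example code, not from the thread): a simplified RFC 8659 CAA lookup over a constructed in-memory zone, showing how a CAA record published on the host itself takes precedence over the one at the domain apex. The domain names and the "ca.example.test" CA identifier are hypothetical.

```python
# Added example: how a CA evaluates CAA records (RFC 8659) for a hostname.
# The CA climbs from the name toward the root and uses the FIRST CAA RRset it
# finds, so a host-level record overrides the apex record, which is the
# workaround denbesten mentions.  DNS data is a constructed in-memory zone.
from typing import Dict, List, Optional, Tuple

# Constructed CAA data: owner name -> list of (flags, tag, value).
CAA_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    # Apex: Let's Encrypt may issue ordinary certs; nobody may issue wildcards.
    "example.test": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    # Host-level record: only a hypothetical in-house CA may issue for this host.
    "billing.example.test": [(0, "issue", "ca.example.test")],
}


def find_caa_set(name: str) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Return (owner, rrset) of the closest CAA RRset at or above name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_ZONE:
            return candidate, CAA_ZONE[candidate]
    return None, []


def ca_may_issue(name: str, ca_domain: str) -> bool:
    """True if the CA identified by ca_domain may issue a certificate for name."""
    wildcard = name.startswith("*.")
    query = name[2:] if wildcard else name
    owner, rrset = find_caa_set(query)
    if owner is None:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    # For wildcard names, issuewild takes precedence when present; else issue applies.
    has_issuewild = any(tag == "issuewild" for _flags, tag, _value in rrset)
    relevant_tag = "issuewild" if wildcard and has_issuewild else "issue"
    values = [value for _flags, tag, value in rrset if tag == relevant_tag]
    if not values:
        return True  # RRset carries no relevant property (e.g. iodef only): no restriction
    # Each value is "<ca-domain>[; params]".  An empty domain (";") authorizes nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    allowed.discard("")
    return ca_domain.lower() in allowed
```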

Zeeman
Newcomer I

Setting up a properly functioning CA will require work, and it addresses some of the security challenges that we want to mitigate. As stated, I like the 90-day time to live as it forces a reset. I too don't agree with the conclusion. Each approach has its own pros/cons, thus one has to focus on which item they are trying to mitigate at which cost.