Free SSL certificates


  • Free SSL certificates

    In case you haven't heard, LetsEncrypt is a really cool/neat platform that gives you a free valid SSL cert that you have to change every few months.

    The Linux client is a joke, and does all the legwork for you. I just put SSL's on all my home sites (abe.cx, plex.abe.cx, transmission.abe.cx, etc.) and they work great.

    Here's the quick rundown; you'll need EPEL repos if you don't have them:

    # yum install httpd mod_ssl python-certbot-apache
    # certbot --apache -d abe.cx -d plex.abe.cx -d news.abe.cx -d tv.abe.cx -d transmission.abe.cx
    # apachectl configtest
    # apachectl graceful
    # echo "0 0 * * * root /bin/certbot renew" > /etc/cron.d/sslRenew

  • #2
    What are you going on about?


    • #3
      Originally posted by Craizie
      What are you going on about?
      Free SSL certificates!$#E


      • #4
        Originally posted by abecx
        Free SSL certificates!$#E
        That didn't clarify anything for me.


        • #5
          You usually have to pay for the certs; these are free. Certs are for encryption, and paid certs certify that they are legit.

          • #6
            I feel like I would be following along a lot better if I had attended the mysql class.

            • #7
              FYI, lots of major companies (like mine) who use web proxies block certs from LetsEncrypt due to weak encryption and vulnerabilities. Not that I'm saying it's not a good deal for some smaller companies and people who just want some level of encryption, but if it's for anything bigger than a small business it's not a good route for you.
              Originally posted by stevo
              Not a good idea to go Tim 'The Toolman' Taylor on the power phallus.

              Stevo


              • #8
                Originally posted by bird_dog0347
                FYI, lots of major companies (like mine) who use web proxies block certs from LetsEncrypt due to weak encryption and vulnerabilities. Not that I'm saying it's not a good deal for some smaller companies and people who just want some level of encryption, but if it's for anything bigger than a small business it's not a good route for you.
                I think it's a fair request to be specific in these accusations. LetsEncrypt is not weak encryption or any more vulnerable than any other type of SSL platform. Nothing I see about using their platform would indicate the encryption is weak seeing as I am using the same encryption level with a paid cert, nor does it show any more vulnerability. I would love to read something tangible that would indicate otherwise.


                • #9
                  I'll ask my security guys for the documentation... I just know our company blocks it and the reasons above are what they gave me. Honestly I never gave a shit before but I'll try to dig deeper.

                  • #10
                    Agree the encryption and vuln factor is not less secure in comparison with the big name Authorities. Any vulns would actually exist with the SSL cipher chosen to secure the traffic, which is independent of the Cert Auth.

                    Here's a decent write up on the tech in general.
                    An overview of the features, policies and state of the Let's Encrypt Certificate Authority.


                    The only negative thing I can find, and would assume birddog's sec folks are referring to, is that hackers can spin domains up freely and dynamically to further trick users into thinking a data source is trusted.

                    If you work for xceba.com and a hacker wanted to own you, they may spin up a web site complete with free SSL cert for xceda.com then spearphish your users with a fake email encouraging you to click on this link. This would take extra attention to detail for a normal or sometimes advanced level user to not click on it.

                    Easy enough to just block all Cert Auth from letsencrypt, takes an arguable (small) percentage of the attack surface off their network for click happy users.

                    As letsencrypt becomes more popular, an IT Sec team will have to make a decision to allow the content or not.
                    WRX
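
The look-alike case described in the post above (xceda.com imitating xceba.com), seen from the defender's side, as an added example that is not part of the original thread: it sorts DNS names taken from newly issued certificates into the organisation's own names, look-alikes and names that embed the protected domain as leading labels. The sample names, the function names and the two-label "registrable domain" shortcut are assumptions made for this illustration.

```python
import unicodedata

PROTECTED = "xceba.com"  # the example organisation domain from the post above

# Constructed sample: DNS names as they might appear in newly issued certificates.
OBSERVED = ["plex.xceba.com", "*.xceba.com", "xceda.com", "www.xcbea.com",
            "xceba.com.account-verify.example", "XCE8A.com.", "example.org"]

# Minimal illustrative look-alike map, not the full Unicode confusables table.
DIGITS = str.maketrans({"0": "o", "1": "l", "5": "s", "8": "b"})

def normalise(name: str) -> str:
    name = unicodedata.normalize("NFKC", name).lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent transpose."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(name: str, protected: str = PROTECTED, max_dist: int = 1) -> str:
    """Return 'own', 'embedded', 'lookalike' or 'unrelated' for one DNS name."""
    name = normalise(name)
    if name == protected or name.endswith("." + protected):
        return "own"
    if f".{protected}." in f".{name}.":
        return "embedded"  # protected name used as leading labels of another domain
    # Assumption: registrable domain = last two labels (no public suffix list here).
    registrable = ".".join(name.split(".")[-2:]).translate(DIGITS)
    if edit_distance(registrable, protected.translate(DIGITS)) <= max_dist:
        return "lookalike"
    return "unrelated"

def suspicious(names, protected: str = PROTECTED):
    """Names worth an analyst's look, paired with the reason they were flagged."""
    verdicts = ((n, classify(n, protected)) for n in names)
    return [(n, v) for n, v in verdicts if v in ("embedded", "lookalike")]

if __name__ == "__main__":
    for name, verdict in suspicious(OBSERVED):
        print(f"{verdict:9}  {name}")
```

The check is independent of which certificate authority issued the certificate, so it flags look-alike names whether the cert was free or paid.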


                    • #11
                      But that is technically true of any domain using ssl, and that is more of a user end problem than a LetsEncrypt problem. As well, you can further verify your domain using their platform if you need the ownership proof, I was going to do that for this post but got lazy.


                      • #12
                        Originally posted by bird_dog0347
                        FYI, lots of major companies (like mine) who use web proxies block certs from LetsEncrypt due to weak encryption and vulnerabilities. Not that I'm saying it's not a good deal for some smaller companies and people who just want some level of encryption, but if it's for anything bigger than a small business it's not a good route for you.
                        Originally posted by abecx
                        I think it's a fair request to be specific in these accusations. LetsEncrypt is not weak encryption or any more vulnerable than any other type of SSL platform. Nothing I see about using their platform would indicate the encryption is weak seeing as I am using the same encryption level with a paid cert, nor does it show any more vulnerability. I would love to read something tangible that would indicate otherwise.
                        Originally posted by bird_dog0347
                        I'll ask my security guys for the documentation... I just know our company blocks it and the reasons above are what they gave me. Honestly I never gave a shit before but I'll try to dig deeper.

                        Here is what I found out from the Security team for the reasons we were blocking those certs.

                        "Since mid-2014 there has been a shift of more web sites securing themselves with SSL certificates. In my opinion, this was primarily driven by Google’s announcement that sites with HTTPS would be given a ranking boost in searches. In early 2016 a new company called Let’s Encrypt began supplying free SSL certificates, with little to no validation to the legitimacy of the requestor. Over the past 6 months there has been a tremendous increase in the number of sites using these certificates. Unfortunately, a lot are malicious. A report conducted by Netcraft found that Let’s Encrypt certificates were being issued to tens of thousands of phishing and fraud sites. https://news.netcraft.com/archives/2...-phishing.html. In addition to securing the connectivity between your browser and the server, the certificate played a role in notifying the user that the site was “Secure”. The practices of Let’s Encrypt send a false sense of trust to end users."

                        • #13
                          Those reasons are more to protect the network from stupid users and soft system administration, not because of any lack of security on LetsEncrypt's part.

                          Personally, the listed reasons are bullshit and sound like someone trying to defend ComodoSSL certs being sold at $300 a year to a potential customer.
