[Cryptography] letsencrypt.org

Ben Tasker ben at bentasker.co.uk
Thu Sep 14 04:13:23 EDT 2017


On Wed, Sep 13, 2017 at 10:53 PM, Ron Garret <ron at flownet.com> wrote:

>
> On Sep 13, 2017, at 1:55 PM, Perry E. Metzger <perry at piermont.com> wrote:
>
> > On Wed, 13 Sep 2017 14:18:40 -0400 "Bayuk" <jennifer at bayuk.com> wrote:
> >> Has anyone on this list contributed to https://letsencrypt.org/ -
> >> and/or otherwise have personal experience, caveats, recommendations
> >> with respect to the current service or roadmap?
> >
> > It works. I use it a lot for random sites where I don't care deeply
> > about the security of the system.
> >
> > Note my security caveat isn't about the certificates being somehow
> > less good than other certificates. It is that someone gaining
> > temporary control of a server for your domain is in a good position to
> > also get a cert for your domain signed. Of course, absent a system
> > like Certificate Transparency, or cert pinning, that's the case
> > anyway, so perhaps I'm being paranoid.
>
> Right.  An attacker who gets access to any machine that has a DNS record
> for your domain can get a cert for your domain using LE.  This is true
> whether or not you use it (because an attacker can just install it
> themselves) so this is not a good reason not to use it.
>

That's not actually entirely true, assuming you've taken the steps you need
to.

Letsencrypt checks for CAA records in your DNS when being asked to issue a
certificate, so if you've got a preferred CA and have stuck their details
in there, then the attacker can install LetsEncrypt but won't actually be
issued a certificate.

Ballot 187 passed recently(ish) at the CAB forum, so as of a few days ago,
it's mandatory for CAs to check (and honour) CAA records - giving you more
control over who's actually allowed to issue certs for your domain.

Of course, if you're running an authoritative nameserver on the same box,
then whoever popped your machine can helpfully undo all that just long
enough to grab a valid cert, but nothing's perfect.



>
> rg
>



-- 
Ben Tasker
https://www.bentasker.co.uk
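The CAA behaviour Ben describes, as an added example that is not part of the original post and is not Let's Encrypt's or any CA's code. It models the RFC 6844 check a CA performs before issuing: climb from the requested name towards the root until a CAA record set is found, apply `issue` records to ordinary names and `issuewild` records (when present) to wildcard names, refuse on an unknown tag carrying the critical flag, and treat `issue ";"` as "nobody may issue". The zone is a constructed dictionary standing in for DNS (no CNAME chasing is modelled, which is an assumption/simplification); all names and records are made up.

```python
"""Model of the RFC 6844 CAA check a CA runs before issuance.

Added example; the ZONE below is constructed test data, not a live
DNS lookup, and the names in it are fictitious.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128  # flags byte, high bit: record MUST be understood


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or 128 (issuer critical)
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # for issue/issuewild: CA domain, optionally "; k=v" params


# Constructed sample zone: owner name -> CAA record set.
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [CAA(0, "issue", "digicert.com"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.com.": [CAA(0, "issue", ";")],              # no CA at all
    "wild.example.com.": [CAA(0, "issue", "letsencrypt.org"),
                          CAA(0, "issuewild", "digicert.com")],
    "strict.example.com.": [CAA(ISSUER_CRITICAL, "futuretag", "x")],
}


def parent(name: str) -> Optional[str]:
    """'www.example.com.' -> 'example.com.'; 'com.' -> None."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """RFC 6844 s.4: the closest ancestor-or-self with a CAA set wins."""
    n = name if name.endswith(".") else name + "."
    while n is not None:
        if zone.get(n):
            return zone[n]
        n = parent(n)
    return []


def ca_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CAA]], name: str, ca: str) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue for `name` ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    rrs = relevant_caa_set(zone, name[2:] if wildcard else name)
    if not rrs:
        return True, "no CAA records: issuance unrestricted"
    # An unknown tag marked critical means the CA cannot interpret the
    # policy, so it must refuse rather than guess.
    for rr in rrs:
        if rr.tag.lower() not in ("issue", "issuewild", "iodef") \
                and rr.flags & ISSUER_CRITICAL:
            return False, f"critical unknown tag {rr.tag!r}: refuse"
    issue = [rr for rr in rrs if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrs if rr.tag.lower() == "issuewild"]
    # issuewild overrides issue for wildcard names only when present.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "no applicable issue/issuewild records: unrestricted"
    allowed = {ca_domain(rr.value) for rr in applicable}
    if ca.lower() in allowed:
        return True, f"{ca} is permitted by CAA"
    return False, f"{ca} is not in permitted set {sorted(allowed)}"


def zone_without(zone: Dict[str, List[CAA]], owner: str) -> Dict[str, List[CAA]]:
    """What an attacker who controls the authoritative server can do:
    drop the CAA set and the restriction disappears."""
    return {k: v for k, v in zone.items() if k != owner}


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("locked.example.com", "digicert.com"),
                     ("*.wild.example.com", "letsencrypt.org"),
                     ("strict.example.com", "digicert.com")]:
        print(host, ca, may_issue(ZONE, host, ca))
    tampered = zone_without(ZONE, "example.com.")
    print("after CAA removed:", may_issue(tampered, "www.example.com", "letsencrypt.org"))
```

`www.example.com` inherits the parent's `issue "digicert.com"` through the tree climb, so a request from `letsencrypt.org` is refused even though the host itself has no CAA record; the `zone_without` call reproduces the caveat in the last paragraph of the message, where whoever controls the nameserver simply deletes the record before asking for a certificate. To see what a real CA would fetch, query the live record set with `dig CAA example.com`.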

