[Cryptography] letsencrypt.org

Phillip Hallam-Baker phill at hallambaker.com
Sat Sep 16 12:31:20 EDT 2017


On Wed, Sep 13, 2017 at 5:11 PM, Viktor Dukhovni <cryptography at dukhovni.org>
wrote:

>
> > On Sep 13, 2017, at 4:55 PM, Perry E. Metzger <perry at piermont.com>
> wrote:
> >
> > Note my security caveat isn't about the certificates being somehow
> > less good than other certificates. It is that someone gaining
> > temporary control of a server for your domain is in a good position to
> > also get a cert for your domain signed. Of course, absent a system
> > like Certificate Transparency, or cert pinning, that's the case
> > anyway, so perhaps I'm being paranoid.
>
> Let's Encrypt just makes it ever more clear that the WebPKI (a few
> EV certificates aside along with the few users who notice the
> difference) is and has been a leap of faith by the DV-issuing CA.
>

I can't parse that.

The objective of Let's Encrypt is to go to a 100% encrypted Web. That has
obvious benefits if all you care about is stopping mass surveillance. But
that is not the only effect.

Once you decide that every Web site has to have a certificate, it follows
that either CAs become censors or there must be some class of certificate
that can be obtained by any party with a valid ICANN domain name. This is
very problematic because the WebPKI was not developed for confidentiality,
it was developed to provide authentication and accountability. If you
recall, we were limited to 40-bit crypto in the early days of SSL.

> Thus certificate issuance is fundamentally vulnerable to MiTM
> attacks on the CA by folks in position to launch active attacks
> on the network backbone.  You're really only protected from
> WiFi and similar attacks at cafes, airports, ... by attackers
> who can MiTM the end-user's network connection.
>
> With BGP attacks and the like, a determined adversary will
> be able to get a DV certificate for most domains from some
> DV-issuing CA.
>

The rather subtler issue with LE is that the single most effective check
in the DV system for consumer protection is the pre- and post-issue checks
on the credit card. Phishing sites didn't like using DV certs because they
had to use phished credentials to get the cert. If the fraud was
discovered, they would lose the site.

> I tried to suggest at a recent IETF meeting that CAs should
> use DNSSEC-validating resolvers when querying CAA records,
> to reduce this MiTM risk, but got rather strange pushback
> from PHB on behalf of Comodo.  FWIW, Let's Encrypt does in
> fact do validated DNS resolution.
>

You were unclear then. The specification makes clear that CAs are required
to perform DNSSEC validation if a zone is signed. However, a zone is not
required to have DNSSEC to publish a CAA record. That is intentional
because conflating the two is what killed DANE.