Hm, apparently #letsencrypt now provides more than 50% of the web certificates.
On one hand: FUCKING AWESOME.
On the other: Shit. They're getting very powerful and we are centralizing our trust. I think we could really use 2-3 new orgs like Letsencrypt, with similar technology and mission statement, but entirely independent.
Are there any out there yet?
@thunfisch CAs were always centralized tbh. It takes a lot of trust and shit
@rixx @Michcioperz @thunfisch they were centralized w.r.t. integrity - every CA was a single point of failure. You compromise any of them, and you pwn every TLS connection.
OTOH, they were not centralized with regard to availability - if one of them decides to censor you, you go find another one.
If everyone uses letsencrypt, it'll be centralized in both aspects. The chance of your MITM will not increase, I'd even say it'll decrease. OTOH, it'd be easier to prevent sb from ever getting a cert.
@thunfisch @alcinnz the biggest factor is "do the popular browsers trust the CA?". You can make your own cert (self sign), there are 3rd parties who will give a free cert, and have been for years. But if most regular users see big scary ssl warnings (which they should!), then it's a nonstarter alas....
yep. If a CA is not in the browsers' trust store it is pretty much useless for general purpose, because people will be scared that 1337-h4xX0rs are in their computers.
I was asking about any CAs like LE, that are trusted by most browsers so that people don't panic when I use it on a public site.
IMO #LetsEncrypt has 2 big benefits: (a) free certs! (b) really easy to use. Seriously, just run a command and it will make your Apache conf right. I'm a sysadmin, and I use LE, even when there's a paid-for cert available, because it's just much much easier.
The free part is a biggie, and LE was first with widespread support. But other ssl vendors could work on the UI, could implement ACME, and make the experience as good. That might help
@thunfisch Yes, there's a disaster waiting to happen:
- browsers are slowly deprecating http (or make it scary)
- cert providers are pushing for increasingly shorter expiry dates
- #letsencrypt usage is based on a TOS, in which they reserve the right to terminate any account as they wish.
With these 3 things combined, letsencrypt is building yet another ON/OFF switch for the web and other networked services.
Hopefully more, from different jurisdictions, will jump in and provide alternatives.
@thunfisch Wow, where did you see that 50% stat? The power issue is significant, but I worry about what would happen to the web if LE were to fail or get attacked.
@thunfisch thanks, and it looks like the data is here https://nettrack.info/ssl_certificate_issuers.html
@thunfisch any sauce?
@thunfisch how about putting a self-signed/web-of-trust-like cert into DNS? And I think with that as a goal, centralizing to an NPO in a first step seems a discussable idea.
Before, there was more or less only a single CA that would issue certificates for free, StartCom, so it was still a monopoly before.
@thunfisch maybe they should voluntarily split up...
@thunfisch you can spin up your own entire letsencrypt stack, the only problem will be getting people to accept the certs you sign.
@thunfisch The "web of trust" is broken and centralized by design because you can't simply "open" a CA. You need to be trusted by some other CA that has been around for quite some time, because otherwise old devices will mark your page as insecure since your certificate chain does not lead to any known "trust anchor" they already know.
Instead of opening more CAs we really need a solution that is encrypted and trustless by default.
@thunfisch Certificates and the trust they provide are based on a centralized tech. To change that would mean replacing the entire tech (a good idea imho). Also, as we have learned previously, it takes just one "bad" authority to fuck up everything for everyone, so I'm leaning towards "less is more" in this case.
@thunfisch per usual, the problem is in usability. We can add our own/trusted certs and cert authorities to the browser's trust chain, but the last time I looked it takes > 5 clicks https://ram.k0a1a.net/self-signed_https_cert_after_chrome_58#add_cert_to_the_browser
@thunfisch Well… other CAs just have to adopt the standardized ACME protocol and offer free certs. That's not so hard, but they have not done so yet.
i'm really hoping to see an increase in adoption of DANE, which circumvents the whole need for certificate authorities
it requires trust in your domain registrar instead, but we have lots of those
At least Let's Encrypt defined an open protocol that any CA may replicate.
@thunfisch where'd you get the numbers? 50% is amazing!