Follow

Hm, apparently now provides mor than 50% of the web certificates.

On one hand: FUCKING AWESOME.

On the other: Shit. They're getting very powerful and we are centralizing our trust. I think we could reallu use 2-3 new orgs like Letsencrypt, with similar technology and mission statement, but entirely independent.

Are there any out there yet?

@thunfisch CAs were always centralized tbh. It takes a lot of trust and shit

@Michcioperz @thunfisch Yeah, but they weren't centralised to the degree that *one* CA had so much influence.

@rixx perfectly explained the point I was trying to make.

@Michcioperz

@rixx @Michcioperz @thunfisch they were centralized wrt. to integrity - every CA was a single point of failure. You compromise any of them, and you pwn every TLS connection.
OTOH, they were not centralized with regard to availability - if one of them decides to censor you, you go find another one.
If everyone uses letsencrypt, it'll be centralized in both aspects. The chance of your MITM will not increase, I'd even say it'll decrease. OTOH, it'd be easier to prevent sb from ever getting a cert.

@thunfisch @alcinnz the biggest factor is "do the popular browsers trust the CA?". You can make your own cert (self sign), there are 3rd parties who will give a free cert, and have been for years. But if most regular users see big scary ssl warnings (which they should!), then it's a nonstarter alas....

@ebel @alcinnz

yep. If a CA is not in the browsers trust it is prety much useless for general purpose, because people will be scared that 1337-h4xX0rs are in their computers.

I was asking about any CAs like LE, that are trusted by most browsers so that people don't panic when I use it on a public site.

@thunfisch @alcinnz

IMO #LetsEncrypt has 2 big benefits, (a) free certs! (b) really easy to use. Seriously just run a command and it will make your Apache conf right. I'm a sysadmin, and I use LE, even when there's a paid for cert available, because it's just much much easier.

The free part is a biggie, and LE was first with widespread support. But other ssl vendors could work on the UI, could implement ACME, and make the experience as good. That might help

@ebel @thunfisch @alcinnz I'm most definitely not a sysadmin, and I use LE with acme.sh, because even a non-sysadmin can (with some difficulty) successfully deploy it on a small personal website with no root access.

@thunfisch Yes, there's a disaster waiting to happen:

- browsers are slowly deprecating http (or make it scary)
- certs providers are pushing for increasingly shorter expiry dates
- #letsencrypt usage is based on a TOS, in which they reserve the right to terminate any account as they wish.

With these 3 things combined, letsencrypt is building yet another ON/OFF switch for the web and other networked services.

Hopefully more, from different jurisdictions will jump in and provide alternatives.

@thunfisch Wow, where did you see that 50% stat? The power issue is significant, but I worry about what would happen to the web if LE were to fail or get attacked.

@thunfisch how about putting a self-signed/web-of-trust-like cert into DNS? and I think with that as a goal centralizing to a NPO in first step seems a discussable idea.

@thunfisch When it was starting off I recall their internal procedures and software/hardware was not as open as one would've hoped, but it might have improved.
@thunfisch Still, it's not an easy thing since it costs effort and money to get a root accepted.
@pettter @thunfisch CACert (remember them ?) has been trying to get their root in Mozilla for  15 years https://bugzilla.mozilla.org/show_bug.cgi?id=215243
@boneidol @thunfisch Indeed? It seems on that particular bug the request was withdrawn ~10 years ago. Not sure if there is a new one, or what criteria they are missing for inclusion? 
@pettter @boneidol @thunfisch CAcert.org were going to do a proper audit and try again. I don't know if that has happened yet. Competing with a free service sponsored by the largest Internet related corporations isn't going to be easy

@thunfisch CAcert ? cacert.org/ It provides gratis certificates and a nice automatic interface for a long time.

@bortzmeyer @thunfisch And took years to get their routines in auditable shape and finally gave up.
@thunfisch @michcioperz @ebel @edsu @pettter @bortzmeyer I wish #httpy had become a thing. I'm pretty sure that's what it was called, but I can't find a reference now.

Linker-certified certs:

httpy://<fingerprint of self-signing CA>:example.com/blah/blah

Failing the existance of this, what we should do for most public data is just more content-addressed stuff.

@bortzmeyer
Except that's it's poorly supported by web browser, the original preoccupation
@clacke @ebel @edsu @thunfisch @Michcioperz @pettter

@thunfisch I called this years ago when the project was announced.

Who is going to find the alternative? There's no money in it
@feld @thunfisch Yup. There is no alternative simply as an alternative within the same system. The alternative must be another system.

@thunfisch
Before there was more or less only a single CA that would issue for free certificates Startcom, so it was still a monopol before

@thunfisch you can spin up your own entire letsencrypt stack, the only problem will be getting people to accept the certs you sign.

@thunfisch The "web of trust" is broken and centralized by design because you can't simply "open" a CA. You need to be trusted by some other CA that has been around for quite some time, because otherwise old devices will mark your page as insecure since your certificate chain does not lead to any known "trust anchor" they already know.

Instead of opening more CAs we really need a solution that is encrypted and trustless by default.

@thunfisch @thomas There was still #cacert who began with web of trust. But the CA isn't in any browser by default.
They have to implement the acme protocol and have to audit they ca.

@thunfisch Certificates and the trust they provide is based on a centralized tech. To change that would mean replacing the entire tech (a good idea imho). Also, as we have learned previously, it takes just one "bad" authority to fuck up everything for everyone, so I'm leaning towards "less is more" in this case.

@thunfisch per usual, the problem is in usabity. we can add own/trusted cert and cert authorities to browser's trust chain but the last time I looked it takes > 5 clicks ram.k0a1a.net/self-signed_http

@thunfisch Well… other CAs just have to adopt the standardized ACME protocol and offer free certs. That's not so hard, but they have not done yet.

@thunfisch
i'm really hoping to see an increase in adoption of dane, which circumvents the whole need for certificate authorities

it requires trust in your domain registrar instead, but we have lots of those

@thunfisch
At least let's encrypt defined an open protocol that any CA may replicate.

@thunfisch @scanlime that is a massive project, and tbh I have no idea how LE even got off the ground.

@thunfisch where'd you get the numbers? 50 % is amazing!

Sign in to participate in the conversation
chaos.social

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!