Does anyone here know anything about "Let's Encrypt" by the Internet Security Research Group (ISRG)?
They don't seem to be part of the usual gang - FSF, GNU, GPL, Apache, Linux, etc., etc., yet they express similar philosophies. Who are they? How credible are they and their effort? And how does their effort compare to other free security certificates?
A colleague of mine tipped me off onto this, and he especially is wondering.
Hartmut W Sager - Tel +1-204-339-8331
Oops, I meant to add their main statement:
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
Hartmut W Sager - Tel +1-204-339-8331
On 5 February 2017 at 06:10, Hartmut W Sager hwsager@marityme.net wrote:
Does anyone here know anything about "Let's Encrypt" by the Internet Security Research Group (ISRG)?
They don't seem to be part of the usual gang - FSF, GNU, GPL, Apache, Linux, etc., etc., yet they express similar philosophies. Who are they? How credible are they and their effort? And how does their effort compare to other free security certificates?
A colleague of mine tipped me off onto this, and he especially is wondering.
Hartmut W Sager - Tel +1-204-339-8331
I've used letsencrypt for a while, on a few sites. Everything they do seems to be, for the most part, completely in line with their goal of making the entire web HTTPS. They focus a great deal on ease of setup, so that anyone and everyone can start using HTTPS. You download a program, run it, select which sites, and you're done. It auto-renews the certificates as they're about to expire, etc. Automatic integration with apache and (I think) nginx. I don't know how this measures up with other free certs, but of all the ones I've tried, it certainly was the easiest to set up.
Keep in mind, though, all my experience with it is anecdotal, and I know very little about who they actually are, aside from what they do.
Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
Like David said, their main thrust is automated deployment. Unfortunately, in my mind that's their biggest downside. You *must* use their automated tools: AFAIK they provide no normal manual/email way to obtain their certs. That means any processes you've created in-house to handle certs (like I have) are instantly incompatible and would require modification. And it's not just the cert files, their tools auto-edit apache configs, etc. Also, I'm not sure if their tools tie the cert into other SSL-able daemons like sendmail, or if that's even possible given their cert settings.
Also, they issue certs only for 3 months at a time, which kind of necessitates their automated tools.
It's kind of funny, they concentrate so much on deployment when I think the main impediment to most people vis a vis SSL is cost. They have the cost thing beat (free) but then they force you into their proprietary deployment model.
Other than that, I'd say they look legit and benign, and we've talked about them at MUUG before and everyone seems to agree. If you don't run any SSL now and you aren't terribly experienced with it, I see no downside to using let's encrypt. If you already have SSL deployed, do your research before jumping on board just to turn your yearly cost into "free".
Oh ya, one more good thing about Let's Encrypt: they're causing the big players to lower their low-end cert prices a bit! That's always good news.
Yes, the automation is the whole *point* of LetsEncrypt. As you say, the main impediment is cost, which is why they're free - but in order to sustain that cost structure, manual processes must be excised completely and utterly. The 90-day lifetime is a compromise between convenience and security - even if your cert is compromised somehow (say because of badly-implemented automation tools), the compromise is only relevant for 90 days. Obviously, LetsEncrypt isn't going to be issuing any high-assurance certificates; their goal is simply to get *everyone* to encrypt, to eliminate the cost issue as an excuse. Many people much smarter than I have complained that the biggest problem with LetsEncrypt is that they appeared at exactly the wrong time; that their existence will cause the entire (badly broken) PKI system to *not* simply fall into disuse now, which was otherwise being predicted as a near- to medium-term consequence of its fundamental brokenness and multiple compromises. I'm already using LetsEncrypt certificates in a couple of places, where I don't care about the "quality" of the certificate; it's automatically "better" than a self-signed certificate unless you're both extremely cautious AND inhumanly diligent. For me, it's more a convenience tool to get rid of the browser's warning page upon encountering a self-signed cert. Note also that LetsEncrypt certificates, unlike self-signed certificates, work with opportunistic TLS in SMTP. -Adam
Well, Let's Encrypt is a service provided by the Internet Security Research Group https://en.wikipedia.org/wiki/Internet_Security_Research_Group (ISRG), a public benefit https://en.wikipedia.org/wiki/Public_benefit organization. Major sponsors are the Electronic Frontier Foundation https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation (EFF), the Mozilla Foundation https://en.wikipedia.org/wiki/Mozilla_Foundation, OVH https://en.wikipedia.org/wiki/OVH, Akamai https://en.wikipedia.org/wiki/Akamai_Technologies, and Cisco Systems https://en.wikipedia.org/wiki/Cisco_Systems. Other partners include the certificate authority IdenTrust https://en.wikipedia.org/wiki/IdenTrust, the University of Michigan https://en.wikipedia.org/wiki/University_of_Michigan (U-M), the Stanford Law School https://en.wikipedia.org/wiki/Stanford_Law_School, the Linux Foundation https://en.wikipedia.org/wiki/Linux_Foundation, as well as Stephen Kent from Raytheon https://en.wikipedia.org/wiki/Raytheon / BBN Technologies https://en.wikipedia.org/wiki/BBN_Technologies and Alex Polvi from CoreOS https://en.wikipedia.org/wiki/CoreOS.
So... How far do you trust any or all of the above?
If you're interested in using their free certs in a less automated way, you can use other tools. For instance, I LOVE https://github.com/lukas2511/dehydrated. It's bash. I use a modified version of the hook on this page: https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/ to automatically reload postfix and dovecot and nginx if a cert that affects them is renewed.
I also use the powerdns API hook script extensively.
I find this way much easier to digest (along with my own automation using their hooks) than their "here trust me to do exactly what you want with your configs".
Theodore Baschak - AS395089 - Hextet Systems https://ciscodude.net/ - https://hextet.systems/ http://mbix.ca/
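As an added example (not Theodore's hook, not the one from the linked page, and not dehydrated's own hook.sh), here is a POSIX shell hook in the shape dehydrated calls, showing how the "tie the cert into other SSL-able daemons" question raised earlier is handled in practice. dehydrated runs the hook once per action as a separate process, so the script records which daemons need a reload during deploy_cert and performs each reload once in exit_hook; nothing is reloaded when dehydrated reports a certificate as unchanged. The hostname-to-daemon mapping, the queue file path, and the use of systemctl reload are assumptions made for this example; the action names and argument order are dehydrated's documented hook interface.

```shell
#!/bin/sh
# Constructed example of a dehydrated hook script (not dehydrated's hook.sh).
# dehydrated invokes the hook as a fresh process for each action:
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
#   hook.sh unchanged_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE
#   hook.sh exit_hook [ERROR]
# Because every call is a separate process, reloads requested in deploy_cert
# are queued in a file and carried out once, de-duplicated, in exit_hook.

QUEUE_FILE="${QUEUE_FILE:-/var/tmp/dehydrated-reload-queue}"   # assumed path
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"                    # assumed init system

# Hostname -> daemons that present that certificate (assumed mapping; edit for your hosts).
services_for_domain() {
    case "$1" in
        mail.example.net|imap.example.net) echo "postfix dovecot" ;;
        www.example.net|example.net)       echo "nginx" ;;
        *)                                 echo "" ;;
    esac
}

# Called by dehydrated after a certificate has been (re)issued and written to disk.
deploy_cert() {
    domain="$1"; keyfile="$2"; certfile="$3"; fullchainfile="$4"
    # Refuse to queue a reload when the new files are not readable: reloading a
    # daemon onto a missing key or chain would take the service down.
    for f in "$keyfile" "$certfile" "$fullchainfile"; do
        [ -r "$f" ] || { echo "deploy_cert: cannot read $f for $domain" >&2; return 1; }
    done
    svcs="$(services_for_domain "$domain")"
    [ -n "$svcs" ] || return 0        # certificate not used by any daemon we manage
    for s in $svcs; do
        echo "$s" >> "$QUEUE_FILE"
    done
    return 0
}

# Lists the queued daemons, each once, space-separated; empty when nothing was renewed.
pending_reloads() {
    [ -f "$QUEUE_FILE" ] || return 0
    sort -u "$QUEUE_FILE" | tr '\n' ' ' | sed 's/ *$//'
}

# Called by dehydrated at the end of the run; reloads each affected daemon once.
exit_hook() {
    svcs="$(pending_reloads)"
    rm -f "$QUEUE_FILE"
    [ -n "$svcs" ] || return 0
    for s in $svcs; do
        $RELOAD_CMD "$s"              # e.g. systemctl reload postfix
    done
    return 0
}

# Dispatch on the action dehydrated passes as $1. Actions this hook does not
# handle (challenge deployment, unchanged_cert, ...) fall through as no-ops,
# which is what keeps an unchanged certificate from triggering a reload.
case "${1:-}" in
    deploy_cert|exit_hook) "$@" ;;
esac
```

Point the HOOK setting in dehydrated's config at this script and run dehydrated from cron as usual; a run in which nothing was renewed leaves the queue file absent, so exit_hook touches no daemon. Using reload rather than restart keeps established SMTP and IMAP sessions alive while the daemons pick up the new chain.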
Thank you all for the excellent replies! That helps hugely.
Hartmut W Sager - Tel +1-204-339-8331