
Move web to HTTPS: Let's Encrypt project, to be launched summer 2015

6:18 pm on Nov 19, 2014 (gmt 0)

Full Member

10+ Year Member

joined:Oct 11, 2003
posts:255
votes: 0



System: The following message was cut out of thread at: http://www.webmasterworld.com/google/4693628.htm [webmasterworld.com] by aakk9999 - 5:49 pm on Nov 24, 2014 (gmt 0)


Today EFF, Mozilla, Cisco, and Akamai announced a forthcoming project called Let's Encrypt. Let's Encrypt will be a certificate authority that issues free certificates to any website, using automated protocols. Launching in summer 2015, we believe this will be the missing piece that deprecates the woefully insecure HTTP protocol in favor of HTTPS.

https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web [eff.org]

[edited by: aakk9999 at 5:51 pm (utc) on Nov 24, 2014]
[edit reason] Made link clickable [/edit]

6:02 pm on Nov 24, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 30, 2008
posts:2630
votes: 191


From the site linked to above:
With a launch scheduled for summer 2015, the Let's Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

Good move. But this may put many cheap HTTPS certificate issuers out of business. The advanced certificates that verify company existence will still have the edge.
6:38 pm on Nov 24, 2014 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 412


This can only be a good move..
But this may put many cheap HTTPS certificate issuers out of business.

Given that the same basic cheap SSL cert can vary in price from $49.00 to $4.99 per year ( same cert authority, exactly the same cert ) depending on if one buys the cert independently $4.99, or if one's host insists upon it ( bought from them at $49.99 ) in order to give one a dedicated IP ( using IPv4 )..

One of my domain registrants ( French ) gives a basic cert with each domain name ..and one of my French hosters offers a dedicated IP free providing one has a cert..

They also offer IPv6 at no extra charge, as does my ISP.

My previous hosters ( USA ) asked for $2.00 per month for each dedicated IP..and $49.00 per cert in order to have the dedicated IP..and IPv6 was ( and still is ) out of the question from them..Very big well known hosts both of them..

Basic certs have been used as a racket for far too long, and "wildcard certs" and certs that can be used on shared hosting are also used as a license to print money by some hosts and cert authorities..

The result has been far too many unsecured connections due to unjustifiable price gouging..
7:18 pm on Nov 24, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member redbar is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:3332
votes: 548


I've just sent this link to my host, his response will be interesting since i know he was working on "something".
9:51 pm on Nov 24, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts: 5072
votes: 12


Misguided efforts.

What does this really accomplish? How much hacking is going on due to unencrypted connections? None that I've ever heard of. Hackers aren't generally listening in on live communications. They hack websites via unsecure code and steal data. That's a big problem. Encrypting communications is a small to minuscule problem.

If they want free encryption, then all the browsers need to do is quit checking for authorized cert providers. Pretty much anyone can already generate their own free certificates (any Linux server can do this) - free isn't the problem. The certificate generator not being recognized by browsers is the problem.
9:56 pm on Nov 24, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts: 5072
votes: 12


And further, don't confuse encrypted (SSL cert) with secure. With SSL, the connection between point A and point B is secure, but if the machine on either end is hacked, then SSL makes absolutely no difference at all.
10:05 pm on Nov 24, 2014 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 412


How much hacking is going on due to unencrypted connections?

Who mentioned hacking ?..no-one..until you did..

It is about secure ( from snooping ) private communications..and trust..and preventing ( as much as one can ) "site spoofing"..

The only "losers" if this goes ahead..are those who are gouging, selling basic SSL certs..

And further, don't confuse encrypted (SSL cert) with secure. With SSL, the connection between point A and point B is secure, but if the machine on either end is hacked, then SSL makes absolutely no difference at all.

That is like saying you shouldn't wear seat belts or use airbags because you might get T-Boned deliberately at any moment while driving your car..
9:06 pm on Nov 25, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts: 5072
votes: 12


That is like saying you shouldn't wear seat belts or use airbags because you might get T-Boned deliberately at any moment while driving your car..

Uh, no it's not. Nobody is hacking data during transmission. Or so few that it's effectively 'nobody'.

Who mentioned hacking ?..no-one..until you did..

The OP mentions 'secure' protocols. If it's not secure from hacking, then what? Snooping? Again, nobody's snooping this traffic other than gov't agencies.

If everyone used HTTPS, it would do exactly nothing in terms of practical security measures for consumers. Nothing. SSL certs protect an area that's not an issue to start with.

The only "losers" if this goes ahead..are those who are gouging, selling basic SSL certs..

The problem isn't those selling certs. You know you can already create your own certs for free, right? And those certs are every bit as encrypted as the paid ones. So why don't you use those?

And the answer is...because the orgs creating the browsers have an approved list of certificate signing authorities. If you're not on that list, then browsers will error message your certificates. That's why you can't have free certs - because the browsers will scream at your visitors if you do so.

So if this consortium wanted to actually 'encrypt the web', all they have to do is remove the list of signing authorities from their browsers, and accept anyone's certificates - that we could now easily generate for free.

And in fact, I do use self-signed certificates in my business - for internal use. The browsers complain, and we override the complaint. No security issues at all.

So why are they not doing that? I don't know, and don't care - but it's interesting when you look at the members of this consortium looking to 'encrypt' the web...while it seems also still controlling certificate signing.
9:29 pm on Nov 25, 2014 (gmt 0)

Preferred Member

5+ Year Member Top Contributors Of The Month

joined:May 24, 2012
posts:648
votes: 2


How much hacking is going on due to unencrypted connections?

I don't know that anyone has quantified how often it happens, but there are people specifically skimming public wifi (coffee shops, airports, etc) with bad intent.

I agree that it's not the main problem, but it is a problem.

it's interesting when you look at the members of this consortium looking to 'encrypt' the web.

I suspect Akamai and CISCO understand that it will drive more network use, and thus sales. HTTPS "everywhere" would invalidate a ton of end-user shared caches that corporations and even some ISPs (search for "Google Global Cache") leverage.

I'm more curious about Google's motivation for moving the entire web to HTTPS. My best guess is that it's related to the "Google Global Cache", where Google certs+content are served locally. That means the move doesn't affect them much in terms of response times, costs, etc. But, it may hurt their competitors, since they don't have a similar solution. Or maybe they are still pissed about the NSA successfully doing a MITM attack on their datacenter.
9:52 pm on Nov 25, 2014 (gmt 0)

Preferred Member

5+ Year Member Top Contributors Of The Month

joined:June 26, 2013
posts:454
votes: 69


Affordable SSL certs should have been a goal prior to encrypting the web if that's really what they want to do. But if user safety and privacy are a major concern, why can't we just have an on/off switch to easily kill Google's many data logging products and services? Everywhere I go I see all kinds of Google API calls, which in my opinion is more of a threat to my privacy than seeing what the weather will be like tomorrow on an HTTPS website.
10:30 pm on Nov 25, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member editorialguy is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:June 28, 2013
posts:3476
votes: 781


But if user safety and privacy is a major concern, why can't we just have an on/off switch to easily kill Google's many data logging products and services?


I think that's probably beyond the purview of EFF, Mozilla, Cisco, and Akamai. :-)
5:17 am on Nov 26, 2014 (gmt 0)

Preferred Member

5+ Year Member Top Contributors Of The Month

joined:May 24, 2012
posts:648
votes: 2


I think that's probably beyond the purview of EFF...


[eff.org...]
7:58 am on Nov 27, 2014 (gmt 0)

New User

5+ Year Member

joined:Jan 20, 2011
posts:22
votes: 0


Price of SSL certs is not the problem. The problem is (1) the price of a new IP, and (2) the cost of changing the IP on a server and moving a website from HTTP to HTTPS. These are not simple one-click stuff.

My prediction is that smaller sites will never move to HTTPS in the current environment. And btw, it's all about US mass surveillance.
11:31 pm on Nov 28, 2014 (gmt 0)

Preferred Member from AU 

10+ Year Member Top Contributors Of The Month

joined:May 27, 2005
posts:470
votes: 20


SSL cert ownership is vetted and owners scrutinised, resulting in certificated authenticity.

Giving away free certs undermines all of that!
12:52 pm on Nov 29, 2014 (gmt 0)

Preferred Member

5+ Year Member Top Contributors Of The Month

joined:Sept 12, 2014
posts:384
votes: 68


This is like telling the public to use a paper shredder to protect their identity. It makes them feel good while the big guys do, take, spy on whatever they want. I guess a false sense of security is better than none.
7:11 pm on Jan 6, 2015 (gmt 0)

Full Member

10+ Year Member

joined:July 23, 2003
posts: 228
votes: 0


Nobody is hacking data during transmission. Or so few that it's effectively 'nobody'.

Comcast is using javascript to inject cute little ads into pages served by their mobile hotspots. Interstitial ads on everyone's content from all ISPs can't be far behind.
9:06 am on Jan 7, 2015 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


The big problem with SSL certificates is that you can't use them on hosting with shared IPs. I.e. small sites on shared hosting or sites using the cloud won't be able to switch to SSL, even if the certificates are given away for free.

It is not a flaw in the certificates themselves, but a design flaw in the SSL protocol, which first negotiates the certificate, and only after the encrypted connection is established sends the HTTP request headers with the domain name. If the first contact had been unencrypted and the Host header had been sent to the server over that unencrypted connection, the server would have had the possibility to select the correct certificate for the request, even on a shared IP address. FTP and SMTP encryption use this route, where encryption can be switched on on the fly during the communication process.

The only option to have multiple HTTPS domains on one IP is using a wildcard certificate. I use a *.example.com wildcard on one of my domains and it switches in the <VirtualHost> section between the sites with a RewriteMap. Installing a *.com certificate would make it possible to have all .com sites with SSL on a server on one IP address, but certification authorities are certainly not willing to issue such a certificate to us, and self-signing a *.com certificate will give error messages in all browsers.
9:49 am on Jan 7, 2015 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:257
votes: 23


You can use SNI [en.wikipedia.org] to bypass the shared IP problem. All modern browsers can handle SNI. The major problem is IE on Windows XP.