this post was submitted on 16 Dec 2024
364 points (98.7% liked)

Technology

60024 readers
3374 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
364
Let's Encrypt Announces New-Certificate-Every-6-Days Offering (letsencrypt.org)
submitted 5 days ago by [email protected] to c/[email protected]
108 comments fedilink hide all child comments
 

via https://it.slashdot.org/story/24/12/15/0059216/lets-encrypt-announces-new-certificate-every-6-days-offering

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 4 days ago (22 children)

Question, if I can get free valud certs today (there atey sites that give you free ones, I use one for my lemmy site), where's the security?

I mean it's secure against man in the middle, but if my site is hacked, no proof is going to prevent the hackers to distribute whatever they want.

[–] [email protected] 5 points 4 days ago (14 children)

Certificates are to protect against MitM attacks, not prevent your site from getting hacked. You need to secure everything, this is one aspect of it

[–] [email protected] 1 points 4 days ago (13 children)

So why can't I make my own cert? Give the caller my public key and on we go.

[–] towerful 5 points 4 days ago

You can distribute your public key, and have people manually add it to their trust stores.
But OSs and browsers ship with preloaded trusted certificates. This way, the owner of a preloaded trusted certificate can issue new certificates that are automatically trusted by people's OSs and browsers.
To become a preloaded trusted certificate owner, I imagine that there are stringent audits and security requirements. Part of that will be verifying the identity of the requester before issuing them a certificate.

With LetsEncrypt, they either need to talk to a server hosted at the domain to retrieve a token (generated when the request is initiated).
This proves the requester owns/controls the domain and the server (the requester has correctly set up DNS records, and placed the required token on the server). This is HTTP challenge mode.
The other method is by a DNS challenge. The requester adds a TXT record to their nameservers with the token value, letsencrypt then inspects the DNS records for the domain and will issue a cert when it sees the token. This proves the requester owns/controls the domain.

So, proving identity is required (otherwise anyone could generate a trusted cert for any domain). And trusted certificate issuers are required, so people don't have to constantly import (possibly dodgy) public keys

load more comments (12 replies)
load more comments (12 replies)
load more comments (19 replies)