1

(In this question I ask about Let's Encrypt because it's a hot topic, but the same question could also be asked for CloudFlare's Universal SSL solution or other automated CAs)

I like that Let's Encrypt has made it very easy for everyone to secure their servers with HTTPS and it Just Works™. On the other hand, I dislike that the only thing that's required for Let's Encrypt is a DNS entry or a file on a webserver.

What I'd like is for Firefox to show me that I'm on a site that's secured with Let's Encrypt. It should still validate certificates signed by the CA, because it is a bona fide CA, but I'd like it to show a warning sign in the address bar anyway. The reason I want this is that I feel a site with a Let's Encrypt certificate is only moderately trustworthy, and I'd think twice before entering personal information on such a site.

So far I haven't found a setting in Firefox for selecting trust for a CA, other than distrusting it entirely, which is not what I want to do.


Answers suggest only trusting EV-certificates and not DV-certificates. This is already a distinction I use; I won't enter payment information on a site with a DV-certificate. My purpose with this question is to have a more fine-grained distinction between DV-CAs. Not every DV-CA has the same validation procedure, and I trust some validation procedures more than others.

jornane
  • 6
    If you don't consider automated CAs as trustworthy as others, you'd probably be better sticking to only Extended Validation (EV) certificate holding sites - both Domain Validated and Organisational Validated checks can be automated, and in the case of Domain Validation at least, are automated by the vast majority of CAs. EV certificates require further checks, including evidence of the company having some kind of legal existence (e.g. paying taxes, registered in some way, etc.) which tend to require a higher level of human interaction. – Matthew Dec 08 '16 at 15:25
  • 1
    "Not every DV-CA has the same validation procedure, and I trust some validation procedures more than others." What procedures do you trust then? You've already ruled out "DNS entry or a file on a webserver". That probably accounts for something like half of all Domain validated certificates in existence. The only other common method used in domain validated certs is sending an unencrypted email to `admin@thedomainrequestingacertificate.com` with a verification code. Would you deem that method more acceptable? – Ajedi32 Dec 08 '16 at 16:18
  • 1
    See also: https://security.stackexchange.com/questions/87443/what-makes-lets-encrypt-secure?rq=1 – Ajedi32 Dec 08 '16 at 16:37
  • 1
    I don't see how my exact personal preferences matter in a question on how you can set CA trust in a web browser, but if it's important to get the question answered I will comply: HTTP/SNI validation I trust marginally, e-mail I trust a bit better, DNS I trust most, especially when DNSSEC is involved. When a CA offers multiple, I'll assume the certificate was obtained using the least secure method available. – jornane Dec 08 '16 at 16:48
  • 2
    It sounds like you are asking for some kind of finely graded trust system, which I don't think exists. It might not be that hard to code into Firefox a filter for a particular CA. –  Dec 08 '16 at 17:42
  • @notstoreboughtdirt: Thanks, that was what I was looking for. I thought I just was overlooking some feature in Firefox. – jornane Dec 08 '16 at 18:40

1 Answer

8

As Matthew says, the difference isn't between Let's Encrypt and other CAs, it is between Domain Validated (DV) and Extended Validation (EV) certificates. That's what you want to distinguish, since the vast majority of CAs do automated DNS or file existence checks for Domain Validated certificates, while Extended Validation certificates require much more paperwork and manual intervention.

Fortunately, browsers already identify EV certificates - often by putting the domain in green - check your browser docs.

There's no significant difference in Domain Validation techniques between Let's Encrypt and, say, Comodo CA certificates sold through NameCheap (example only).

Good luck, though, in sticking with only EV certificates - the vast majority of sites out there have DV certs.

crovers
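The per-CA filter mentioned in the comments can be sketched as a Firefox WebExtension background script built on `webRequest.getSecurityInfo`. This is an added example, not code from the thread or from Firefox; the watched-issuer list, the badge texts and the sample issuer strings in the comments are assumptions, and the extension would need the `webRequest`, `webRequestBlocking` and `<all_urls>` permissions in its manifest.

```javascript
// Added example: label each page by who issued its leaf certificate.
// WATCHED_ISSUER_ORGS and BADGE are this example's own choices.
const WATCHED_ISSUER_ORGS = ["Let's Encrypt"];
const BADGE = { "insecure": "!", "watched-ca": "DV?", "ev": "EV", "other": "" };

// Extract the O= (organization) value from an issuer DN string such as
// "CN=R3,O=Let's Encrypt,C=US" (constructed sample).
// Simplified parser: escaped commas inside a value are not handled.
function issuerOrg(dn) {
  const m = /(?:^|,)\s*O=([^,]+)/.exec(dn || "");
  return m ? m[1].trim() : null;
}

// Map a webRequest SecurityInfo object to one of the BADGE keys.
function classify(info, watched = WATCHED_ISSUER_ORGS) {
  const certs = info && info.certificates;
  if (!info || info.state !== "secure" || !certs || certs.length === 0) {
    return "insecure";
  }
  if (info.isExtendedValidation) return "ev";
  // certificates[0] is the server (leaf) certificate; its issuer is the CA.
  return watched.includes(issuerOrg(certs[0].issuer)) ? "watched-ca" : "other";
}

// Register listeners only when running inside a WebExtension.
if (typeof browser !== "undefined" && browser.webRequest) {
  const labelByTab = new Map();

  // getSecurityInfo is only usable from a blocking onHeadersReceived listener.
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const info = await browser.webRequest.getSecurityInfo(details.requestId, {});
      labelByTab.set(details.tabId, classify(info));
    },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking"]
  );

  // Tab-specific badges are reset on navigation, so apply the label once
  // the page has finished loading.
  browser.tabs.onUpdated.addListener((tabId, changeInfo) => {
    if (changeInfo.status === "complete" && labelByTab.has(tabId)) {
      browser.browserAction.setBadgeText({ text: BADGE[labelByTab.get(tabId)], tabId });
    }
  });
  browser.tabs.onRemoved.addListener((tabId) => labelByTab.delete(tabId));
}
```

The certificate does not record which validation method the CA used, so the label reflects the issuer and the EV flag only.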