0

When more and more webservers install the letsencrypt client to have free letsencrypt certs, I was just thinking.

Are the letsencrypt client(s) audited? Can they have malicious code in them?

Hessnov
    "Audited" is very vague. You can expect that security professionals have had a look at the source. Are you looking for an "official" report? For example, you can trust EFF's Certbot client in the sense that it's published by a reputable organization. Beyond that, I think asking "Are Let's Encrypt clients secure?" is really broad. – Arminius Mar 23 '18 at 19:15
  • I have noticed as well that, due to the free nature of Let's Encrypt, we are seeing an influx of people that probably should need auditing; as stated, though, all Let's Encrypt will do is domain control checking, and no audits (on the server? the company?) are done. – Mar 24 '18 at 12:40

2 Answers

3

Let's Encrypt publishes an API. Anyone can write a client for that API, including one with malware. You don't have to ask permission; you can sit down and make it without asking anyone.

The recommended client, certbot, can be assumed to be reasonably vetted, and while it is not guaranteed to be bug-free, there's a very, very low likelihood of intentional malware in it.

The reason it can be trusted is that it's a rather popular piece of software, with contributions from many people and an equal number of people peering at the software, and in addition the EFF has a good reputation.

vidarlo
  • "can be assumed to be reasonably vetted" - Could you expand on the basis for this assumption (eg "because the EFF is trustworthy", "because so many people use it", etc)? It would be nice to have something a little more concrete. – AndrolGenhald Mar 23 '18 at 19:15
  • Sure. If you want to add more, feel free to [edit] yourself as well :) – vidarlo Mar 23 '18 at 19:17
-1

EDIT: I misread the original question, thinking it was talking about clients as people who use letsencrypt instead of clients as programs that retrieve letsencrypt certificates automatically.

I'll leave this here in case a future reader is similarly confused.

Original Answer:

Just because a website has https does not guarantee that the website is safe or secure.

In the case of letsencrypt, they only verify the client's ability to control the domain (either through http or through DNS records).

Essentially, you can think of https as only ensuring you get the person you were looking for, and ensuring that communication between you and them is encrypted.

https does nothing to protect you from maliciousness on that person's part.

As an aside, sometimes you'll see Extended Validation certificates (the green bar ones). These are verified more, but still not to the audit stage, only to the point of verifying that there is a legitimate company behind the URL. letsencrypt does not offer the EV service.