Questions tagged [letsencrypt]

An initiative from the Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to automatically provide every domain owner with a recognized certificate that can be used for TLS.

Let's Encrypt is a certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the hitherto complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

Source: Wikipedia

82 questions
6 votes, 1 answer

Let's Encrypt certificate lifetime incident: is there any security risk?

A few days ago, Let's Encrypt discovered that they misinterpreted RFC 5280, thus making every certificate they issued valid for one second longer than expected. The associated issue on the Mozilla bug tracker definitely looks serious, and some people…
Benoit Esnard
6 votes, 1 answer

How does selection between multiple available certificate chains work?

I am trying to understand the practical mechanisms of cross-signing (intermediate) certificates. As an example, I am looking at the Let's Encrypt Chain of Trust. That page mentions: IdenTrust has cross-signed our intermediates. This allows our end …
6 votes, 3 answers

Setting up LetsEncrypt SSL for domains/subdomains on two servers

LetsEncrypt certificates have been created for example.com and www.example.com. This is a Linux server on IP 123.123.123.1. I would like to add foo.example.com and bar.example.com, but these subdomains are set to 123.123.123.2 (MS2012 server, IPs…
Fid
6 votes, 2 answers

Why does ACME / Let's Encrypt require A records not CNAME?

I'm using ngrok to demonstrate the ACME protocol on IIS/Windows. However, this service prefers CNAMEs over A records. In debugging the interaction it seems that ACME only allows for A records. What is the security rationale for this behavior? …
makerofthings7
5 votes, 1 answer

Should the Strict-Transport-Security max-age be tied to the duration of the certificate?

I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to HTTP-only for a while. When setting up HSTS, most…
smitelli
5 votes, 4 answers

Let's Encrypt and EV certificates for different hosts in the same domain

I have an e-commerce site host name (example.com) and want to install an Extended Validation TLS certificate for it. But I use cookieless static content served from another host name (static.example.com) for images of the website. To be "Google…
overer
5 votes, 1 answer

How can LetsEncrypt and other similar services verify ownership of a domain over insecure http?

LetsEncrypt allows you to verify ownership of your domain using the .well-known thing, but since the site is http before the first certificate is issued, couldn't somebody do an MITM attack to give letsencrypt the response it wants without actually…
5 votes, 1 answer

How does LetsEncrypt.org's ACME work?

I found the technical paper on ACME's inner workings, but I still feel a bit confused about the ways Let's Encrypt's Domain Validation works. From what I already know, verification can be performed over either port 80 or 443. Client connects to the…
d33tah
4 votes, 2 answers

Will Let's Encrypt require SNI from the operators?

I'm curious if anyone knows whether the upcoming Let's Encrypt initiative would effectively require SNI. What I mean is, with the proliferation of the cloud, almost every web-site owner, even with the smallest possible web-site, has their own…
cnst
4 votes, 3 answers

Is it a security risk to allow index listing of the .well-known/acme-challenge directory?

To register an SSL certificate via the Let's Encrypt authority, one must serve a special file in /.well-known/acme-challenge/ with specific contents. Apologies if I missed it in the documentation, but it is not clear to me whether this token…
ctrueden
4 votes, 2 answers

Is it the responsibility of a certificate authority to ensure an SSL is not used for nefarious purposes?

I read this in the news recently: "Let's Encrypt has issued 15,000 SSL certificates to PayPal phishing sites" (Security experts call on firm to refuse certificates for domains containing popular brand…
Goose
3 votes, 1 answer

Will Let's Encrypt allow a custom workflow?

The Let’s Encrypt management software will: automatically prove to the Let’s Encrypt CA that you control the website; obtain a browser-trusted certificate and set it up on your web server; keep track of when your certificate is going to expire, and…
3 votes, 1 answer

Do I need to associate my backend API server with a domain name to get an SSL certificate for it (HTTPS)?

I have developed my DRF back-end API locally, deployed it on an AWS Lightsail instance (with a public static IP) and I now want to secure it with HTTPS. I understand that in order to use Let's Encrypt (and not pay for an SSL certificate), I have to…
kingJulian
3 votes, 2 answers

Man-in-the-middle attack (ACME / Let's Encrypt) on Authorization Key?

By looking at https://letsencrypt.org/how-it-works/, I got the feeling that a man-in-the-middle attack might be possible in the 'Domain Validation' phase. During that phase, the admin is asked to e.g. perform the challenge of putting a file on the…
3 votes, 2 answers

What is Multi-Perspective Validation?

The Let's Encrypt upcoming features page lists the following: "Multi-Perspective Validation: Currently Let’s Encrypt validates from a single network perspective. We are planning to start validating from multiple network perspectives." I haven't…