<p dir="ltr">I spent 15 minutes recently migrating away from traditional CA infrastructure to LetsEncrypt. It is nearly fully automated and incredibly easy that there really is no excuse not to use it on every site on the internet. I also configured HPKP and HTTP/2, which will utilize encryption by default, due to browser convention.</p>
<p dir="ltr">Yes, ACME makes a lot of that possible and everyone really should be using LE. +9000 to my bud Yan Zhu for her and the rest of ISRG / EFF team's effort making this a reality. I would recommend that if you use LE, then at least donate the cost of one CA cert to them annually so the project continues to improve and be rewarded for killing the old antiquated CA deployment model.</p>
<p dir="ltr"><a href="https://letsencrypt.org/donate/">https://letsencrypt.org/donate/</a></p>
<p dir="ltr">Plaintext HTTP should now be considered harmful and deprecated. And if you don't believe me, well, then maybe you listen to gov which also agrees everything should be HTTPS...</p>
<p dir="ltr"><a href="https://https.cio.gov/everything/">https://https.cio.gov/everything/</a></p>
<div class="gmail_quote">On Dec 6, 2015 4:58 PM, "Moses Hernandez" <<a href="mailto:moses@moses.io">moses@moses.io</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Actually there is a much more interesting thing happening with LetsEncrypt that I think is lost on many people. The ACME protocol behind it, from my understanding and from what is listed here (<a href="https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md" target="_blank">https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md</a>) will allow us to programmatically interact with the CA (register, request, renew) our certificates at will. In theory, you could ask for a new public/private key pair every day, which would be an interesting twist to someone taking keys as an example. I believe you would still want to enable PFS but it is considerable that requesting new key pairs adhoc would change the threat model. It would also bring down the cost of other interesting, yet expensive items like HPKP (HTTP Public Key Pinning) which would in a best practice case require 2 keys. <div><br></div><div>There is also work on certain newer ('hipster?') webservers like Caddy to be able to natively use ACME and letsencrypt. (<a href="https://caddyserver.com/" target="_blank">https://caddyserver.com/</a>) Of course, no guarantee in the bug free or security of either systems that I'm mentioning but it is moving the conversation forward.</div><div><br></div><div>-m</div><div>@mosesrenegade</div><div><a href="mailto:moses@moses.io" target="_blank">moses@moses.io</a></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Sun, Dec 6, 2015 at 3:11 PM Kristian Erik Hermansen <<a href="mailto:kristian.hermansen@gmail.com" target="_blank">kristian.hermansen@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">It now means that the entire web can move to HTTPS by default and there are no excuses for not having an HTTPS certificate any longer. Eg. When you type <a href="http://www.whateversite.com" target="_blank">www.whateversite.com</a> into your browser, by default, an HTTPS connection can be made instead. Unencrypted HTTP can die now. The issue of backdoors in Certificate Authorities still exists though, because nation state laws permit gov to obtain CA private keys and perform intermediation. Therefore, we also need to ensure public key pinning and validation of per-site certificates in order to identify rogue site certificates being generated that were not issued by the site itself. Stay safe! :)</p>
<div class="gmail_quote">On Dec 4, 2015 8:40 AM, "Charisse Castagnoli" <<a href="mailto:charisse@charissec.com" target="_blank">charisse@charissec.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Because there are many smart people on this list, I ask how would you evaluate this just released tool:<br>
<br>
<a href="https://letsencrypt.org/" rel="noreferrer" target="_blank">https://letsencrypt.org/</a><br>
<br>
I'm too old to read source code and cert/key gen is specialized knowledge in any case.<br>
<br>
Comments?<br>
<br>
charisse<br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div>
</blockquote></div>