1. 10

  2. 6

    I’ve seen a lot of conflation of TLS with trust lately, and that needs pushback. A TLS connection is not trusted.

It means that your conversation with whatever server is private from interlocutors; it doesn’t tell you anything about the trustworthiness of the server in question.

    1. 4

      I don’t agree with this specific point. At least with Let’s Encrypt, the certificate on my site proves I have control of it (or at least its DNS records).

      Or do you mean that I personally am not a trustworthy person? Fair, but that’s outside the scope of public TLS certs to cover.

      1. 1

Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety. However, many people believe the mere presence of a DV certificate ought to connote at least some of these things.

        The CA’s Role in Fighting Phishing and Malware
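As an added illustration (not part of the thread or of Let’s Encrypt’s material), the following Go program builds a constructed, self-signed certificate with the shape of a DV certificate, a DNS name and nothing else, and shows that hostname binding succeeds while every field an OV/EV certificate would use to name an organisation stays empty. `makeDVLikeCert` and `ClaimsRealWorldIdentity` are hypothetical helper names; the serial number and host are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeDVLikeCert builds a constructed self-signed certificate whose only identity
// content is a DNS name (subject CN plus SAN), the shape of a DV certificate.
func makeDVLikeCert(dnsName string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed serial, not from any real issuer
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClaimsRealWorldIdentity reports whether the subject carries any of the fields
// an OV/EV certificate uses to name an organisation; DV leaves all of them empty.
func ClaimsRealWorldIdentity(c *x509.Certificate) bool {
	return len(c.Subject.Organization) > 0 || len(c.Subject.OrganizationalUnit) > 0 ||
		len(c.Subject.Locality) > 0 || len(c.Subject.Country) > 0
}

func main() {
	c, err := makeDVLikeCert("example.com")
	if err != nil {
		panic(err)
	}
	// VerifyHostname is the key-to-domain binding that DV establishes; the
	// identity check is what it does not establish. Prints: true false
	fmt.Println(c.VerifyHostname("example.com") == nil, ClaimsRealWorldIdentity(c))
}
```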

      2. 1

        So often people forget that encryption !== authentication.

      3. 4

        Over-reliance on manual assessments by unqualified auditors and security professionals.

        This is so true on so many levels.

I remember one day (way before the Let’s Encrypt time) we were writing a web application for a franchised brand. They had multiple domains for each store, like (for example) “mcdonalds-nyc.com”, “sf-mcdonalds.com”, “texas-mcdonalds.com”, … This was due to historical reasons. (Using subdomains and a wildcard was not an option.) The goal was to remove all these franchisee-run websites, and use one unified web application which would switch its logic based on the Host: header.

        To optimize for cost, we decided to buy two SAN certificates, one with 64 domains, and another with ~36 domains. (Since AFAIR, SANs were limited to 64 domains, and there were ~100 domains total)

        We were struggling to validate ~100 domains, as the UI of the Certificate Authority was clunky. (a lot of point and click was needed to validate one domain.) So I called to ask them if they had an API we could use to automate this process. The technical support person told us they didn’t, so she just went ahead and approved all the domains in her powerful admin interface. I only did ~10 domains manually before giving up and calling them, meaning 90% of the domains were just rubber-stamped with no verification whatsoever. I was shocked. From a customer perspective, since we were paying big bucks for these certificates in this pre-letsencrypt era, this was the best support I’ve ever had, and the lady on the phone was really helpful. But this is a security nightmare on so many levels…