Is There Any Reason to Not Use Let's Encrypt, and Other Thoughts

  • Published 2 Oct 2024
  • Let's Encrypt ushered in a high tech and free way to get and apply security certificates for all of your sites.
    Hope you enjoyed the video!

COMMENTS • 119

  • @djjoa2289
    @djjoa2289 3 years ago +38

    Another relevant concept explained perfectly. Thanks EM.

  • @MCFalkenstein
    @MCFalkenstein 3 years ago +16

    Let's Encrypt is nice, but I kind of like that, for example, my bank makes use of extended validation.
    Edit: to explain: I not only know that someone owns the domain and that I see the stuff this individual wants me to see, I also know it is, very likely, my bank, because of the further validation.

    • @timschaller
      @timschaller 3 years ago +4

      Exactly. This is part of that third reason EM mentioned. I also like to see the EV on anyplace I put my money or CC info. Other than that I love LetsEncrypt.

    • @sunilk9760
      @sunilk9760 3 years ago

      Even Firebase Hosting provides free SSL via Let's Encrypt.

  • @mikesveganlife4359
    @mikesveganlife4359 3 years ago +16

    That google stat is not that surprising. Since July 2018 Non-HTTPS sites have been labeled as “Not Secure” in the Chrome browser. Good motivation for those sites to use HTTPS.

    • @user-vn7ce5ig1z
      @user-vn7ce5ig1z 3 years ago +2

      Yup, Google has far too much power which it can wield for good or evil (usually in its own favor, which since 2015, tends to be for evil). They single-handedly killed Flash.

    • @x3ICEx
      @x3ICEx 3 years ago +2

      Adobe killed Flash. Google just complies with the end-of-life policy they announced half a decade ago. Apple was the first nail in the coffin when they refused to allow Flash on iPhones. Then and only then did Android follow suit.

  • @usedtire
    @usedtire 3 years ago +3

    A point you failed to bring up is that because Let's Encrypt is free and anonymous, it is used by many groups in a nefarious manner, which means their keys are under suspicion by most security tools and/or security professionals. Even the companies that are listed as "Sponsors/Contributors" have tools that flag Let's Encrypt certificates for further review. So while Let's Encrypt may be useful for a small startup or company, at a certain point a legitimate company will have to move past it.

    • @somebodystealsmyname
      @somebodystealsmyname 3 years ago

      That's what the CAA DNS record is for. If it states that LE is to be trusted, you can trust it. If it is empty, check for legitimation.

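The CAA record mentioned above is published by the domain owner and consulted by the CA before it signs a certificate; browsers do not look at it when connecting. The following is an added example (not code from the video or from any commenter) implementing the RFC 8659 decision a CA makes, over a constructed in-memory zone, including `issuewild` and a subtree override:

```python
"""
CAA (RFC 8659) issuance check as a CA performs it before signing. Added example
with a constructed, in-memory zone; no DNS is queried.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or 128 for "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org", "letsencrypt.org; validationmethods=dns-01", or ";"


# Constructed zone data keyed by fully qualified owner name. Not real DNS.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),        # only Let's Encrypt may issue...
        CAARecord(0, "issuewild", ";"),                  # ...and nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:caa@example.com"),
    ],
    "shop.example.com.": [CAARecord(0, "issue", "digicert.com")],   # subtree override
    "api.example.com.": [CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
}


def relevant_rrset(name: str, zone: dict) -> list:
    """RFC 8659 s3: the CAA RRset of the name itself, else of the closest ancestor with one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def issuer_of(value: str) -> str:
    """Issuer domain from an issue/issuewild value; parameters after ';' are ignored here.
    A bare ';' yields '' which matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca_domain: str, fqdn: str, zone: dict) -> bool:
    """Would a CA identified by ca_domain be allowed to issue for fqdn (may be a *.name)?"""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn       # *.example.com is governed by example.com
    rrset = relevant_rrset(base, zone)
    if not rrset:
        return True            # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"      # issuewild governs wildcards when present, else issue does
    issuers = [issuer_of(r.value) for r in rrset if r.tag == tag]
    if not issuers:
        return True            # RRset has no governing property (e.g. only iodef): unrestricted
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"), ("letsencrypt.org", "*.example.com"),
                     ("digicert.com", "shop.example.com"), ("digicert.com", "www.example.com")]:
        print(f"{ca:16} {name:20} -> {'may issue' if caa_permits(ca, name, ZONE) else 'refused'}")
```
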
  • @RichardAspdenOfficial
    @RichardAspdenOfficial 3 years ago +3

    When I got round to getting a security certificate for my sites (now just one), Let's Encrypt was a godsend.

  • @BritainsDecays
    @BritainsDecays 3 years ago +1

    There is also the cPanel one, AutoSSL, which comes with cPanel when you install it, and you can activate it on any domain from WHM.

  • @martinlutherkingjr.5582
    @martinlutherkingjr.5582 3 years ago +1

    Even if you have a dog grooming website with no sensitive information, it's still nice to do this for your visitor privacy. Also, their browser may block your site.

  • @fabricioreinert4703
    @fabricioreinert4703 3 years ago +2

    Just a thing worth mentioning about sites that don't really need to be secure: I agree, but there are a lot of companies that block unsafe websites through web filters, meaning we cannot access, for example, a supplier website to check on their products. Anyway, awesome video, as always!

    • @x3ICEx
      @x3ICEx 3 years ago

      Sounds like the company policy is flawed then.

  •  3 years ago +4

    Using an agent that has access to some third party provider is the drawback I see.

    • @overand
      @overand 3 years ago

      Has access to a third party? That's literally any agent with internet connectivity. Do you mean "an agent that gives a third party access to your system?"

    •  3 years ago

      @@overand Most servers in a company need no direct internet connection. Not to mention that one more agent also means one more thing to install, patch and upgrade, and a new attack vector.

    • @niktek7020
      @niktek7020 3 years ago +1

      No need to have acme.sh/certbot directly on the server; you could just have a separate VM that does the requests to generate the certs and then use your own internal processes (scp, Ansible, etc.) to place the certs where they are needed.

    •  3 years ago

      @@niktek7020 Ohhh, I like that, thank you! From that 'satellite' it should be easy to upload the certs to something like Vault and then retrieve those certs... in k8s by using cert-manager and the Vault CRD. Good! I may end up liking Let's Encrypt 🙃

  • @networkoperations
    @networkoperations 7 months ago

    I got into a discussion with a co-worker. He insists Let's Encrypt is not suitable outside of home use. He just kept saying "it's not secure. it's not secure" with no valid reasoning on WHY it's not secure. Their keys have never been exposed, nor have I heard of any exploits with their APIs that allow issuance to a domain that's not been verified, so the chance of their root cert and signing ability getting revoked by any major CAs is low. Plus I don't think any major CA nowadays would have the guts to pull them even if something major happened. It would take down a good chunk of the web.

  • @markywi6098
    @markywi6098 11 months ago

    Let's Encrypt fails disastrously, F- for trust & F- for accountability. Sure, "technically" traffic is encrypted no differently than with other public trusts, but who cares if my CC information is encrypted to a bad guy or not in the first place (only the bad guy gets it?? Win?)? Never trust any personal/CC information to a site using a Let's Encrypt certificate unless you have assurance that the website is indeed reputable.

  • @pb-vj1qs
    @pb-vj1qs 3 years ago +19

    Could you do a video going over how to use Let's Encrypt on a simple web server?

    • @misternobody6798
      @misternobody6798 3 years ago

      sudo apt install certbot
      sudo certbot --nginx
      Follow the on-screen instructions.
      Or something similar for a Debian-based OS running Nginx.

  • @doulahaa
    @doulahaa 3 years ago +2

    Secure but still not safe

  • @TheZaBi94
    @TheZaBi94 3 years ago +3

    I think another advantage of other services is subdomain certificates. If I understand correctly, LE requires you to set each and every subdomain you want to include separately.
    Other CAs allow all subdomains in one go, right?

    • @EngineerMan
      @EngineerMan 3 years ago +7

      Let's Encrypt supports wildcard certificates now. Before that, you had to specify up to 100 subdomains which was the best option before they supported wildcards.

    • @TheZaBi94
      @TheZaBi94 3 years ago

      @@EngineerMan oh, time to change to wildcards then! Ty

    • @ccall48
      @ccall48 3 years ago +2

      DNS level domain validation allows for wildcards 👍

    • @rajith8973
      @rajith8973 3 years ago

      Alert(1)

  • @latavish
    @latavish 3 years ago

    Thank you for this information. I had no idea this even existed!

  • @Alhaddad
    @Alhaddad 3 years ago +17

    I've been using Let's Encrypt for many years now. I even tried my best to get my company to use it, to no avail. Some companies just want to see their money burn 😁

  • @skyracer-mk8hg
    @skyracer-mk8hg 3 years ago +3

    Not watched it yet, but there is: Cloudflare.

    • @nuklearwinter2892
      @nuklearwinter2892 3 years ago

      My first thought as well. Still, issuing a cert on the origin server via Let's Encrypt is worthwhile, or using Cloudflare's origin certs.

    • @skyracer-mk8hg
      @skyracer-mk8hg 3 years ago

      @@nuklearwinter2892 Well, if you cannot use an origin cert, sure, that's a good option, but you don't have to install certbot due to the certs lasting up to 15 years.

  • @sparkfire1223
    @sparkfire1223 3 years ago

    Just found your channel, pretty good stuff! A couple of other things that come to mind: code signing certificates are unavailable, rate limits can be an issue if you're an enterprise, certain internal management processes/standards may require extended validation, and there is no single portal to manage all enterprise certificates.

  • @Didier-cu6cb
    @Didier-cu6cb 1 year ago

    Explained perfectly. Thank you.

  • @algeriennesaffaires7017
    @algeriennesaffaires7017 3 years ago

    I always wanted to thank those guys for their work.

  • @sylaan
    @sylaan 3 years ago

    I use Let's Encrypt whenever possible but there are some cases where it's not possible. Mostly for all sort of vendor appliances on their user-facing GUIs, virtual or physical, such as firewalls and the like. While it is possible to install the Let's Encrypt certificate (generated somewhere else), the whole renewal automation part will either not work at all or will involve some excessive amount of hacking. Maybe this will change in the future, who knows.

  • @kevin_delaney
    @kevin_delaney 3 years ago

    That is awesome! Why didn't I know about this prior to this video?? Haha, you should do a video on Signal, general encryption, and how to generally improve security, like on a rooted Android, or how to lock down Linux, a server, etc. Love your channel and your videos! You are the man!

  • @niktek7020
    @niktek7020 3 years ago

    Probably the only situation where you wouldn't use LE is for an OpenVPN setup, as that would allow anyone else with an LE-generated cert to be trusted by your VPN (same root cert).

  • @HunterDeLeon
    @HunterDeLeon 3 years ago

    I have absolutely no idea how I got here but I decided to watch the entire video. I imagine this is some great content (if I had any idea what you were talking about)!

  • @funkykong9001
    @funkykong9001 3 years ago

    Thank you for the explanation!

  • @carsonfball4
    @carsonfball4 3 years ago

    4:20 The certificate wouldn't even work if it were different than what you can buy elsewhere.

  • @wtfmrkratos
    @wtfmrkratos 3 years ago

    Certbot makes it so easy, everyone should do it.

  • @humbled_pleb
    @humbled_pleb 3 years ago

    Love your videos man! No intros, straight to the point

  • @iStudLion
    @iStudLion 3 years ago +2

    Maybe the 3 percent are websites whose certificate just expired and needs a new one? or developers on localhost 😯

  • @praecorloth
    @praecorloth 3 years ago

    I've been saying since the late 2000's, encryption is so computationally inexpensive that you should be encrypting everything by default. If something isn't encrypted, it should have a very good reason that it isn't (spoiler: I've yet to hear a good reason to not encrypt something).
    This is, of course, coming from the corporate world, where I worked for many companies who only wanted to do the bare minimum necessary to squeak by compliance. It's never about actual security, it's always about profit margins. Oh the horror stories I could share.

    • @5014eric
      @5014eric 3 years ago

      HTTP is for compatibility with very old browsers.

    • @praecorloth
      @praecorloth 3 years ago

      @@5014eric Yup. Still waiting on a good reason to not encrypt.

  • @reggieangus5325
    @reggieangus5325 3 years ago

    Privacy reasons. Look on TechRights for a more detailed explanation

  • @AlanWagoner
    @AlanWagoner 3 years ago

    Always some excellent content by EM!

  • @MdShamimRahman
    @MdShamimRahman 3 years ago

    I didn't know it's free.

  • @linuxsport
    @linuxsport 3 years ago

    Great, simple explanation.

  • @Emanemoston
    @Emanemoston 3 years ago

    Thank you sir.

  • @rockfishhook7333
    @rockfishhook7333 7 months ago

    Yes, I was denied access to Lowe's hardware about a garage door install inquiry. Am I just special or just stupid for thinking my phone is hacked to hell by jackboots?

  • @doodmonkey
    @doodmonkey 3 years ago +1

    There is absolutely no reason you're not running SSL certs in this day and age.

  • @randomuser66438
    @randomuser66438 3 years ago +3

    I wonder if Let's Encrypt software brings backdoors into our servers

    • @caret4812
      @caret4812 3 years ago

      it's not entirely impossible

    • @jackcarr6136
      @jackcarr6136 3 years ago

      Certbot is on GitHub. Build it yourself if need be

  • @x3ICEx
    @x3ICEx 3 years ago +1

    On occasion the entire https side of my internet goes down. Until my ISP fixes their DNS I'm stuck using http only. Some websites prevent this. I'll never force https-only on my entire site. (except all login pages are https of course)

    • @EngineerMan
      @EngineerMan 3 years ago +8

      Just so you're aware, session cookies are just as useful as passwords. If I catch someone's session id in clear text I can easily hijack their session.

  • @waneagony
    @waneagony 3 years ago

    Re the 3% that do not use HTTPS: maybe they just have a landing page with some info. If so, I don't think you gave any reasons for these kinds of pages to have a need for encryption.

    • @vista9434
      @vista9434 2 years ago

      Even then, the better website performance that HTTPS brings thanks to HTTP/2 makes it a better default option even if you don't need it.

  • @CristiNeagu
    @CristiNeagu 3 years ago

    Wouldn't it be then possible to get certificates for fake sites that mimic real sites, making it harder for people to see that they're on a fake site?

    • @oliverlonsdale1492
      @oliverlonsdale1492 3 years ago +3

      All a certificate says is "you are connected securely to the URL in the bar". It's not designed to say anything about the site itself, unless you get one that, as mentioned in the video, actually checks into that sort of thing.

    • @user-vn7ce5ig1z
      @user-vn7ce5ig1z 3 years ago

      @@oliverlonsdale1492 Exactly. The only valid argument against free certificates is that they don't do background-checks, but even then, there are (or at least have been) free certificates that used a "web of trust" model such as for example, finding a local notary and providing ID to have them sign off on you and your site then providing a free certificate.

    • @EngineerMan
      @EngineerMan 3 years ago +2

      Scam sites can still acquire paid certs, that's not specific to Let's Encrypt.

    • @CristiNeagu
      @CristiNeagu 3 years ago

      @@user-vn7ce5ig1z I didn't mean it as an argument against Let's Encrypt. I was genuinely asking a question.

    • @jorgenpaulson8283
      @jorgenpaulson8283 3 years ago +1

      Yes, it is a problem of domain validation for certs: it only verifies that you own the domain (and maybe some automated checks against typosquatting so you can't get a cert for "faceebook[.]com"). Let's Encrypt does make this easier, just like it makes it easier to get a cert for your non-fake site. I would like to see extended validation get more traction and quality control, because that is the level of protection I think most people expect for banks and other sensitive sites.

  • @oslewis6316
    @oslewis6316 3 years ago +1

    Great video, appreciate the info! I wasn't sure before!

  • @snake_eyes_garage
    @snake_eyes_garage 3 years ago

    Let's Encrypt is difficult to use with multiple sub-domains, i.e., web, webmail, mail, mail list, control panel, etc., so I am using Comodo, who makes it super easy, albeit at a cost.

    • @EngineerMan
      @EngineerMan 3 years ago +3

      That used to be the case but you'll be happy to know Let's Encrypt supports wildcard certs now.

  • @chiragsaini2314
    @chiragsaini2314 3 years ago

    Congratulations for 369k subs

  • @0vivekeviv0
    @0vivekeviv0 3 years ago

    Congressman Speech

  • @joeldcanfield_spinhead
    @joeldcanfield_spinhead 3 years ago

    My hosting company provides security certs for all my sites at no charge, but this is a super option otherwise. I love hearing potentially complicated subjects explained clearly. Thanks.

  • @Tux.Penguin
    @Tux.Penguin 3 years ago

    This is good information. Glad I clicked on this video. Ashamed to admit I was unaware of the existence of Let's Encrypt.
    On a separate note, the system at YouTube thought it would make sense to append a 54-minute advertisement onto the end of your 6-minute video. What's even worse is that there's apparently an advertising company out there spending money to create a 54-minute ad and then paying YouTube to run it, hoping for a good ROI.

    • @EngineerMan
      @EngineerMan 3 years ago

      Did they really? Wow. YouTube doesn't let me customize ads for videos under 8 minutes, which is many of my videos. So I guess people get what they get.

  • @openedeyes6110
    @openedeyes6110 3 years ago +1

    Hey man, I need your help building GIMP on Windows. I'm trying to understand how to do it, but it is very challenging, especially for guys like me who know very little about the basics of computers. If you could make a video dedicated to how to build GIMP on Windows only, I'd be grateful.

  • @MarekKnapek
    @MarekKnapek 3 years ago

    Let's Encrypt has (had?) some drawbacks: unable to provide a certificate for an IPv6-only site; unable to provide a wildcard certificate for all subdomains in a single cert; validating cert requests from only one location. Maybe others. That was true a few years ago, not sure how it is now.

    • @ArjenHaayman
      @ArjenHaayman 3 years ago

      Wildcards are supported: community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

  • @filipefigueiredo8271
    @filipefigueiredo8271 3 years ago

    I don't quite understand something about Let's Encrypt certificates. I can't remember where I read about it, but I saw that these certificates are not valid if you want to, for example, build an online store. Is this in fact true or not? Kinda curious about that.

    • @EngineerMan
      @EngineerMan 3 years ago

      That's not true. They are valid and usable for any web project.

  • @user-vn7ce5ig1z
    @user-vn7ce5ig1z 3 years ago

    Unfortunately, HTTPS isn't always feasible, and in some cases, not even possible. There are some third-party web-interface programs like RaspberryPiMonitor that simply don't support it (yet?) I've made a couple of Arduino/ESP based devices that I created web interfaces for, but I haven't been able to find any practical way to implement HTTPS for them (yet). I suspect IoT devices will be the ones to lag the most, at least commercial, discontinued devices; development libraries will catch up soon.

    • @EngineerMan
      @EngineerMan 3 years ago +3

      What makes HTTPS always feasible is that the device itself doesn't need to support TLS. The device can sit behind something like NGINX, which will terminate TLS for it.

    • @m4l490n
      @m4l490n 3 years ago

      @@EngineerMan That's right. I have all my embedded IoT devices behind a BeagleBone Black board I'm using as my IoT server running Linux, and it has Let's Encrypt certs on it. So the embedded devices don't need TLS at all.

    • @EngineerMan
      @EngineerMan 3 years ago

      It would actually be pretty clunky for embedded devices to support TLS anyway as it's more places to install a cert and more software to keep current. Even modern network connected software that fully supports TLS still won't (e.g. Node.js, Python, etc.). It'll just sit behind some web server and have the requests proxied through to it.

  • @pardal_bs
    @pardal_bs 3 years ago

    In my opinion, the TLS security model is fundamentally broken, because it doesn't really prevent/fix MITM attacks. It only restricts who can perform them successfully to the certificate authorities. They can still intercept TLS-encrypted traffic, unless the certificate is self-signed (which browsers complain *a lot* about) or the user checks the certificate fingerprint.

    • @EngineerMan
      @EngineerMan 3 years ago +1

      Depends who controls the root store. Employers leverage what is effectively an MITM attack by placing a proxy server between company computers and the internet and using their own cert and installing that root cert to company computers. This results in "secure" sites appearing normal but upon inspection one will discover the cert in use is not the one from the site but the one from the employer. As you pointed out though, self signs without the cert in the user's root store are pretty easy to spot (red warnings, etc.). I wouldn't go as far as to describe TLS as broken though because of this.

    • @pardal_bs
      @pardal_bs 3 years ago

      @@EngineerMan Whatever the trusted root certificates are, whoever controls just one can intercept all TLS-encrypted traffic coming from the machine (unless pinning is used).
      That means that when a user receives an HTTPS link, they need to trust that the person who sent the link gave the correct link (e.g. that person could have said Wikipedia is at wikipedia.me) *and* they need to trust that no single root certificate installed on their machine will be used for malicious purposes.
      This could be avoided by just putting the certificate fingerprint in the URI (which is similar to what IPNS does). That way, the user would only need to trust the person who sent the link.

  • @m4l490n
    @m4l490n 3 years ago

    Indeed, stop paying for stuff.
    I have my own home server made out of an old laptop computer running on HTTPS with Let's Encrypt certs. Even the domain name is free. You can get those from a free DNS service provider.

    • @Belioyt
      @Belioyt 3 years ago

      Which free DNS service provider do you use?

    • @m4l490n
      @m4l490n 3 years ago +1

      @@Belioyt I use dynu.com

    • @Belioyt
      @Belioyt 3 years ago

      @@m4l490n thank you.

  • @TheQuinn50
    @TheQuinn50 3 years ago

    I used to use Let's Encrypt, but I switched to Cloudflare. You get the certificate and built-in DDoS protection, among a lot of other features.

    • @Adam-vp5lc
      @Adam-vp5lc 3 years ago +2

      That only encrypts the traffic between the visitor and Cloudflare; between Cloudflare and your webserver it is unencrypted. It also allows Cloudflare to see data that'd usually be encrypted (think API and customer data). This might not matter for your risk model, though; something to think about.

    • @TheQuinn50
      @TheQuinn50 3 years ago +1

      I still host all of my endpoints over HTTPS, as well as using the Full (strict) end-to-end option on Cloudflare.

  • @niooni7946
    @niooni7946 3 years ago

    Ummm, let me put it out there. Just a few minutes ago I've seen Croatian public TV saying buying stuff on the internet is mostly insecure in 2021... That's gotta be worse propaganda than those companies saying Let's Encrypt certs are less secure...

  • @williamedds1
    @williamedds1 3 years ago

    A valid reason to not use LetsEncrypt is that it doesn't legitimize your site. As a real-world example, a friend shopped around for a good sale on a new Nintendo Switch. He found one that was $50.00 less than all the large retail stores and bought it. However, several weeks after his money was taken, he hadn't received any updates on shipping except that it was coming from somewhere in China.
    After bringing it to my attention, I saw the site "looked" official, but after checking the certificate, I saw it was made with LetsEncrypt literally 2 days before he purchased the product. He was officially scammed and eventually received a small box with cheap knick-knacks in it rather than a brand new Switch.
    So, point of the story: people who are in the market for scamming people will more than likely use LetsEncrypt to make their sites appear real and secure, since it doesn't cost anything. If you are a real seller and you want to spin up a website for your store, you will have to try hard to convince people that your website is legitimate and not just a pop-up scam using LetsEncrypt... or you can buy a cert from a cert company just to not have that issue. Also note, if you aren't selling anything or otherwise collecting people's info and your site is more just for relaying information, a blog, a front for your own services that only you will use (like NextCloud!), then LetsEncrypt is a great idea!

    • @EngineerMan
      @EngineerMan 3 years ago +1

      There are many ways to determine if a site is a scam and the presence of a Let's Encrypt certificate is not one of them. The red flag here was that the product was priced well below market value, a too good to be true situation, and indeed it was. In fact, if checking a certificate and knowing which are free and which are paid was routine behavior by the average internet user then how did your friend get scammed in the first place?

    • @williamedds1
      @williamedds1 3 years ago

      @@EngineerMan Ah ha, easily... he's not an IT guy. The only reason I even thought of looking at the cert was due to recent use of creating unsigned certs for some of my projects and looking into LetsEncrypt instead. Still having a hard time figuring out how to get it to work with NGINX, Plex, NextCloud and pfSense altogether, but that's my work to do.
      To be honest, you are correct about the other red flags, and he has now been properly made aware of them, the whole "if it's too good to be true" thing... That is one less target for scammers!
      LetsEncrypt is a pretty cool thing to use (love the fact that it is 100% FREE!! WOOT!) and I can't wait to figure it out, but I guess if you think a merchant site might not be legitimate, finding out it has a LetsEncrypt cert that is less than a week old might just be a sign for caution. At least that's my thought.
      BTW, your videos are awesome! Thank you for making them and even taking the time to reply to my comment. I greatly appreciate it.

    • @EngineerMan
      @EngineerMan 3 years ago

      Ha, no problem. "He's not an IT guy" is kind of my point though, which is the case for 99.9% of people. So for him, even if they had a cert issued by Verisign, he still would have gotten scammed.

    • @tbmemailutube
      @tbmemailutube 2 years ago

      Great videos, Engineer Man. Minor correction. Verisign hasn't sold certificates for ~10 years. The big player is DigiCert now.

  • @rish1459
    @rish1459 3 years ago

    So, the entire TLS process relies on PKI; that means you need to be sure that the Root of Trust is actually trusted.
    Let's Encrypt does ZERO validation that you own the domain, so as a security consultant, I recommend REMOVING the Let's Encrypt Root Of Trust from the trusted certificates.
    This is a security hole as I can spoof a domain and get a Let's Encrypt certificate.

    • @EngineerMan
      @EngineerMan 3 years ago

      They do domain validation using the same techniques other vendors use (e.g. special file in web root, txt record, etc.). If you've actually found a way to issue a cert for a domain that you do not own then you should report that to the Let's Encrypt team as I'm sure that's something they would like to be made aware of.

    • @nuklearwinter2892
      @nuklearwinter2892 3 years ago

      Lmao @Rish, if it were that easy, go ahead and spoof amazon.com, google.com, etc. and ask Let's Encrypt to issue you a cert. Good luck with that.