The problem is at first bypassed by them having all certificates cross-signed by IdenTrust (which is already included in every browser) until their root certificates get accepted. This should be no problem, as Mozilla is supporting them directly (also financially) and they got a lot of publicity because the people behind the ISRG, who are in turn behind Let’s Encrypt, are all well known in the industry and are, for example, higher-ups at Mozilla. Also, the EFF is behind it, which again helps to push it.
So, using it as a normal user is no problem, as the certificates get accepted automatically.
> In T80#7497, @HulaHoop wrote:
> This may not be needed if TPO switches to Let’s Encrypt for its own sites. It would be as simple as trusting their CA without worrying about expired certs or MITM.
If TPO used a self-hosted CA as you suggest, then this CA would not be accepted by mainstream browsers. That’s why they probably won’t go that route. They would still require a CA accepted by mainstream browsers. I find it quite unlikely that they would maintain two means of SSL verification at the same time (usual and Let’s Encrypt).
If TPO (The Tor Project) used the official Let’s Encrypt CA, then this would be a nice improvement; we could then pin the Let’s Encrypt CA only, but this would still not implement the stronger scope of the ticket, “direct SSL certificate pinning”.
Or am I misunderstanding something? If TPO used its own CA, would their CA then be accepted by the Let’s Encrypt CA for torproject.org? In that case, it would indeed make sense to pin to TPO’s self-hosted CA only.
> If TPO (The Tor Project) used the official Let’s Encrypt CA, then this would
> be a nice improvement; we could then pin the Let’s Encrypt CA only, but this
> would still not implement the stronger scope of the ticket, “direct SSL
> certificate pinning”.
Yes, I see what you mean. I wanted to discuss what they plan to do, but OFTC is blocking connections again.
Let’s Encrypt is still vulnerable to NSLs, but I want to understand how. They publish canaries, but I want to understand whether forcing them to serve compromised certs only applies against users of a service, or whether a service provider like a Free Software site can be targeted.