Let’s Encrypt (the sponsors of fire)

Did anyone see this huge (according to their sponsors) project?

Is it a good idea to have it available in combination with Whonix / Tor anonymity? Or is HTTPS Everywhere enough?

Also, has anyone tried it or gotten involved with it, or got any useful info about it?

Following up on T80 direct SSL certificate pinning for check.torproject.org and torproject.org (curl method).


(Posted too quickly.)

How does letsencrypt solve THE problem?* Getting their CA root certificate into common browsers and operating systems?

How does one start using letsencrypt as a normal user? With a normal browser? Any documentation on that? (Not from perspective of a server host.)

(*The problem that cacert failed at.)

(@HulaHoop)

Good day,

THE problem is at first bypassed by having all certificates cross-signed by IdenTrust (which is already included in every browser) until their root certificates get accepted. This should be no problem, as Mozilla is supporting them directly (also financially) and they got a lot of publicity because the people behind the ISRG, who are in turn behind Let’s Encrypt, are all well known in the industry and are, for example, higher-ups at Mozilla. Also, the EFF is behind it, which again helps to push it.

So, using it as a normal user is no problem, as the certificates get accepted automatically.

They actually have a discussion on this running, see: https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394

So, this seems like it may be something which could come in handy. I’ll maybe try it, if I have some time…

Have a nice day,

Ego

On the main page they list a bunch of organizations behind the effort so I think it will gain traction.

They are in the process of getting their root CA into all major browsers to solve the problem that killed CAcert.

In T80#7497, @HulaHoop wrote:
This may not be needed if TPO switches to Let’s Encrypt for its own sites. It would be as simple as trusting their CA without worrying about expired certs or MITM.

If TPO used a self-hosted CA as you suggest, then this CA would not be accepted by mainstream browsers. That’s why they probably won’t go that route. They would still require a CA accepted by mainstream browsers. I find it quite unlikely that they would maintain two means of SSL verification at the same time (the usual one and Let’s Encrypt).

If TPO (The Tor Project) used the official Let’s Encrypt CA, then this would be a nice improvement: we could then pin the Let’s Encrypt CA only, but this would still not implement the stronger scope of the ticket, “direct SSL certificate pinning”.

Or am I misunderstanding something? If TPO used its own CA, would their CA then be accepted by the Let’s Encrypt CA for torproject.org? In that case, it would indeed make sense to pin to TPO’s self-hosted CA only.
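The distinction drawn above, pinning the site's own key (the ticket's "curl method") versus merely trusting a CA, as an added Python example that is not code from the ticket or from anyone in this thread: it computes the `sha256//...` value that curl's `--pinnedpubkey` option compares, taken over the certificate's SubjectPublicKeyInfo, using a minimal DER walker. The certificates are constructed, unsigned placeholders built inline; the point they show is that a reissued certificate keeps the same pin only while its key is unchanged, which is exactly why leaf pinning is stricter (and more brittle across renewals) than pinning a CA.

```python
import base64, hashlib

# Minimal DER helpers, enough to walk a well-formed X.509 certificate.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, body, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of a certificate (field order per RFC 5280)."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)     # serialNumber
    for _ in range(4):                     # signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def curl_pin(cert_der):
    """What curl --pinnedpubkey compares: sha256//base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode()

def pin_matches(cert_der, pin):
    return curl_pin(cert_der) == pin

# Constructed sample certificates: unsigned placeholders, not real certificates.
RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
def fake_spki(key_bytes):
    return tlv(0x30, tlv(0x30, RSA_OID + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key_bytes))
def fake_cert(serial, spki):  # issuer, validity and subject are left as empty SEQUENCEs
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, RSA_OID)
           + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + spki)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, RSA_OID) + tlv(0x03, b"\x00"))
CERT_V1 = fake_cert(1, fake_spki(b"\x01" * 32))       # original certificate
CERT_RENEWED = fake_cert(2, fake_spki(b"\x01" * 32))  # reissued, same key: pin survives
CERT_NEW_KEY = fake_cert(3, fake_spki(b"\x02" * 32))  # reissued with a new key: pin breaks
```

On a real certificate the same value can be cross-checked with `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, which is the recipe curl's documentation gives for `--pinnedpubkey`.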

If TPO (The Tor Project) used the official Let’s Encrypt CA, then this would be a nice improvement: we could then pin the Let’s Encrypt CA only, but this would still not implement the stronger scope of the ticket, “direct SSL certificate pinning”.

Yes I see what you mean. I wanted to discuss what they plan to do but OFTC is blocking connections again.

Let’s Encrypt is still vulnerable to NSLs, but I want to understand how. They publish canaries, but I want to understand whether forcing them to serve compromised certs only applies against users of a service, or whether a service provider like a Free Software site can be targeted.