Let's Encrypt is 10 years old today!
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Huge thanks to everyone involved in making HTTPS available to everyone for free
@Some_Emo_Chick I keenly remember looking at my bills for SSL certs and being so excited for this launch.
Then doing a bad job of automation and failing to renew every 3 months.
@amd @Some_Emo_Chick Yeah, I forgot to do it a couple times. Then I set up the option in gitlab pages and have pretty much forgotten it exists. It's wonderful.
@Some_Emo_Chick Yes, let's thank them. And after ten years, it is time to create alternatives in other countries.
@Some_Emo_Chick let's hope someone does free S/MIME right next.
@Some_Emo_Chick ISRG what an awful name. It sounds like a front for NSA. I still remember the initiative was started by FSF
@Some_Emo_Chick @tongpu I am so grateful for it.
@Some_Emo_Chick I do congratulate @letsencrypt even tho @cacert was way earlier there and only got #cockblocked by #GAFAMs like #Apple & #Microsoft who refused to integrate it and @mozilla who didn't integrate it either.
Meanwhile #LetsEncrypt can be setup fully-automatic.
@Some_Emo_Chick They were not the first (anyone remember startssl.com?) but they sure did a great job with the automation.
The web is now safer because of @letsencrypt
@Some_Emo_Chick I'm not sure, but will I use certificates from a so-called phishing CA? ... a difficult question ...
Do you refuse to use sites that only have a domain validation cert?
@ThatPrilla @Some_Emo_Chick Well, I don't use this CA myself for certain reasons. Why? Well, it mainly has to do with trust.
When I visit websites, I generally always check who issued the TLS certificate and whether the chain of trust is complete. Yes, on government websites that use a certificate from this CA, I only retrieve data if necessary, but never enter personal or confidential data.
1/n
@ThatPrilla @Some_Emo_Chick But where I'm definitely out are site providers who, for whatever reason, think they have to break TLS connections using MITM, or use so-called service providers who do this. I don't enter anything there, no user, health, financial or other personal data!
The best, no, the worst example was this association from Munich, which on the one hand promoted free networks but on the other used Cloudflare as MITM.
2/3
@ThatPrilla @Some_Emo_Chick Someone who shows that users are being taken for fools and dragged through the ring with a nose ring has lost my trust! I'm out of there ...
3/3
A domain validation cert from Let's Encrypt and a domain validation cert from any other CA are functionally indistinguishable and provide the exact same level of assurance, which is only that the cert has been issued to someone who has access to that domain and that your connection to the thing presenting the cert is reasonably private/secure.
So unless you are only putting personal info into sites where you manually look for the OV or EV details to verify, you aren't making yourself more secure.
But the other problem is that the extended validation process isn't reliable.
A few years back a researcher got an EV cert for "Stripe Inc" by registering a company with that name at the state level in the US and that was enough for a CA to issue him an extended validation cert. Cost him $177.00 to do that.
But even then, that is massive overkill for phishing now because browsers removed the UI elements that indicated a cert was an EV cert.
The simple truth is, as long as someone can complete a domain control challenge, any CA will issue them a cert without any further verification. Payment details aren't even reliable because stolen identities and payment information are everywhere.
If you are relying on a cert alone to protect you from fraud, you aren't really protecting yourself.
@ThatPrilla @Some_Emo_Chick Andrew, believe me I know the technical background to certificates and DNS quite well, as this is one of my main tasks in our company.
Encryption is one thing, and there is no fundamental technical difference between certificates, regardless of whether one is self-signed, from an "official trustworthy CA" or from another such as CAcert or others.
What I am concerned with is the issue of trust. Encrypted communication is one thing, but am I really exchanging data ....
@ThatPrilla @Some_Emo_Chick ... directly with the right person and/or is there someone in between snorkeling data or exchanging content?
Years ago, a Czech security company developed a Firefox browser plugin that could be used to check the validity of the certificate used via TLSA. You could be sure that the connection was secure and that you were communicating without a MITM attack.
As they say so aptly here, trust and control are the basis of secure and confidential communication.
...
@ThatPrilla @Some_Emo_Chick And that's what it's all about for me personally, no more and no less. And with many websites (operators) I lack this relationship of trust.
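The TLSA check mentioned above, as an added example that is not code from any poster or from the plugin described: it compares a server's leaf certificate against DANE TLSA records (RFC 6698) and honours the usage field, so a PKIX-EE record still needs ordinary chain validation while DANE-EE does not. The certificate bytes and records are constructed so the block runs offline; only selector 0 (full certificate) is implemented.

```python
import hashlib

# Constructed stand-in for the DER-encoded leaf certificate a server presents
# in the TLS handshake; in real use it comes from the handshake itself.
SERVER_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def parse_tlsa(rdata: str) -> dict:
    """Parse presentation-format TLSA rdata: 'usage selector mtype hex'."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    return {
        "usage": int(usage),        # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
        "selector": int(selector),  # 0 full certificate, 1 SubjectPublicKeyInfo
        "mtype": int(mtype),        # 0 exact bytes, 1 SHA-256, 2 SHA-512
        "assoc": bytes.fromhex(assoc.replace(" ", "")),
    }


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the bytes the record's association data is compared against."""
    if selector != 0:
        # Selector 1 needs an ASN.1 parser to extract the SPKI; not done here.
        raise NotImplementedError("selector 1 (SPKI) not supported in this example")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def dane_check(cert_der: bytes, records: list, pkix_ok: bool) -> bool:
    """True if the leaf matches at least one usable end-entity TLSA record.

    pkix_ok is the result of normal CA-chain validation; it gates usages 0/1.
    Usages 0 and 2 constrain a trust anchor in the chain, not the leaf, so they
    are skipped here rather than matched against the leaf by mistake.
    """
    for rec in records:
        if rec["usage"] in (0, 1) and not pkix_ok:
            continue
        if rec["usage"] not in (1, 3):
            continue
        try:
            if association_data(cert_der, rec["selector"], rec["mtype"]) == rec["assoc"]:
                return True
        except NotImplementedError:
            continue
    return False


# Constructed records: a DANE-EE pin of the leaf, a PKIX-EE pin, and a bad pin.
DANE_EE_RDATA = "3 0 1 " + hashlib.sha256(SERVER_CERT_DER).hexdigest()
PKIX_EE_RDATA = "1 0 1 " + hashlib.sha256(SERVER_CERT_DER).hexdigest()
BAD_RDATA = "3 0 1 " + "00" * 32
```

A TLSA lookup only helps when the zone is DNSSEC-signed and the resolver validates it; an unsigned answer can be swapped by the same on-path party the check is meant to catch.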
@Some_Emo_Chick
Holy time collapse, Batman. Feels like way longer.