Let's Encrypt updates certificate automation, adds splats

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system. Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate. ACME is the …

  1. Anonymous Coward

    "...admins will have to edit a DNS record to prove..."

    FSBInternetServices.ru is pleased to announce the immediate availability of a brand new, state of the art, and totally free, Domain Name Service (DNS) offering.

    Vee, excuse me, WE are happy to provide this DNS service as a free service. The records will be absolutely totally secure, and there's no way that vee... WE would be able to temporarily make any changes to your domain's records while you were asleep, or even redirect any obviously-associated challenge follow-up inquiries to a trivial sandbox, especially if they happened to be arriving from any known Certificate Issuing agency. Vee'd never do that.

    1. mr_splodge

      Re: "...admins will have to edit a DNS record to prove..."

      You do have to wonder about the security of the established domain validation techniques. How many DNS hosting providers have mandatory multi-factor authentication on their web portals? I'm yet to find one.

      1. talk_is_cheap

        Re: "...admins will have to edit a DNS record to prove..."

        >> How many DNS hosting providers have mandatory multi-factor authentication on their web portals?

        Well dnsmadeeasy offers it as an option.

      2. Jonathon Desmond

        Re: "...admins will have to edit a DNS record to prove..."

        Digital Ocean provide free DNS hosting (well, it's good enough for me), and they have 2FA.

        You can also automate the Let's Encrypt process using a DO API key.

    2. Anonymous Coward

      Re: "...admins will have to edit a DNS record to prove..."

      Ruskies playing catch-up. Cloudflare has had this feature set for years :-p

    3. Hstubbe

      Re: "...admins will have to edit a DNS record to prove..."

      Why go through the trouble? Check the list of CAs your browser trusts. I bet you'll find the Russian state-owned one in there. And a few USA-controlled ones. And what about China? They can all print random certs at will.

  2. razorfishsl

    Potentially this is dangerous, since you could launch servers under a company's existing SSL that are malware, but have valid SSL/HTTPS encryption to tunnel through AV software.

    So for example I could launch an HTTPS server under the domain WITHIN the network and then use HTTPS encrypted tunnels to corrupt other workstations within the organization, without it triggering any network or firewall alarms.

    1. Graham Dawson

      Which bit is dangerous? The wildcard?

  3. Tom 64

    Wildcard certs

    Not having these was a big pain in the backside before. I can see a much bigger uptake now these have been added.

    1. Anonymous Coward

      Re: Wildcard certs

      > Not having these was a big pain in the backside before.

      I wouldn't say that. At least not if you have the right instrumentation.

      What this does, it opens up new possibilities such as securing¹ dynamic hosts.

      ¹ For the level of security that TLS is able to provide.
