Hello
Certificatedetails.com publishes decrypted Let’s Encrypt – and other – certificates.
Does this have an impact on security?
Example:
Thank you in advance !
Websites like this get their certificate information from Certificate Transparency. This initiative actually improves the security of the Internet in a lot of ways.
Comodo, another certificate authority, has their own version: https://crt.sh
So does Google: https://www.google.com/transparencyreport/https/ct/
A copy of your certificate is sent to everyone who visits your website, so it contains nothing secret. In fact, it isn’t all that difficult to scan the entire IPv4 address space and collect all the certificates, and some projects have before.
Let’s Encrypt has always submitted its certificates to Certificate Transparency and it informs you that it does so as part of the Terms of Service you agree to when running client software for the first time.
Patches did a good job of explaining the policy. But you might still wonder why this policy is OK. The contents of a certificate can be quite intimidating to interpret, and there are some big numbers inside which might intuitively seem as though they ought to be secret, but that is not so!
Before you obtain a certificate, from Let’s Encrypt or another public CA, you will generate (or more likely use software to do this for you) a pair of keys, a Private Key and a Public Key. The clever mathematics of Public Key cryptography mean that nobody except you (and your server software) need ever know what the Private Key is. Certbot software puts it in a file named privkey.pem, for example. It’s never sent anywhere, and you shouldn’t tell anybody what it is. That includes Let’s Encrypt themselves. The Public Key, on the other hand, can be shown to everybody. And the Public Key is what’s inside the certificate: that’s the huge number.
Let’s Encrypt takes that Public Key, checks you really control the named machines you said you did, and then makes a certificate saying this is a Public Key for those names, and signs it (using public key mathematics again). Your server can present this certificate to visitors and use its Private Key to prove it’s the right server. An imposter can’t succeed because they don’t know your Private Key, and if they make a different Private Key, it won’t correspond to the Public Key in the certificate from Let’s Encrypt.
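The two replies above describe the same model from two angles: the certificate that Certificate Transparency logs publish contains only public material, and a server proves it is the right one by using a private key that never leaves it. The Go program below is an added example written for this thread; it is not code from either poster, from Let’s Encrypt or from certbot. It stands up a throwaway self-signed CA in place of Let’s Encrypt, issues a leaf for the hypothetical name www.example.org from the server’s public key alone, checks that the issued certificate bytes (what a CT log would publish) carry the public key but not the private scalar, validates the chain and name the way a browser would, and then models the handshake proof as signing a nonce with the private key and verifying with the key taken from the certificate. That nonce signature is a simplification of what TLS actually does in the handshake, but it shows why an imposter with a different key fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair. The private scalar (D) stays in this
// struct; only the embedded PublicKey is ever handed to anyone else.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA builds a self-signed CA certificate standing in for the public CA.
// The CA name is a hypothetical placeholder.
func NewCA(caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCert is the CA step from the post: it receives only the applicant's
// PUBLIC key, binds it to a DNS name, and signs with the CA's private key.
func IssueCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, name string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertCarriesPublicKey reports whether the key inside the certificate is
// exactly the applicant's public key ("the huge number" in the post).
func CertCarriesPublicKey(cert *x509.Certificate, priv *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

// CertLeaksPrivateKey scans the raw DER (what a CT log publishes) for the
// private scalar. A correctly built certificate never contains it.
func CertLeaksPrivateKey(cert *x509.Certificate, priv *ecdsa.PrivateKey) bool {
	return bytes.Contains(cert.Raw, priv.D.Bytes())
}

// ChainValid checks the CA signature, validity period and name binding the
// way a browser does when it receives the certificate from a server.
func ChainValid(leaf, caCert *x509.Certificate, name string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: name, Roots: roots})
	return err == nil
}

// Sign is the server's proof of possession: sign a visitor-chosen nonce.
func Sign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyWithCert is the visitor's side: verify using only the public key
// taken from the presented certificate.
func VerifyWithCert(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	caKey, _ := NewKey()
	caCert, _ := NewCA(caKey)
	serverKey, _ := NewKey()   // stays on the server, like certbot's privkey.pem
	imposterKey, _ := NewKey() // an attacker's own, unrelated key pair
	leaf, _ := IssueCert(caCert, caKey, "www.example.org", &serverKey.PublicKey)
	nonce := []byte("constructed handshake nonce") // constructed sample input
	good, _ := Sign(serverKey, nonce)
	bad, _ := Sign(imposterKey, nonce)
	fmt.Println("cert carries public key:", CertCarriesPublicKey(leaf, serverKey))
	fmt.Println("cert leaks private key:", CertLeaksPrivateKey(leaf, serverKey))
	fmt.Println("chain valid for name:", ChainValid(leaf, caCert, "www.example.org"))
	fmt.Println("real server verifies:", VerifyWithCert(leaf, nonce, good))
	fmt.Println("imposter verifies:", VerifyWithCert(leaf, nonce, bad))
}
```

Run it with `go run .`; the last two lines print `true` and `false`. The same leaf bytes could be posted on crt.sh or certificatedetails.com without changing any of these results, because everything a verifier needs is already public and everything an imposter would need is not in the certificate.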