Could Let's Encrypt ever get distrusted?


#1

I have a question in regard to whether our Let’s Encrypt trust / certificates could ever suffer the same fate as these paid EV certificates.

I would think not since every certificate has to be domain validated first.

But these Certificate authorities are in a world of trouble it seems.

Resources :

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

https://blog.qualys.com/ssllabs/2017/04/05/ssl-labs-distrusts-wosign-and-startcom-certificates

It seems paid certificates are getting distrusted and banned/blocked by Google, Apple, Mozilla, Chrome, etc.

So far the list of companies in the blacklist seems to be:

WoSign
StartCom
Symantec
DigiNotar

I would hope Let’s Encrypt never gets distrusted, since I don’t see how a domain validated certificate could be mis-issued with the way Let’s Encrypt works.

Also, if anyone knows of any other certificate authorities, etc. that I missed out of this blacklist, please do share / say.


#2

Hi @C0nw0nk,

Let’s Encrypt tries hard to work with the root program operators to make sure that we’re always complying with the rules related to certificate issuance.

It is always possible for any CA to misissue certificates, for example because of a software bug. Let’s Encrypt had a minor incident of this sort back in 2015, involving six certificates:

Hopefully there are no other bugs in Let’s Encrypt’s infrastructure that will cause future misissuance events (and there are ongoing audits and testing projects that try to prevent this), but it’s hard to be completely sure that it can never happen.

Many of the conflicts between root programs and CAs in the past involved root program complaints that CAs deliberately violated their own policies or failed to be transparent about problems (for example, trying to cover them up rather than acknowledging them). Let’s Encrypt always aims to be extremely transparent and so this sort of conflict with root programs seems unlikely to me. If we make a mistake, we aim to acknowledge it publicly and work with the root programs as necessary to make sure it doesn’t happen again.


#3

Hey there, @schoen

Thanks for the information :slight_smile: It makes me happy to be using Let’s Encrypt over paid certificate authorities.

It is awesome and makes me glad that Let’s Encrypt does not try to justify or make excuses, and aims to fix the problems as soon as possible.

I don’t know how many millions of certificates are publicly in use by those companies that are getting banned, but I saw how many are in use right now by Let’s Encrypt via the stats ( https://letsencrypt.org/stats/ ). It seems like something that could be extremely devastating: to one day see that your sites are inaccessible because the trust chain has been broken by the company who provided you a paid or non-paid certificate.

But from what Google provide as evidence, the grounds for the bans do seem to come after multiple violations, and in the Symantec case it seems they tried to justify it by saying the following:

In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm.

Even the 127 mis-issued is a large number; even 1 certificate is too many for a security company.

Here is their growing blacklist of certificates, chains and CAs that manage to land/slam themselves in there:

https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl/blacklist/
https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl

I can’t see the Let’s Encrypt certificates you mentioned in there, but I guess if the validity dates the certificates had on them meant they have already expired within the 90 days that Let’s Encrypt certificates are valid for, that may be the reason.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.