Cps available only via http


#1

Hello

In the first certificate, the cps statement is only linked through http. I would suggest making the cps available via https and embed a https link in the certificates.


Let's Encrypt on HTTPS Everywhere
#2

Hi @erik, you can access the policies over HTTPS at

https://letsencrypt.org/repository/

There is some policy reason that the links in the AIA section of the certificate are HTTP instead of HTTPS. In the future, we may be able to use HSTS to guarantee that more users will access our policies over HTTPS in practice.


#3

I think a rule in HTTPS Everywhere also helps :smile: :


#4

As noticed in the https everywhere rule http://letsencrypt.org/repository now redirects to https.
I don’t know why - especially because of the reason @schoen stated, which can’t be changed such fast.


#5

it’s probably HSTS aka “I was there and I know this site wants to be called by HTTPS”


#6

I tested it with curl. There is (also) a 301 redirect.
Besides this letsencrypt.org uses HSTS which would also redirect this so that’s right.


#7

I think references to CPS links are officially supposed to be presented as HTTP to avoid cases where people are unable to read them because they don’t already trust the certificates in question. Of course, we also serve our policy documents over HTTPS and encourage people to access them over HTTPS where their local configuration permits.


#8

well the LE main site is protected using Identrust so I dont think that matters here.


#9

I just saw how this issue might have been resolved: They just used another subdomain only for their legal document there.

http://cps.letsencrypt.org/

It seems to be a Akamai server and is only available via HTTP (HTTPS causes an domain mismatch error).


#10

Iwouldnt call this “resolved”, it should also be able as https for the people who DO have them trusted (with identrust that would be quite a large number) because anyone could modify the HTTP-transferred documents in question.

nothing against HTTP access but http-only is bad.


#11

You’re forgetting the bootstrapping problem. If you start out by trusting no CAs, how are you going to read the certificate practice statements to figure out which CAs you want to trust?

To be fair, nobody sane would actually do that. But it needs to be possible.


#12

that’s why I said that I have nothing against http access in general, the problem is that is is http only.


#13

Did you even read the beginning of this thread?
As I said http://cps.letsencrypt.org is HTTP-only, but here (archive link, get the most up-to-date link from this site) you can read the exactly the same document over HTTPS.


#14

I thought in the resolved part it means now that the stuff is only at the cps domain.


#15

No don’t think so. Why should they do this?
The CPS is clearly part of the “Policy and Legal Repository”.