Fake X1 vs testing environment

pluqueTheLuxe · August 15, 2019, 11:55am

We are using cert-manager to issue certificates in k8s from LE staging on a HSTS domain. Chrome requires us to have a valid full chain. So we have added the Intermediate and Root to each developer trusted store but now as stated in the staging environment docs…

Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing

What means not safe here?
What sould we do considering HSTS domain and considering we are under heavy development (so k8s certificate is deleted and recreated ofter in a week)

_az · August 15, 2019, 12:21pm

You can bypass the HSTS error in Chrome by typing thisisunsafe when presented with the untrusted certificate UI.

Perhaps this is mildly inconvenient, but at least it does not require adding an untrustworthy root to your developers’ trust stores.

pluqueTheLuxe · August 15, 2019, 12:21pm

oh my … I didn’t know that!!

pluqueTheLuxe · August 15, 2019, 12:23pm

it’s unconvinient that it is not possible to add certificates to specific browsers

orangepizza · August 15, 2019, 12:39pm

firefox has its own trust store, and add your cert into it.
maybe make a name restricted root certificate for your test domain/tld?

schoen · August 15, 2019, 6:11pm

The idea is that if you choose to trust the staging cert in your browser, you could be more vulnerable to online attacks involving fake certs. Although we don’t know of any such attacks, we’re not taking the same kinds of precautions to prevent them that we would with the regular CA.

For example, someone might be able to hack Let’s Encrypt infrastructure or trick a Let’s Encrypt employee in order to get access to the staging signing key (something that would be dramatically harder for the regular CA). Or Let’s Encrypt might introduce a new experimental validation method in the future and test it first on the staging service, and it might turn out that the new method is insecure in some way.

Another kind of reason not to do this on a regular browser is that if you accidentally set up a production version of your own site with a testing certificate rather than a production certificate, it would be harder for you to notice that you’ve done so if your browsers accept the testing certificate with no error!

orangepizza · August 15, 2019, 9:08pm

The idea is that if you choose to trust the staging cert in your browser, you could be more vulnerable to online attacks involving fake certs. Although we don’t know of any such attacks, we’re not taking the same kinds of precautions to prevent them that we would with the regular CA.

who is “we” in this context? EFF? ISRG?

schoen · August 15, 2019, 9:59pm

In this context, “we” is the Let’s Encrypt service.

pluqueTheLuxe · August 19, 2019, 12:08pm

Thanks @schoen for the detailed explanations. I though there was couple of reasons but I couldnt figure them out except for the fake certs attacks.