Fake X1 vs testing environment

We are using cert-manager to issue certificates in k8s from LE staging on a HSTS domain. Chrome requires us to have a valid full chain. So we have added the Intermediate and Root to each developer trusted store but now as stated in the staging environment docs…

Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing

What means not safe here?
What sould we do considering HSTS domain and considering we are under heavy development (so k8s certificate is deleted and recreated ofter in a week)

You can bypass the HSTS error in Chrome by typing thisisunsafe when presented with the untrusted certificate UI.

Perhaps this is mildly inconvenient, but at least it does not require adding an untrustworthy root to your developers’ trust stores.

2 Likes

oh my … I didn’t know that!! :slight_smile:

it’s unconvinient that it is not possible to add certificates to specific browsers

1 Like

firefox has its own trust store, and add your cert into it.
maybe make a name restricted root certificate for your test domain/tld?

The idea is that if you choose to trust the staging cert in your browser, you could be more vulnerable to online attacks involving fake certs. Although we don’t know of any such attacks, we’re not taking the same kinds of precautions to prevent them that we would with the regular CA.

For example, someone might be able to hack Let’s Encrypt infrastructure or trick a Let’s Encrypt employee in order to get access to the staging signing key (something that would be dramatically harder for the regular CA). Or Let’s Encrypt might introduce a new experimental validation method in the future and test it first on the staging service, and it might turn out that the new method is insecure in some way.

Another kind of reason not to do this on a regular browser is that if you accidentally set up a production version of your own site with a testing certificate rather than a production certificate, it would be harder for you to notice that you’ve done so if your browsers accept the testing certificate with no error!

The idea is that if you choose to trust the staging cert in your browser, you could be more vulnerable to online attacks involving fake certs. Although we don’t know of any such attacks, we’re not taking the same kinds of precautions to prevent them that we would with the regular CA.

who is “we” in this context? EFF? ISRG?

In this context, “we” is the Let’s Encrypt service.

1 Like

Thanks @schoen for the detailed explanations. I though there was couple of reasons but I couldnt figure them out except for the fake certs attacks.