Isn’t transparency one of the important goals of LE? ISRG even publishes a legal transparency report. So, not publishing such a list is definitely not being totally transparent. There is the reason: Absolute Transparency in everything.
it is not JUST LE’s list.
LE uses both their own list of “high risk domains” and the Google Secure Sites or whatever that was called.
there were already here and there questions on why their name was blocked (there was somebody with a ing domain and seemingly didn't know that there was a bank with that name, maybe it isn't known in his part of the world) and what got even more confusing is that the list was changed and it worked before.
I think we need a nice little talk about security by obscurity.
let’s look at this from another perspective:
guess why Linuxes are usually quite a bit more secure than for example Windows? well I would say because they are open source and anyone can point out flaws and even fix them, and if someone does junk, the next one will straight remove it.
The following wouldn't apply to an LE blacklist but let's say this: a closed piece of software could easily try to phone home or the gov while in open source software each transmission can be seen because people can just follow the code.
let’s hope this is a joke.
even if I don't like it that much, LE is THE CA for automation, don't say that it takes something serious to publish the list.
depending on the format I could write a PHP that reads and renders the list even realtime if you want.
also such a list could be commented so people know WHY their name is in the list. because sometimes it is not widely known for that person's environment (for example, who expects a Chinese person to know all about the services of Google or anything else that is usually blocked by the Great Firewall of China?)
There is a huge difference between source code ( in which I agree totally the openness helps ensure linux is a little more secure) and data.
Having the source code for SSH available to everyone makes it much more secure. Providing everyone the data I use for my public / private key doesn’t though.
Having the process by which LE checks your domain for proof of ownership open source makes it much more secure. Specifying exactly which IP address it would always check from makes it less secure - hence that information isn’t published and LE state that they may use TOR or a similar method to ensure it’s from a randomized IP address.
The list is basically a list of high-profile financial institutions, tech companies with a security focus, commonly targeted e-commerce sites, major social networks, certificate authorities, and some sites prohibited by the U.S. Treasury Department’s SDN list.
well their IPs are something different than the blacklist.
the IPs are something LE cannot easily change to something desired and a whitehat cannot really do anything about it. but for the blacklists a whitehat can point out those gaps and help LE fix those.
Providing everyone the data I use for my public / private key doesn’t though.
but then again most implementations on how people generate their keys are open source
the exact generation data for your key is secret and random because that is what is used to encrypt, but the algorithms are mostly open source. who would have thought about the Debian weak keys issue.
before we get to the source vs list issue: the list is essentially an "algorithm" to determine what domains are okay and what are not, so I think it would count here as a thing that should be public, again as I said as this allows whitehats to fill gaps. but what could also be done would be, instead of a full list of each and every alteration, that a user could enter their name and get the fitting entry so that for example that windowsupdatewhateversomething gets shown that it has association to windows and therefore is blocked.
@josh what is that SDN thing? when I just did a quick search on "SDN" I mostly found software defined networking. is that such a bad thing it needs to be banned?
Exactly as has been done here. The "algorithm" or methodology has been stated …
The pure data hasn’t.
Specially Designated Nationals List (SDN) - https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx
Transparency [total transparency, and absolute transparency] was achieved when stating such a list exists, and when further disclosing information about ways in which that list is populated.
One does not need to divulge the specifics of internal security processes in order to be fully transparent – especially when the act of doing so would likely undermine their efficacy. Additionally, as others stated the lists may contain data assembled by other groups which may be covered by various contracts and non-disclosure agreements.
If the Babel Fish disproves the existence of God, why not?
What are the chances a tech site would have people capable of quoting HHGTTG?!?!
(At least I refrained from farting in his general direction)
I’d think the probability approaches unity, but I guess that assumes older geeks…
Everyone STOP being insulting. Even if you are mad at someone, that doesn’t justify insults at all.
eh no. as I said already there are 2 lists. one is that Google thing and the other one is the list LE maintains
well I don't think exactly. if it were a static list, a lot of stuff would be able to go through way too easily. I believe there are probably some regexes in there and this is an algo no matter how you slice it.
high horse? I was just using linux as an example of open source software being able to be more secure than closed source software. I am not a linux fanboy, in fact I use windows for most of my stuff (except win server because these things are so expensive for an individual and won't work on a raspi anyway)
I don't know much about how the servers look but at least concerning malware I guess there is a reason why I have never seen an antivirus for linux, probably because there is very few of that.
also who said that some of those things cannot be averted more or less easily or resulted partially from bad configurations.
for example shellshock only works when the attacker has access to the shell, so well have fun with that.
also on an open source software mistakes can be found more easily by whitehats and blackhats will find it anyway sooner or later. I mean look at flash or internet explorer
@DarkSteve I didn't say linux IS more secure but it CAN be more secure due to the fact that it's open source and whitehats can help making it more secure.
also closed source software can easily become unsupported or get a certain important update really late. in case of open source software, everyone could provide a patch and in case of software that literally runs as source (like php web software) people can quickly incorporate the change without the need for compiling and stuff.
on closed source software there's a lot less people who can look at the source and see different kinds of issues, vulnerabilities and other things.
also in closed source software backdooring isn't really hard while with open source software the next person just can say no and kick that backdoor out again if somebody would try to add one.
also windows server costs more than a THOUSAND dollars (plus tax). if it wouldn't be more secure than a windows desktop they would probably get really bad PR.
This is probably not the best thread to discuss the security benefits of open vs. closed source or Windows vs. Linux. I encourage everyone to stick to the original topic of this thread and remember to keep the discussion civilized.
@pfg I would love to read the link, but well, I don't seem to have permission for that.
also open vs closed is actually part of the disclose vs not disclose the list (at least in my opinion) because it is essentially the same base principle.
I suspect the link should be https://community.letsencrypt.org/guidelines#agreeable and https://community.letsencrypt.org/guidelines#be-civil
This is about data, not software. That’s like saying you’re running open source software, so you need to make a db dump available to the public.
One can argue that this list should be public (though I see no value), but it’s not the same thing as open source vs. closed source software.
well especially on changes it may explain what’s going on.
and well I see the value that if the community sees holes that they can be reported and fixed quickly.
this will get especially nice when you start doing IDNs.
but if that's not a choice, if you blacklist a name, add a comment on why it is blacklisted so especially on changes users know immediately why they are blacklisted.
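What the "enter your name and get the fitting entry" lookup and the "comment on why it is blacklisted" idea from the posts above could look like, as an added example that is not from the thread or from Let's Encrypt. The rules, reasons and sources are constructed placeholders, not the real list; the check runs against both the unicode and the punycode form of the name so IDNs are covered too.

```python
import re
from dataclasses import dataclass

# Constructed sample of a *commented* high-risk list: each entry carries the
# pattern, the reason it is there and where it came from. Illustrative only,
# these are not entries of Let's Encrypt's real list.
HIGH_RISK_RULES = [
    (r"examplebank",    "resembles the brand of a (fictional) bank",            "LE list"),
    (r"examplepay",     "resembles a commonly phished (fictional) payment site", "LE list"),
    (r"xn--mnchen-3ya", "(fictional) IDN brand, stored in its punycode form",   "LE list"),
    (r"examplecorp",    "(fictional) tech company, from a partner feed",        "partner feed"),
]

@dataclass
class Match:
    domain: str   # the name as the user typed it
    matched: str  # the part of the normalised name that hit the rule
    reason: str
    source: str

def normalize(domain: str):
    """Return the (unicode, punycode) forms of a name, lowercased, no trailing dot."""
    uni = domain.strip().rstrip(".").lower()
    try:
        ascii_form = uni.encode("idna").decode("ascii")
    except UnicodeError:  # e.g. an empty label: fall back to the raw form
        ascii_form = uni
    return uni, ascii_form

def check_domain(domain: str) -> list:
    """Every rule the name trips, checked against both its unicode and punycode forms."""
    hits = []
    forms = set(normalize(domain))
    for pattern, reason, source in HIGH_RISK_RULES:
        for form in forms:
            m = re.search(pattern, form)
            if m:
                hits.append(Match(domain, m.group(0), reason, source))
                break  # one hit per rule is enough
    return hits

def explain(domain: str) -> str:
    """The kind of message a user could be shown instead of a bare 'blocked'."""
    hits = check_domain(domain)
    if not hits:
        return f"{domain}: not on the high-risk list"
    lines = [f"{domain}: on the high-risk list"]
    for h in hits:
        lines.append(f"  - matched '{h.matched}': {h.reason} [{h.source}]")
    return "\n".join(lines)

if __name__ == "__main__":
    for name in ["MyExampleBank-login.com", "München.example", "harmless.example"]:
        print(explain(name))
```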
Trying to separate out the “data” part from the “algorithm / code” part. I’d say;
There is an "algorithm / code" for how the list is produced. There can be an argument for that to be more openly defined as to its origins.
The “data” is the list itself. It has no algorithm or anything in it, it is purely a data list.
How the “data” is used, is part of the “algorithm / code”
So from my perspective, comments like
Is part of the code, and a valid point to provide better feedback to a user (which could be anything from a detailed reason, to "please email us at … to discuss why this domain was blacklisted and potentially get it removed")
The original post was “Reasons for not publishing the list”, which to my mind is the data though, and not all the other discussions about how that data is either generated, or used. Those discussions are probably perfectly valid, however as @pfg says is slightly off topic for this specific thread, since the topic is about the “data” not the “software / algorithm / code”
So if the list contains less than 200 entries, this would mean less than 1/5 of Alexa's top 1k.
Google represented 68 entries on the list in 2013. And if we look at how many people complain in the forum about a legally owned domain that is blocked, I think the list is too strict.
Let's look from the other side:
- LE is publicly available.
- Anyone can check if you have an LE certificate.
- If you were asked why you do not have one and say: "I can't, I am blacklisted"
I would say this is a negative rating for your service.
On the other hand we can start a topic to build the list. We already have some of the wildcard names.
And some names from the blocked topic lists.