Support for AES encryption


#1

Let’s Encrypt does not support currently AES encryption, so sites with it cannot use Let’s Encrypt.
This security system is presented in many free hosting providers and makes it more dificult for users to use them.


#2

Umm, I’d ask you to clarify your statement a bit, because the certificate has nothing to do with determining the ciphersuite. AES is part of several ciphersuites that can be used by a TLS connection after the handshake, but a certificate itself is neither an AES key, nor does it rely AES for anything. This goes for any TLS certificate, not just Let’s Encrypt certificates.

I think you’re misunderstanding part of the process, so if you could explain what issues you’re having we’d be glad to help get you on the right track! For example, this forum uses a Let’s Encrypt certificate, and I’m connected to it currently using the AES_128_GCM cipher.


#3

@jared.m
I mean AES from the SlowAES project, the aes.js files.

  • aes.js: implements AES - Advanced Encryption Standard
  • from the SlowAES project, http://code.google.com/p/slowaes/
    Sites already using it cannot install Let’s Encrypt
    This is the code used in such websites:
    <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("d3c143e907c1d71f78f0018d7dbf3ac7");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://example.com/?i=2";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>
    You need javascript to visit the site, and thus Let’s Encrypt cannot do so because it does not execute JavaScript code.

#4

Ah, that’s very different. I can almost promise you that’s not going to change from a Let’s Encrypt side. The correct implementation here is to either set up your web server to not apply this restriction to the .well-known/acme-challenge directory, or use the dns-01 challenge type.

This is the same issue that people run into using “browser-validating” DDOS protections - they’re designed to block non-browsers from access, which is exactly that the Let’s Encrypt validation authority is.


#5

Isn’t there anything that can happen by their side, implement something like Search Engines do in order to crawl the site?


#6

Nope…

All codes are(should) executed in server / client side… Let’s encrypt only took part in the certificate (even cipher & protocol & security settings are set by the server) so it should be the server’s responsibility to support it.


#7

To be a bit more specific, it’s certainly possible for Let’s Encrypt to implement a Javascript engine on their validation engine, strictly speaking, but there are significant technical reasons that this won’t happen, from both a practicality and security standpoint. As such, even though I am not affiliated with Let’s Encrypt or the ISRG, I still feel confident in assuring you that no, this will not change.

If you’d like assistance in either setting up your system to either use the dns-01 challenge or re-configure your web server to allow direct access to the challenge directory, feel free to open a new topic. We’d be happy to help you!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.