Why should we use this cert if it doesn't repudiate domain non-ownership?


#1

Howdy, we’re moving our website off an ISP into our own servers. I (webmaster) read about these free SSL certs and wanted to implement them, but our network security folks are pushing back because all the cert does is encrypt traffic and nothing else. It doesn’t guarantee that the client is connecting to our website at our domain. Is that the case? If so, why does anyone use it, because the customer would be confused seeing the “green padlock” and yet not be guaranteed they are actually surfing the website they thought they were…

Thanks for all constructive feedback!


#2

Let’s Encrypt provides regular domain validation (DV) certificates - meaning that domain ownership must be verified. The information provided by your network security team doesn’t seem accurate.


#3

Looks like your company’s gonna have some vacancies… :stuck_out_tongue_winking_eye:


#4

Let’s Encrypt requires that you demonstrate control of the domain to obtain a certificate.

If your security folks are worried that they’ve lost control of your network to crackers and your systems have been pwnd, then perhaps they’re more worried about their jobs than they are your security :smiling_imp:

EDIT: What your security folks are describing (“encrypt traffic and nothing else”) is a self-signed certificate. If they don’t know the difference between a self-signed certificate and a certificate signed by a CA (Certificate Authority), that’s actually pretty bad.


#5

Actually, I’m going to try to be more constructive with my comments.

That padlock does signify that you’re surfing the website you think you are, but it does not signify you’re necessarily looking at the business you think you are. Anyone can get the domain and accompanying certificate for “hottmail.com” or “batle.net” and get a padlock. It’s always up to the user to pay attention to what site they’re on.

It’s not just misspelled domains, either. I could obtain the website mushu.co.uk or mushu-inc.com this afternoon, and get a certificate for it and it would be completely legitimate. It’s up to the users to distinguish whether it’s really you or someone pretending to be you. This is the way the vast majority of CA signed certificates work. They confirm you’re on the website you’re on, not the business you think you’re looking at. This is the way it’s been for over 20 years.

On the other hand, if I have a big enough business, I can obtain an EV Certificate, which not only confirms I have control of the domain, but that I’m actually the business I claim to be (they’ll generally say the name of the business next to the URL). They are ridiculously expensive since they require human intervention, so it’s usually only banks and multinational corporations that have them. Businesses that really need to demonstrate they are who they say they are.

Your security staff are very wrong, embarrassingly wrong for security personnel!
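The distinction drawn in posts #4 and #5 (a CA-signed DV certificate vouches for control of the domain in the URL, nothing about the business behind it, and a self-signed certificate vouches for nothing) as an added example that is not part of the thread and not Let’s Encrypt code: a simplified Python model of what a browser checks before it shows a padlock. The trust store, CA name, domains and certificates are constructed for the illustration; real validation parses X.509 and walks an intermediate chain, which this model omits.

```python
"""Model of the check behind the padlock: domain control, not business identity.

Added example for this thread, not code from Let's Encrypt or the forum.
A certificate is a plain record here so the check runs offline; real browsers
parse X.509 and walk a full chain. All names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Cert:
    subject: str        # subject CN (constructed)
    issuer: str         # CA that signed it; equals subject when self-signed
    sans: List[str]     # subjectAltName dNSName entries
    org: str = ""       # subject O; empty for DV, filled in for OV/EV


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one SAN entry against the host in the URL.

    Case-insensitive. A wildcard is accepted only as the whole leftmost label,
    matches exactly one label, and needs at least two labels after it, so
    "*.example.com" matches "www.example.com" but not "example.com",
    "a.b.example.com", and a bare "*.com" matches nothing.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if not all(h):
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(h) != len(p):
        return False
    return p[1:] == h[1:]


def padlock(cert: Cert, url_host: str, trust_store: Set[str]) -> Tuple[bool, str]:
    """Decide, as a browser would, whether this cert earns a padlock for url_host.

    Only two things are checked: a CA in the trust store vouched for the
    certificate, and a SAN matches the host the user actually typed.
    cert.org is never read, which is why a lookalike domain holding its own
    DV certificate gets a padlock exactly like the real business does.
    """
    if cert.issuer == cert.subject:
        return False, "self-signed: nobody but the site itself vouches for it"
    if cert.issuer not in trust_store:
        return False, f"issuer {cert.issuer!r} is not a trusted CA"
    if not any(hostname_matches(n, url_host) for n in cert.sans):
        return False, f"no SAN matches {url_host!r}"
    return True, "trusted CA verified control of the domain in the URL"


# Constructed trust store and certificates for the demonstration.
TRUST_STORE = {"Example Public CA"}

REAL_SITE = Cert(subject="mushu.com", issuer="Example Public CA",
                 sans=["mushu.com", "www.mushu.com"])
LOOKALIKE = Cert(subject="mushu-inc.com", issuer="Example Public CA",
                 sans=["mushu-inc.com", "*.mushu-inc.com"])
SELF_SIGNED = Cert(subject="mushu.com", issuer="mushu.com", sans=["mushu.com"])


def demo() -> dict:
    """Run the scenarios discussed in the thread and return the verdicts."""
    return {
        "real site, correct URL": padlock(REAL_SITE, "mushu.com", TRUST_STORE),
        "lookalike, user typed lookalike": padlock(LOOKALIKE, "mushu-inc.com", TRUST_STORE),
        "lookalike cert presented for real domain": padlock(LOOKALIKE, "mushu.com", TRUST_STORE),
        "self-signed, correct URL": padlock(SELF_SIGNED, "mushu.com", TRUST_STORE),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{'PADLOCK' if ok else 'WARNING'}  {scenario}: {why}")
```

The lookalike passes for the URL its owner controls and fails when its certificate is presented for the real domain, which is the whole guarantee a DV certificate gives: the site in the address bar is the site the CA verified. The `org` field is carried on the record only to make the point that `padlock()` never consults it; showing a verified business name is a separate UI decision tied to EV, not part of the connection check.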