Wildcard certificates: Convenience versus Security

I understand how a Wildcard certificate has its own needs and good usage, but from a security standpoint, which almost all the time is overlooked either by lack of knowledge, experience or interest, cannot wildcard certificates be some sort of an “advanced” feature instead of “just another option”?

I get the point providers are now cutting costs because certificates from LE are automated and free versus spending 000’s on Verisign and their likes, but this is creating a false sense of security to the untrained advanced users calling themselves “admins”. Yes, everything is now encrypted, so “middle finger to NSA”, but so are the problems whenever a bad actor spawns a service running inside your network, redirects traffic to that new service and you have no clue because it looks completely legit, SSL encrypted with a very valid certificate.

Most of the recent security issues were coming from inside the company, where everything is trusted by default, and now with a certificate matching the world and dog, this will open a huge can of worms.

Shouldn’t users get, at a minimum, a “consent” form, even if as a clause at the ToS they agree without even reading, that wildcard certificates can end up being worse than having no encryption?

This has been a question on other certificate providers for over 10 years, so we are not looking for anything new here - except the fact cost is now zero.
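As an added illustration of the concern raised above (not part of the original post), the script below shows exactly what a wildcard SAN entry does and does not cover under the matching rules browsers apply (RFC 6125 section 6.4.3: the `*` must be the whole left-most label and matches exactly one label), and then runs a simple audit: which observed internal hostnames are valid for a certificate only because of its wildcard entry and are not in the known inventory. The SAN list, hostnames and inventory are constructed sample data.

```python
"""Audit which hostnames a certificate's SAN list covers, and flag hosts
that are covered only by a wildcard entry.

Constructed example: the SAN list, inventory and observed hostnames are
made up. Matching follows RFC 6125 section 6.4.3 as browsers apply it."""

from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    # Case-insensitive comparison; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def is_valid_wildcard(san: str) -> bool:
    """A wildcard entry in the only form browsers accept: '*' as the entire
    left-most label followed by at least two labels, so '*.com' and
    'f*.example.com' are rejected."""
    labels = _labels(san)
    return (labels[0] == "*" and len(labels) >= 3
            and all(lab and "*" not in lab for lab in labels[1:]))


def san_matches(san: str, hostname: str) -> bool:
    """Does one dNSName SAN entry cover `hostname`?"""
    s, h = _labels(san), _labels(hostname)
    if "*" in san:
        if not is_valid_wildcard(san):
            return False  # malformed wildcard never matches anything
        # One label only: '*.example.com' covers 'svc.example.com' but
        # neither 'a.b.example.com' nor the bare 'example.com'.
        return len(h) == len(s) and h[0] != "" and h[1:] == s[1:]
    return s == h


def coverage(sans: List[str], hostnames: List[str]) -> Dict[str, Optional[str]]:
    """Per hostname: 'exact', 'wildcard', or None when not covered.
    An exact entry takes precedence over a wildcard one."""
    result: Dict[str, Optional[str]] = {}
    for host in hostnames:
        kind: Optional[str] = None
        for san in sans:
            if san_matches(san, host):
                if "*" not in san:
                    kind = "exact"
                    break
                kind = "wildcard"
        result[host] = kind
    return result


def wildcard_only_hosts(sans: List[str], hostnames: List[str],
                        inventory: List[str]) -> List[str]:
    """Hosts covered only by a wildcard AND absent from the inventory: a
    service nobody provisioned presenting a perfectly valid certificate."""
    known = {h.lower().rstrip(".") for h in inventory}
    return sorted(h for h, k in coverage(sans, hostnames).items()
                  if k == "wildcard" and h.lower().rstrip(".") not in known)


# Constructed sample data
SANS = ["*.example.com", "example.com", "mail.example.com"]
INVENTORY = ["www.example.com", "mail.example.com", "example.com"]
OBSERVED = ["www.example.com", "mail.example.com", "payroll-new.example.com",
            "example.com", "deep.host.example.com"]

if __name__ == "__main__":
    for host, kind in coverage(SANS, OBSERVED).items():
        print(f"{host:28} {kind}")
    print("unexpected wildcard-covered hosts:",
          wildcard_only_hosts(SANS, OBSERVED, INVENTORY))
```

The useful detection signal is the last list: a hostname that appears on the network, validates cleanly against the wildcard, and has no owner in the inventory. Feeding it from whatever already records TLS handshakes (a proxy, an IDS, or a periodic scan of internal address space) turns the post's "you have no clue because it looks completely legit" into a concrete alert.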

They are. You’ll need to configure the DNS challenge to obtain one, rather than a simple HTTP request.

While I mostly agree with the rest of your post, I think the point is moot. I’m not even sure what needs discussing. If you lose control of your internal network, yep, that’s bad, and doesn’t have much, if anything, to do with the cost of certificates.

The question of “isn’t having no encryption better than having it [if a bad actor takes over]” is nigh unanswerable without a well-defined threat model. We can endlessly say things like If This, and If That, but it won’t do a whole lot to improve things without some expertise in a particular situation to consider.
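The reply above notes that a wildcard certificate can only be obtained through the DNS challenge. As an added example (not code from the thread or from any ACME client), the following computes the DNS-01 record an ACME client must publish and the check a CA's validator performs, following RFC 8555 (sections 7.1.3, 8.1 and 8.4) and the JWK thumbprint of RFC 7638. It also shows why the wildcard and the bare domain share one record name: the `*.` prefix is dropped before `_acme-challenge.` is prepended. The account JWK is a constructed placeholder, not a real key; the token value is the one used in the RFC 8555 examples.

```python
"""DNS-01 challenge record computation and validation, per RFC 8555
(sections 7.1.3, 8.1, 8.4) and RFC 7638 (JWK thumbprint).

The account key below is a constructed placeholder, not a real key: a real
ACME client signs requests with its private key, and only the public JWK
members enter the thumbprint."""

import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Tuple

# RFC 7638: only these members, in lexicographic order, form the thumbprint input.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """SHA-256 over the canonical JSON of the required members only;
    extra members such as 'kid' or 'alg' do not change the result."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (TXT record name, TXT record value) for a DNS-01 challenge.
    For a wildcard identifier the '*.' is removed (RFC 8555 s7.1.3), so
    '*.example.com' and 'example.com' are both proven at
    _acme-challenge.example.com. A CA that orders both issues separate
    authorizations with different tokens, hence two TXT records at one name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def verify_dns01(observed_txt_values: Iterable[str], identifier: str,
                 token: str, jwk: Dict[str, str]) -> bool:
    """The CA side: accept if any TXT record in the looked-up RRset equals the
    expected value (constant-time comparison)."""
    _, expected = dns01_record(identifier, token, jwk)
    return any(hmac.compare_digest(v, expected) for v in observed_txt_values)


# Constructed placeholder account key (NOT a real key); token from the RFC 8555 examples.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "placeholder-modulus-not-a-real-key", "kid": "acct-1"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for ident in ("*.example.com", "example.com", "www.example.com"):
        name, value = dns01_record(ident, TOKEN, ACCOUNT_JWK)
        print(f"{ident:18} -> {name} TXT {value}")
```

The practical consequence for the cost-versus-control discussion is visible in the record name: whoever can write TXT records at the zone apex of `example.com` can obtain a certificate for every single-label name beneath it, so the DNS API credential used for this challenge deserves the same protection as the private key it ends up issuing.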

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.