YAAC Wrapper Needing Improvement

Hi all,

We have created a Free Let's Encrypt SSL Certificate Generator interface where anyone can host it locally & generate an SSL.
aitrex .com/ freessl.php

Hope it's useful, feel free to share feedbacks too.

Thanks for the effort you probably spend on that project.

However, I do have some feedback about your site and you're probably not going to like it:

While I haven't read too much source code, it looks like the private key is generated on the server and NOT on the client side (I don't see any cryptography in js/customscripts.js), which is an inexcusable security issue.

Now, there are some other possible improvements I think, but unless the private key is only and easily demonstrably generated on the client side, there is no room for this certificate generator to begin with I'm afraid.

5 Likes

Hi Osiris,

Thank you for your valuable feedback.
We used the library GitHub - afosto/yaac: Yet another ACME client: a decoupled LetsEncrypt client to develop this project.
As per their documentation, it is generated on the server side. Hope it is ok.

No, it definitely is NOT I'm afraid.

For security matters like certificates, there must be no doubt about the security of the private key and that private key must NEVER be generated anywhere other than the client side.

As trust is everything, you can SAY you won't store the private key, but how and especially why should we believe you? The only way to tackle this is to never have the private key demonstrable on the server side, but only on the client side. I.e.: it is generated by the web browser and is never even sent to the server.

6 Likes

Exactly, trust is everything.
The primary goal is to assist developers with minimum knowledge in generating an SSL.

As you mentioned about the data concern (no data is stored anyway), we are thinking of posting the GitHub repo so that anyone can host it locally and generate it. Hence the data will be generated in their own local server.
If they can't host they can still use ours. Up to them to decide.

1 Like

That would be a good solution from a security standpoint indeed. If everything is local, there's no issue.

That would be indeed up to the user, but note (to users) that even if you claim the code is 1:1 the same as on the Github repo, that can't be proven, so technically there is still the security issue if the user decides to use your website :slight_smile:

4 Likes

I'm sure this comes from a place of trying to help people, but I can't help but ask, "why?" Even leaving aside the question of whether browser-based clients are a good idea (they aren't for many reasons, which is why they aren't included in the client list), and further leaving aside the question of whether this project is implemented securely (per your own statements, it isn't), there are already lots of other such clients/sites out there. I'm not going to give links for the same reason that the client list doesn't--they're strongly discouraged--but a web search for something like "get let's encrypt certificate online" pulls up several such pages.

If this is something you think people need (and I'd strongly disagree with that, though I recognize people think they need it), why go to the trouble to build your own when there are at least a half-dozen others already out there?

5 Likes
  1. "why?" - most of them require login and are limited to a few domains without paying for premium. Except very very few companies/freelancers.
  2. "implemented securely" - yes, it is implemented securely that no data is stored anywhere except for processing. Not sure why you said "it isn't".
  3. "why go to the trouble to build your own" - due to #1, we are using it to generate SSLs for our clients.

We use "Yet another ACME client" from the client list PHP section ACME Client Implementations - Let's Encrypt

I am really not sure, when something helpful comes up, everyone here seems to be discouraging it.

As already said, your word for this is nearly not enough. The code has to be auditable by the user in the browser for any webbrowser based service to be reliable.

With regard to the online service offered on your website: only when the implementation is a bad idea. Sorry. You might have wanted to do a little bit more research on this topic before starting this project (especially security wise, it has been covered numerous times on this Community already), unless you wanted to do so for yourself anyway. I do NOT recommend it for any other users whatsoever.

There are web-based services out there which are actually secure (i.e.: let you do the key generating locally by yourself), but even those are discouraged as it's always better to have an automatable ACME client in a "set up once, don't bother it ever again" kind of fashion.

Using the source code locally is fine of course.

4 Likes

I don't understand the security issue which you are mentioning.
If I am downloading the GitHub repo & I am locally generating an SSL in my own system what is the security issue?
You said few mins ago that "If everything is local, there's no issue"
Now you are saying that "I do NOT recommend it for any other users whatsoever."

I meant the online service, not anything locally :slight_smile: I'll edit my post to make that more explicit.

6 Likes

If you understand security, you see why doing it "online" [on some third party server] is very insecure.

Then you should probably remove the "online website" version.

4 Likes

So this is basically a wrapper around YAAC, which, by its very name, essentially promotes the generation of clones that typically don't fill any unique or niche need. If this were at least an independent ACME implementation and not just a wrapper, it might serve as a case study. As it stands, it's mostly just yet-another example of wrapping YAAC.

As for the "online" version, it's (strictly worse than) YAPS.

3 Likes

Additionally, using unfounded phrases like "The Best Design & Development Company" sounds really fishy/phishy.

3 Likes

It is hosted on our company website to showcase a demo. Check the link/even google the company before stating random comments.

People need to see what it is before downloading a repo. It is not on a third party server. It is hosted on our own server. If hosting on AWS GCP GoDaddy etc is a security issue, then 99% of the website should be down.

I think Rudy means "not the server of the user" :slight_smile:

6 Likes

Got it, thanks.

3 Likes

Yep. Others running your software on your server is the main problem.

4 Likes

Is the quoted statement made by your company about your company on your company's own website? If so, based upon whose review is that statement qualified?

3 Likes