Let's Encrypt - starting to offer wildcard certs in January 2018

Discussion in 'Smalltalk' started by sjau, Jul 6, 2017.

  1. sjau

    sjau Local Meanie Moderator

    Hi there

    I just read about this:

    "Let's Encrypt, the free and open certificate authority (CA) launched as a public service by the Internet Security Research Group (ISRG), says it will begin providing free "wildcard" certificates for Internet domains in January 2018. Wildcard certificates allow anyone operating a domain to link a single certificate to multiple subdomains and host names within a domain. That means a single free certificate could be used to provide HTTP Secure (HTTPS) encryption of pages on multiple servers or subdomains hosted on a single server, significantly lowering the barrier for adoption of HTTPS on personal and small business websites."


    This is good news :)
    elmacus and florian030 like this.
  2. Loveless

    Loveless Member

    It's also bad news, depending on your view on security. Think about it: if you worked at IBM, and you were in the accounting group, you could ask for a domain certificate issued to awesomesauce.accounting.ibm.com. But before they would issue that certificate, you would need to prove that you own that specific domain, by entering a specific DNS entry, or hosting a unique file on the webserver that proves you control it, or a few other automated ways.
    If you asked for a wildcard certificate for *.ibm.com, how could they verify that you owned all of the subdomains? They couldn't via automated means. And if they did issue a wildcard certificate, you could use that to act as ANY subdomain on ibm.com, which could be taken advantage of. With a wildcard cert, you can act as password.ibm.com, or ad.ibm.com, or any other critical site, and decrypt the traffic of clients coming to that server.
    They are doing amazing work at promoting HTTPS, but issuing wildcards will undoubtedly lead to a lot of collateral damage. Time will tell.
  3. sjau

    sjau Local Meanie Moderator

    As far as I see it'll be DNS challenge only (at the beginning). If you can control the DNS zone file for a domain, you can point any subdomain to wherever you want. I don't see a problem.

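For readers who want to see what the DNS challenge mentioned above actually checks, here is an added illustration of ACME DNS-01 validation as specified in RFC 8555 section 8.4 (and RFC 7638 for the account-key thumbprint). It is not code from this thread, from Let's Encrypt, or from any ACME client: the account keys, the token and the zone contents are constructed, and a plain dict stands in for a real DNS lookup. The point it demonstrates is that for a wildcard identifier such as `*.ibm.com` the CA looks up the TXT record at `_acme-challenge.ibm.com`, so the proof is control of the zone, not control of any particular web host.

```python
"""
ACME DNS-01 challenge validation (RFC 8555 section 8.4), illustrated.

Added example for the forum thread above; not code from Let's Encrypt or
from any ACME client. All keys, tokens and zone data are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members,
    serialised with sorted keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def expected_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01: the TXT record must contain base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validation_name(identifier: str) -> str:
    """Name the CA queries. The wildcard label is dropped first, so
    '*.ibm.com' is validated at '_acme-challenge.ibm.com'."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def dns01_validate(identifier: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """Simulate the CA side: look up the TXT records and compare.
    `zone` maps a DNS name to a tuple of TXT strings (constructed resolver)."""
    name = validation_name(identifier)
    return expected_txt_value(token, account_jwk) in zone.get(name, ())


# Constructed account keys (coordinates are arbitrary base64url strings, not real points).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
ROGUE_JWK = {"kty": "EC", "crv": "P-256",
             "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
             "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

# Constructed challenge token, as the CA would hand it to the client.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# The zone as published by whoever can edit ibm.com's DNS: they added the
# value the legitimate client computed. Nothing at the accounting host's name.
ZONE = {
    "_acme-challenge.ibm.com": (expected_txt_value(TOKEN, ACCOUNT_JWK),),
}


def demo() -> dict:
    """Run the three cases the thread argues about and return the outcomes."""
    return {
        "wildcard, zone owner's key": dns01_validate("*.ibm.com", TOKEN, ACCOUNT_JWK, ZONE),
        "wildcard, someone else's key": dns01_validate("*.ibm.com", TOKEN, ROGUE_JWK, ZONE),
        "sub-subdomain, nothing published": dns01_validate(
            "awesomesauce.accounting.ibm.com", TOKEN, ACCOUNT_JWK, ZONE),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'valid' if outcome else 'rejected'}")
```

The thing to notice is that the record name is derived from the identifier with the `*.` stripped, and the record value is bound to the requesting account key through the thumbprint. A party that can only place a file on one web host never gets to write `_acme-challenge.ibm.com`, and a party that can write it but holds a different account key still fails, which is the mechanism behind the "if you control the zone file" argument in the last post.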