{"items": [{"author": "Tomer", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780670497942", "anchor": "fb-780670497942", "service": "fb", "text": "Yet you linked to the http version of your site :(", "timestamp": "1460551789"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780670497942&reply_comment_id=780675692532", "anchor": "fb-780670497942_780675692532", "service": "fb", "text": "&rarr;&nbsp;I'm still HTTP by default for now, until I'm more confident in the renewals.", "timestamp": "1460555841"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312", "anchor": "fb-780720213312", "service": "fb", "text": "Do you believe in lets-encrypt? I.e., is it a net good for the world? Should I let my browser trust its certs?", "timestamp": "1460581358"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780722798132", "anchor": "fb-780720213312_780722798132", "service": "fb", "text": "&rarr;&nbsp;* more HTTPS is good<br>* LE is doing the same level of verification as all the other CAs<br>* LE is way more pleasant to use because it's automated<br>* LE is improving the market, effectively pushing their competitors to support the automatic protocol<br>* Why shouldn't your browser trust their certs?", "timestamp": "1460582797"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780724090542", "anchor": "fb-780720213312_780724090542", "service": "fb", "text": "&rarr;&nbsp;It's point 2 I wonder about -- is this true? 
Can I not set up creditcardharvester dot com and just get people to type their credit card info since I have the green lock in the address bar?", "timestamp": "1460583403"}, {"author": "Josh", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780724978762", "anchor": "fb-780720213312_780724978762", "service": "fb", "text": "&rarr;&nbsp;What's stopping you from doing that right now? You can get a free cert from StartSSL, or pay a couple bucks from any of a dozen other options.", "timestamp": "1460583741"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780725198322", "anchor": "fb-780720213312_780725198322", "service": "fb", "text": "&rarr;&nbsp;I'm just saying -- if we could trust CAs to do due diligence on the sites they issue certs for, we wouldn't have that particular problem -- we could tell people \"if you see the green lock you can trust this site\" (for some reasonable definition of trust).", "timestamp": "1460583856"}, {"author": "Josh", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780725273172", "anchor": "fb-780720213312_780725273172", "service": "fb", "text": "&rarr;&nbsp;Sure, I just don't see how Let's Encrypt changes that math at all. How do you trust any CA?", "timestamp": "1460583890"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780725961792", "anchor": "fb-780720213312_780725961792", "service": "fb", "text": "&rarr;&nbsp;@Alex: What sort of diligence would you like to see? 
HTTPS doesn't mean \"you can safely enter your credit card info\"; it's a necessary but not sufficient sort of thing.<br><br>Extended validation certs are kind of like what you're asking for, but even then it's still mostly just about making sure the cert really is being issued to the site they're supposed to be issued for.", "timestamp": "1460584220"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780726176362", "anchor": "fb-780720213312_780726176362", "service": "fb", "text": "&rarr;&nbsp;(There isn't actually a reasonable sense of trust that comes to mind for me: what sort of trusting do you want?)", "timestamp": "1460584297"}, {"author": "Josh", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780726321072", "anchor": "fb-780720213312_780726321072", "service": "fb", "text": "&rarr;&nbsp;It's simple, you just need to find a friend who has a friend who has a friend who has a friend who is the sysadmin at your bank and can vouch for the cert in question. Then you just need to establish some sort of chain (or... \"web\" maybe...?) of trust between the two of you.", "timestamp": "1460584438"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780726815082", "anchor": "fb-780720213312_780726815082", "service": "fb", "text": "&rarr;&nbsp;@Josh: Web of trust ideas aren't trying to solve \"are these people trustworthy\", which is what Alex is asking for. 
It's just another way of verifying that you're talking to the people that you think you're talking to.<br><br>When Alex registers creditcardharvester.tld and gets a cert, from LE or any other CA, it's just to prevent other people from impersonating cch.tld, nothing more.", "timestamp": "1460584877"}, {"author": "Josh", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780727378952", "anchor": "fb-780720213312_780727378952", "service": "fb", "text": "&rarr;&nbsp;Yeah, simply having a cert (even the most comprehensively validated EV cert) does not mean you aren't a bad actor. To prove that, you need a PCI audit... /s", "timestamp": "1460585251"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780727453802", "anchor": "fb-780720213312_780727453802", "service": "fb", "text": "&rarr;&nbsp;@Josh: But many kinds of bad actors can still pass a PCI audit.", "timestamp": "1460585303"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780805447502", "anchor": "fb-780720213312_780805447502", "service": "fb", "text": "&rarr;&nbsp;@Jeff: I suppose that approach would reduce to a philosophical question: what's the difference between a bank and a loan shark?<br><br>But seriously, I think at least \"this hasn't been marked a spammy website by too many people\" might be a good place to start. 
If people use your site then you do something bad with their data, you get your cert revoked.", "timestamp": "1460644765"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780805627142", "anchor": "fb-780720213312_780805627142", "service": "fb", "text": "&rarr;&nbsp;(2/2) And, crucially, you'd have to give them some identifying information that prevents you from just making more spammy sites.", "timestamp": "1460644899"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780808815752", "anchor": "fb-780720213312_780808815752", "service": "fb", "text": "&rarr;&nbsp;This is just not what certs are for? If you do too much bad stuff you should get shut down legally or added to the safe browsing blacklist (browser enforcement), not be forced to communicate in cleartext.", "timestamp": "1460646709"}, {"author": "Alex", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780836610052", "anchor": "fb-780720213312_780836610052", "service": "fb", "text": "&rarr;&nbsp;@Jeff: a cert not only enables secure communication with whoever has the private key, it also proves that some third party vouches for an assertion the private keyholder is making, namely that they own a domain. There's no reason the assertion couldn't be something stronger.", "timestamp": "1460660035"}, {"author": "Jeff&nbsp;Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780842493262", "anchor": "fb-780720213312_780842493262", "service": "fb", "text": "&rarr;&nbsp;Why make secure communication dependent on this vouching? If you want to make this mandatory, make it part of buying a domain.<br><br>(There's also nothing that keeps someone from switching what they use a domain/cert for once it's issued. 
So safe browsing lists like Chrome's make more sense because they can be updated as sites change.)", "timestamp": "1460663335"}, {"author": "Taymon", "source_link": "https://www.facebook.com/jefftk/posts/780664055852?comment_id=780720213312&reply_comment_id=780847782662", "anchor": "fb-780720213312_780847782662", "service": "fb", "text": "&rarr;&nbsp;I think the real concern here is with impersonation attempts that rely on users' not realizing that the domain name they're looking at isn't the right one. This could be through visual misrepresentation (IDN homograph attack, typosquatting, doppelganger domains, or just something like paypa1.com for unsophisticated users), or worse, a user might be dealing with a new merchant and not know which domain name is the real one. DV certs cannot be expected to protect against this (Let's Encrypt checks against Google's known-phishing-domains API but they admit that's not much of a defense).<br><br>On the other hand, I would hope that no CA would issue an EV cert for such a domain. I'd like to see a norm where we tell users not to provide valuable information like credit-card numbers except through an EV cert, but I worry that too many legitimate merchants don't have EV certs and we wouldn't be able to get them to go along with this.", "timestamp": "1460665470"}]}