Heads-up to those with WoSign & StartSSL certificates
Hi folks, if you have any certificates from either of those companies, replace them ASAP, because as of Chrome 61 (mid-September), those certificates will all be marked as untrusted.
It's rather likely this will happen in other browsers as well; a subset of the certificates are already not trusted.
https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
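One defensive check that follows from the post, added here as an example and not code from the linked Google post or from either CA: it pulls a site's leaf certificate with Python's standard `ssl` module and flags the issuer if its organization or common name is WoSign or StartCom (the CA behind the StartSSL brand). The two sample dictionaries are constructed in the exact shape `getpeercert()` returns so the functions can be exercised offline; the issuer names in them are illustrative, not copied from a real certificate.

```python
import socket
import ssl

# Issuer organizations Chrome 61 stops trusting: WoSign, and StartCom (the CA
# behind the StartSSL brand), per the Google security blog post linked above.
DISTRUSTED_ISSUER_ORGS = ("WoSign", "StartCom")


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into {attribute: value}."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}


def is_distrusted_issuer(cert):
    """True if the leaf's issuer organizationName or commonName names a distrusted CA."""
    fields = issuer_fields(cert)
    names = " ".join(fields.get(k, "") for k in ("organizationName", "commonName")).lower()
    return any(org.lower() in names for org in DISTRUSTED_ISSUER_ORGS)


def fetch_leaf_cert(hostname, port=443, timeout=5.0):
    """Open a verified TLS connection and return the parsed leaf certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns (not real certificates).
SAMPLE_STARTSSL_LEAF = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "IL"),),
        (("organizationName", "StartCom Ltd."),),
        (("commonName", "StartCom Class 1 DV Server CA"),),
    ),
    "notAfter": "Sep 30 00:00:00 2018 GMT",
}

SAMPLE_OTHER_LEAF = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example DV CA 1"),),
    ),
}


if __name__ == "__main__":
    import sys

    # Usage: python check_issuer.py host1 host2 ...
    for host in sys.argv[1:]:
        cert = fetch_leaf_cert(host)
        verdict = "REPLACE" if is_distrusted_issuer(cert) else "ok"
        print(f"{host}: issuer={issuer_fields(cert).get('organizationName')!r} -> {verdict}")
```

Two caveats when using it against real hosts: `getpeercert()` only exposes the leaf, so this catches certificates issued directly by a WoSign or StartCom intermediate rather than every chain Chrome's change affects; and once your local trust store has already dropped those roots, the handshake inside `fetch_leaf_cert` raises `ssl.SSLError` before you ever see the certificate, which is its own answer.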
As an addendum, if you only need a Domain Validation (DV) certificate I’d strongly suggest using Let’s Encrypt. The certificates are free and if you’re on a host actively trying to support the service they can be easy to install. If you have a domain without an SSL certificate I’d also recommend using Let’s Encrypt. SSL will improve your search engine rankings and make your users less susceptible to attacks or eavesdropping. Some hosts don’t make it easy to use Let’s Encrypt, often because they’re trying to sell SSL certificates and this free service undermines their product line (long but good read). I’d suggest moving hosts in that case if practical. I suspect market forces will win and expand support even to those who actively are fighting it, but you can start saving money now and help encourage its wider adoption. I recently moved myself. You may find this list of providers who actively support Let’s Encrypt useful in picking a host that’s right for you.
@jqubed I heard on a podcast (sorry, don't recall which) that Let's Encrypt is adding wildcard DV certs. That will make them even more useful.
@duodec Yes, in January IIRC
@duodec Now if only my stupid Asus router would get a real cert via Let's Encrypt or some cool magic like the Plex guys did, life would be good.
Someone needs to figure out how to get trusted for home private network TLS/SSL for the admin interfaces for all these smart devices.
BTW, the Plex solution is brilliant.
@mike808 there would be no point. Your Asus router does not have a unique domain.
The thing that a cert gives you is some confidence that the server you’re connecting to really is google.com, and not the NSA or some other evil organization. If you connect to 192.168.1.1 from inside your own network, it’d be a neat trick to have that not be your router.
It’d further be kind of pointless / hard for a certificate authority to actually add any confidence to what you already have, practically speaking. How do they know that you at home are really, “Mike’s router” … vs “no, no, not that Mike. He’s two houses down with his identical non publicly routable web server.”
Oh, and you could look into certificate pinning. That’d be more trustworthy than involving a Certificate Authority in any case.
@InnocuousFarmer You're missing the point. I just want my browser to trust the certificate my router has to secure its internal admin web interface with. So that hostile IoT devices (like a compromised security cam) aren't trying to attack my router. Or the admin web interface for those web cams.
Yes, it’s not publicly routable. The browser doesn’t know that. But it also doesn’t trust self-signed certs or other CAs that I //MUST// manually add, however Joe Mehrica has to do that, for every system and device in his home network that needs a secure web admin interface. Not everyone is a network engineer or a PKI expert.
And my router does have a default domain hostname - router.asus.com.
Since only the public CAs are trusted by default in browsers and devices, the cert must come from one of them. Plex solved the problem with a custom DNS nameserver and a convention. It’s tied to your Plex account, so there’s no reason any other device or even generic account-based service couldn’t do the same, and give everyone free //usable out-the-box// secured admin interfaces for any home network device, from your smart TV (with your Netflix, Amazon, Hulu, HBO2Go, etc credentials stored in it, possibly with payment info), your security webcams, to your router, thermostats, IoT devices, Amazon, Google, or Apple audio controlled devices. As in “Alexa, order three seventy inch tee vees and deliver to … Romania …”. Or use your router to redistribute illegal content or use your devices to mine bitcoins.
That's why it's important. Not that we shouldn't do it just because there is already a far more technical way to DIY. We didn't say "don't bother with farming with tractors because we already have slave labor", did we?
Securing home networks should be the default, not the exception, or require deep technical expertise and skill.
@InnocuousFarmer “The thing that a cert gives you is some confidence that the server you’re connecting to really is google.com, and not the NSA or some other evil organization. If you connect to 192.168.1.1 from inside your own network, it’d be a neat trick to have that not be your router.”
If I have a publicly trusted certificate for “my.device.io” where the DNS for device.io resolves to 192.168.1.68, then 1) my browser doesn’t complain with scary warnings, and 2) that IP is on my network, so yeah, it //really is on my network// and not somewhere else. That’s the point.
PS. Please read how Plex did this and gave everyone FREE PUBLICLY TRUSTED certs for securing with TLS/SSL your internal network connections from the Plex clients. They also get bonus points for securing external connections to your Plex server as well, regardless of your home’s external IP address.
There is no reason this can’t be done in the exact same way for every device on your home network with an admin interface that should be secured out-of-the-box from day zero by design.
@InnocuousFarmer "you could look into certificate pinning"
I don’t want to have to figure out how to make whatever device I’m working with do that, even if that were possible (HPKP is a server feature and therefore controlled by the device manufacturer, not the device user/owner), and I don’t want to have to mess with CAs either.
I don't want to have to look into anything. It should be just part of the device and work with any browser by default. I shouldn't have to register a domain or set up a split-horizon dyn-dns just to run a smart TV or a security cam on my home network; plug it in and it works and it is secure, and I don't have to worry about the browser-based admin interface getting hacked by other devices with shitty security, where the manufacturer doesn't tell buyers just how shitty their security (or total lack thereof) is, which is pretty much all of them.
But it's a chicken and egg problem. If your device needs a certificate, where do you get one (what CA will issue it) and how do you deliver it or set up your service DNS binding to pass the browser sniff test (URL hostname = server cert CN or SAN)?
That’s what Plex solved, and it is brilliant, because it can be scaled to any other system. For the price of a domain name.
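The "browser sniff test" mentioned above is a well-defined rule, and a short implementation makes the router-versus-Plex debate concrete. This is an added example, not Plex's code or anything from the thread: it applies the RFC 6125 name-matching rules to the `subjectAltName` list of an `ssl.getpeercert()`-style dict, covering exact DNS names, single-label wildcards (the kind Let's Encrypt was said to be adding), and IP-address entries. The certificate dictionaries are constructed samples; `router.asus.com` and `192.168.1.1` are simply the names used in the thread, not a description of any real device's certificate.

```python
import ipaddress


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one DNS SAN entry against a URL hostname.

    A '*' is honoured only as the entire leftmost label and matches exactly one
    label, so '*.device.example' covers 'abc.device.example' but neither
    'device.example' nor 'a.b.device.example'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject bare '*' / '*.tld' patterns and hostnames with a different label count.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, url_host):
    """True if url_host satisfies the certificate's subjectAltName list.

    cert is a dict in the shape ssl.SSLSocket.getpeercert() returns; SAN entries
    look like ('DNS', 'name') or ('IP Address', '192.0.2.1'). Only SANs are
    consulted, matching current browser behaviour (no fallback to the CN).
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal in the URL only ever matches an IP Address SAN.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == wanted_ip
                   for kind, val in sans)
    return any(kind == "DNS" and dns_name_matches(val, url_host)
               for kind, val in sans)


# Constructed sample certificates (getpeercert() shape), not real device certs.
ROUTER_CERT = {
    "subject": ((("commonName", "router.asus.com"),),),
    "subjectAltName": (("DNS", "router.asus.com"), ("IP Address", "192.168.1.1")),
}
PLEX_STYLE_CERT = {
    "subject": ((("commonName", "*.device.example"),),),
    "subjectAltName": (("DNS", "*.device.example"),),
}
LEGACY_CN_ONLY_CERT = {
    # No SAN at all: a browser rejects this for every hostname, CN notwithstanding.
    "subject": ((("commonName", "router.asus.com"),),),
}


if __name__ == "__main__":
    for cert, host in [(ROUTER_CERT, "router.asus.com"), (ROUTER_CERT, "192.168.1.1"),
                       (PLEX_STYLE_CERT, "abc123.device.example"),
                       (PLEX_STYLE_CERT, "device.example"),
                       (LEGACY_CN_ONLY_CERT, "router.asus.com")]:
        print(f"{host:>25} -> {'match' if hostname_matches(cert, host) else 'MISMATCH'}")
```

The IP branch is the part that matters for the 192.168.1.1 discussion: a browser never matches an IP literal against a DNS name or the CN, so a device reached only by address needs an `IP Address` SAN, whereas a Plex-style scheme gives the device a public DNS name that resolves to the private address and passes through the DNS branch. Chrome 58 and later ignore the CN entirely and use only SANs, which is why the function does too.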
@mike808 From what I heard Plex spent a lot of money to get that kind of certificate. They are not just issuing certificates, but are actually some sort of CA themselves, restricted to this particular thing, but nonetheless.
Also, I think it's more likely you'll run into XSS or straight-up exploits than anything around certificates. As long as your device is properly issuing and validating its own self-signed certificate, and not using outdated tech (not exactly a given), you'll be fine.
@dashcloud Plex probably spent less than you think. It's not my device that is validating the certificate, it's the client. That means dicking around with my browser and seeing dire warnings about Teh H@kkerz, if I even can dick around with the browser, e.g. the Opera browser in a Nintendo Wii or PS4 or a cable box.
Which is what I'm trying to avoid. All I'm saying is that Plex did it the right way, and there's not really anything stopping someone from doing the same for all home network devices. And maybe getting them from a sub-CA from Let's Encrypt would be more affordable than buying one from Digicert like Plex did. LE just wasn't ready when Plex's plan was already in motion. Now they are.
@mike808 Could pointing a domain to your router using dynamic DNS work?
Edit: never mind, I read your later post
My server cert seems valid.