
The EFF's 'Let's Encrypt' Plans Wildcard Certificates For Subdomains (letsencrypt.org) 111

Long-time Slashdot reader jawtheshark shares an announcement from the EFF's free, automated, and open TLS certificate authority at LetsEncrypt.org: "Let's Encrypt will begin issuing [free] wildcard certificates in January of 2018... A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier."
58% of web traffic is now encrypted, Let's Encrypt reports, crediting in part the 47 million domains they've secured since December of 2015. "Our hope is that offering wildcards will help to accelerate the Web's progress towards 100% HTTPS," explains their web page, noting that they're announcing the wildcard certificates now in conjunction with a request for donations to support their work.
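
An added example, not part of the original story or of Let's Encrypt's code: how a TLS client decides whether a name such as *.example.com covers a hostname, following the common RFC 6125 matching rules in simplified form (ASCII names, whole-label wildcards only). The function names and the sample hostnames are constructed for illustration.

```python
# Added illustration: simplified RFC 6125-style wildcard name matching.
# Assumptions: ASCII hostnames, only a whole-label "*" is honoured,
# and all hostnames below are constructed samples.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never absorbs extra labels, so the label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse overly broad names such as "*.com": require at least two
        # labels after the wildcard (a stand-in for a public-suffix check).
        if len(p_labels) < 3:
            return False
        # "*" stands for exactly one leftmost label; the rest must be equal.
        return p_labels[1:] == h_labels[1:]
    # A "*" anywhere other than the whole leftmost label is not honoured.
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def uncovered(cert_names, hostnames):
    """List the hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(wildcard_matches(p, h) for p in cert_names)]


SAMPLE_HOSTS = ["example.com", "www.example.com",
                "test.example.com", "env1.qa.example.com"]

if __name__ == "__main__":
    for names in (["*.example.com"],
                  ["example.com", "*.example.com"],
                  ["example.com", "*.example.com", "*.qa.example.com"]):
        print(names, "leaves uncovered:", uncovered(names, SAMPLE_HOSTS))
```

A lone *.example.com entry leaves both the bare domain and the two-level name env1.qa.example.com uncovered, so a certificate needs the base name and a further wildcard per additional subdomain level.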
  • Damn, I thought I was going to get first post AND call out a dupe, but damnit I was beaten!

    1 out of 2 ain't bad.

    "Haven't we seen story this before?"

    -JG

    • by Anonymous Coward

      Been using wildcard certs for over a decade. Why is this news?

      If they want to improve things change it so a company only needs to buy for one top level domain (mycompany.com) and any depth of subdomains from that can use the cert (mycompany.com, test.mycompany.com, env1.qa.mycompany.com, etc...).
       

      • by tepples ( 727027 )

        I think the news is that you won't have to spend beaucoup bucks per year for such a certificate.

    • 100% https...3 times...Internet, Intranet & Extranet supported via VPN...gotta keep the vendors happy.
  • by yayoubetcha ( 893774 ) on Saturday July 08, 2017 @12:09PM (#54769739)

    *.yes!

  • I just don't see why it has to wait until January of 2018 to implement.
    • Because they have to implement the support and test it. I'm sure they would love to sprinkle magic faerie dust and it would just work, but that isn't how technology works ... unless you are Agile. Agile is magic faerie dust.
  • I pay $15 per month for VPS web hosting at DreamHost [dreamhost.com] and get "Let's Encrypt" certificates for free on my domains and subdomains. Other options included self-signed (free) and Comodo (paid) certificates.
  • by yayoubetcha ( 893774 ) on Saturday July 08, 2017 @02:05PM (#54770349)

    When Let's Encrypt announced their implementation plan, I recall a slashdotter saying "what about wildcards?" I said, "Give 'em time, they will. However, there is a lot of infrastructure and code that needs to get worked out. Be patient"

    Now, with this announcement they are doing wildcards. No surprise to me. And, I am thrilled.

  • LetsEncrypt is a good idea because it makes certificates accessible to a wider range of users. I've been doing systems engineering work for quite a while, but haven't really concentrated on web stuff. When I got involved with a public-facing web project at work lately, I noticed there really is a lot to the TLS system and certificates once you get beyond internally-trusted certificates. Most places did the legwork for certificate acquisition years ago, but setting something up from scratch requires that you

  • There is no fucking need for EVERYONE to be running HTTPS.
    • by Anonymous Coward

      Yes, yes everyone should be running HTTPS. There is NO reason for any internet connected device to be communicating using HTTP. HTTP is a primary target for "enrichment", redirection and other payload manipulations. HTTPS is the only way to go.

      There is no reason not to use HTTPS. The days of low CPU devices are LONG gone. Recent technology improvements such as QUIC and HTTP2 (over TLS) are encrypted by default. QUIC eliminates the round trip time for TLS setups - it's easily as network efficient as H

      • It's not about CPU usage. Certs add a huge administration overhead, and need to be maintained. A static webpage with some contact info does not need HTTPS. Further, I REALLY don't like the idea that is starting to shape up that if you don't have a cert, you shouldn't be on the web. HTTPS is a tool for SOME jobs, not all HTTP, everywhere. That is just plain retarded. I shouldn't have to get permission from a third party to run a dead simple webpage. There ABSOLUTELY 100% are reasons to not need HTTPS. You are a f
        • Glad to see I'm not the only one going "WTH?". I mean can anybody explain to me why the static page I'm looking at with 70s Mego figures NEEDS to be HTTPS? How about the one I'm looking at with the history of Squier guitars? Anyone? Bueller?

          For every page that could use HTTPS I'm sure there are at least 1000 where it makes no damned sense at all. If the page is static, you don't log into anything there, it's just good old txt and jpg...what good is HTTPS gonna do it?

          • In general, that kind of page doesn't need to be encrypted.

            However, encrypting connections to websites makes it harder for bad guys to sabotage someone's connection to the website and inject malware/ads etc. A free and easy to get and use SSL cert provides some protection for very little cost, hence the push to get as much of the web encrypted as possible.

            There's also an issue where people might be trying to analyse traffic and it could be of some advantage for them to know when you're visiting "secr
            • I don't believe in an internet where you need blessing from a third party to participate. 100% HTTPS as the system is currently implemented is outright folly. Let me easily self-sign and I'll be more on-board.
              • Self-signing is easy enough but has security issues. The client has no way to determine who did the signing - it could be the website owner or it could be a man-in-the-middle.

                Using HTTPS everywhere is more about protecting client computers (and their data) rather than needing a third-party's blessing. LetsEncrypt is a major step in lowering the barrier to let everyone run HTTPS easily and for free. It's designed to be easy to automate, so all you have to do is set up your web server to allow the specific
                • Again, I don't believe in a web where you need a third party to vet you to participate. It's an INCREDIBLY ugly road. I like the HTTPS initiative, but I hate hate hate people pushing 100% HTTPS. We are all trained in absolutes and exceptions here, don't you think 100% HTTPS could have some nasty downsides?
                  • Nope. A simple analogy would be to use the postal system. Imagine that HTTP is like people sending each other postcards. Anyone can read them whilst in transit and also alter them. HTTPS would be equivalent to everyone sending letters in sealed envelopes (maybe with old-time wax seals on them). Now I understand that you don't want to be funding the BIG envelope corps, but here's an initiative that provides free envelopes (although they bio-degrade after 90 days which some people think is awkward).

                    The bigg
            • Uhhh we haven't been seeing MITM attacks in ages, hell I can't even remember the last time...what we are seeing is state actors which HTTPS ain't gonna do shit about. As McAfee rightly pointed out "It's not the connection to the device, it's the devices themselves that we are finding are being infected at the source, their production."

              And you still haven't answered the other guy who rightly points out why having the Internet require third parties to "vet you" is a BAD IDEA, hell look at Facebook and Twitter c

              • I've seen MITM attacks at several wifi hotspots. Airports are a particular favourite place for people to set up a rogue hotspot and grab loads of credentials. To be honest, the safest way to use hotspots is to encrypt everything by using a VPN, but at least HTTPS will give you some warning (invalid certificates) if you do connect to a rogue hotspot without using a VPN.

                I'm not understanding the "vetting" issue with LetsEncrypt - they don't do anything except determine that you have control of the domain. I
    • by Anonymous Coward

      According to the Snowden documents, because it used strictly http and avoided https, for a long time three letter agencies manipulated the slashdot.org website when it was viewed by network administrators at large corporations when they were on their break. They planted exploits in the traffic to infiltrate the admin and their network. They were specifically targeting I.T. administrators in that campaign in order to slip exploits into products and services used by Americans and increase spying capability. T
