[Owasp-cape-town] Fwd: [Owasp-leaders] Let's Encrypt!

Christo christo.goosen at owasp.org
Tue Oct 6 12:17:15 UTC 2015


This is from the OWASP Leaders list. Great project to support.


-------- Forwarded Message --------
Subject: 	[Owasp-leaders] Let's Encrypt!
Date: 	Sun, 4 Oct 2015 23:33:40 -0500
From: 	Jim Manico <jim.manico at owasp.org>
To: 	owasp-leaders at lists.owasp.org <owasp-leaders at lists.owasp.org>,
owasp-community at lists.owasp.org <owasp-community at lists.owasp.org>

I hope you have all heard of the "Let's Encrypt" project. "Let's
Encrypt" is a free and automated certificate authority.
https://letsencrypt.org/ The Mozilla foundation, the EFF and others have
joined forces to build this free service in hopes of making the internet
a more secure place.

"Let's Encrypt" would like the help of the OWASP Community.

To start with, some assessment of their infrastructure would be a great
help to the project. There are a few things people could test
immediately without any special access or permission.

(The following list came from the "Let's Encrypt" project when asked how
we could help)

1) Boulder application code inspection and local testing. The code is
all on github and setting up a local environment is relatively easy.
This is extremely valuable, the more people doing this the better.

2) Test against our public endpoints, try to get us to mis-issue or find
other security flaws. We strongly prefer that people not be disruptive
to others (e.g. no DDOS). We recommend that people who want to do this
focus on our public staging system, which is almost an exact copy of the
production system. Staging is typically just one step ahead of
production, because it's what will be deployed to production next. If
someone finds a flaw in staging, such as getting it to mis-issue a cert,
we get all the benefits without actually having mis-issued a valid cert.

3) Our website (letsencrypt.org). It's just an
AWS instance feeding Akamai. The AWS instance is IP restricted so it'll
only talk to Akamai. It's not in any way connected to our CA systems.
The website is 100% static pages. If people want to look at the site and
see if they can spot any issues that'd be great.

In all cases we expect people to follow best practices for this kind of
work (e.g. responsible disclosure, don't harm subscribers). I'm sure
OWASP folks won't have any issues here, but I feel obligated to write it
out anyway :)

Any testing/auditing that requires access to confidential
information or our internal systems gets difficult quickly. We'd have to
take care of a number of legal and compliance issues (NDAs at a bare
minimum), and we'd have to carve out staff time for cooperation. We have
three security-related audits scheduled already, so we'd have to
schedule anything involving special access for some time in Q2 2016 or

It's really easiest if we can organize an OWASP effort that doesn't
require access to confidential/restricted Let's Encrypt stuff.
Fortunately doing so should be easy and still very valuable.

In general the best way for testers to be in touch with the right people
at Let's Encrypt is via the mailing lists (e.g. ca-dev at letsencrypt.org)
and our community site
(https://community.letsencrypt.org/). We also hang out on IRC all the
time. And of course, security flaws can/should be reported to
security at letsencrypt.org.


While I am not affiliated with the EFF, Mozilla or the Let's Encrypt
project, more widespread use of HTTPS is something I feel strongly
about. Please consider helping if you can! Thank you all for considering.

Jim Manico

