[Owasp-leaders] Let's Encrypt!

Jim Manico jim.manico at owasp.org
Mon Oct 5 04:33:40 UTC 2015


I hope you have all heard of the "Let's Encrypt" project. "Let's 
Encrypt" is a free and automated certificate authority. 
https://letsencrypt.org/ The Mozilla foundation, the EFF and others have 
joined forces to build this free service in hopes of making the internet 
a more secure place.

"Let's Encrypt" would like the help of the OWASP Community.

To start with, some assessment of their infrastructure would be a great 
help to the project. There are a few things people could test 
immediately without any special access or permission.

(The following list came from the "Lets Encrypt" project when asked how 
we could help)

1) Boulder application code inspection and local testing. The code is 
all on github and setting up a local environment is relatively easy. 
This is extremely valuable, the more people doing this the better.

2) Test against our public endpoints, try to get us to mis-issue or find 
other security flaws. We strongly prefer that people not be disruptive 
to others (e.g. no DDOS). We recommend that people who want to do this 
focus on our public staging system, which is almost an exact copy of the 
production system. Staging is typically just one step ahead of 
production, because it's what will be deployed to production next. If 
someone finds a flaw in staging, such as getting it to mis-issue a cert, 
we get all the benefits without actually having mis-issued a valid cert.

3) Our website (letsencrypt.org <http://letsencrypt.org>). It's just an 
AWS instance feeding Akamai. The AWS instance is IP restricted so it'll 
only talk to Akamai. It's not in any way connected to our CA systems. 
The website is 100% static pages. If people want to look at the site and 
see if they can spot any issues that'd be great.

In all cases we expect people to follow best practices for this kind of 
work (e.g. responsible disclosure, don't harm subscribers). I'm sure 
OWASP folks won't have any issues here, but I feel obligated to write it 
out anyway :)

Anything testing/auditing that requires access to confidential 
information or our internal systems gets difficult quickly. We'd have to 
take care of a number of legal and compliance issues (NDAs at a bare 
minimum), and we'd have to carve out staff time for cooperation. We have 
three security-related audits scheduled already, so we'd have to 
schedule anything involving special access for some time in Q2 2016 or 
later.

It's really easiest if we can organize an OWASP effort that doesn't 
require access to confidential/restricted Let's Encrypt stuff. 
Fortunately doing so should be easy and still very valuable.

In general the best way for testers to be in touch with the right people 
at Let's Encrypt is via the mailing lists (e.g. ca-dev at letsencrypt.org 
<mailto:ca-dev at letsencrypt.org>) and our community site 
(https://community.letsencrypt.org/). We also hang out on IRC all the 
time. And of course, security flaws can/should be reported to 
security at letsencrypt.org <mailto:security at letsencrypt.org>.

***

While I am not affiliated with the EFF, Mozilla or the Let's Encrypt 
project, more widespread use of HTTPS is something I feel strongly 
about. Please consider helping if you can! Thank you all for considering.

Aloha,
Jim Manico


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151004/e3e6e249/attachment.html>


More information about the OWASP-Leaders mailing list