[Owasp-leaders] [Owasp-community] Let's Encrypt!

Dinis Cruz dinis.cruz at owasp.org
Tue Oct 6 16:15:31 UTC 2015


This is a really good idea and definitely something we as a community should
help out with (and learn from each other)

So ... which Slack channel should we use to talk about current efforts and
activities? (related to Let's Encrypt)
On 6 Oct 2015 12:51 pm, "Jim Manico" <jim.manico at owasp.org> wrote:

> I hope you have all heard of the "Let's Encrypt" project. "Let's Encrypt"
> is a free and automated certificate authority. https://letsencrypt.org/
> The Mozilla foundation, the EFF and others have joined forces to build this
> free service in hopes of making the internet a more secure place.
>
> "Let's Encrypt" would like the help of the OWASP Community.
>
> To start with, some assessment of their infrastructure would be a great
> help to the project. There are a few things people could test immediately
> without any special access or permission.
>
> (The following list came from the "Let's Encrypt" project when asked how we
> could help)
>
> 1) Boulder application code inspection and local testing. The code is all
> on github and setting up a local environment is relatively easy. This is
> extremely valuable, the more people doing this the better.
>
> 2) Test against our public endpoints, try to get us to mis-issue or find
> other security flaws. We strongly prefer that people not be disruptive to
> others (e.g. no DDoS). We recommend that people who want to do this focus
> on our public staging system, which is almost an exact copy of the
> production system. Staging is typically just one step ahead of production,
> because it's what will be deployed to production next. If someone finds a
> flaw in staging, such as getting it to mis-issue a cert, we get all the
> benefits without actually having mis-issued a valid cert.
>
> 3) Our website (letsencrypt.org). It's just an AWS instance feeding
> Akamai. The AWS instance is IP restricted so it'll only talk to Akamai.
> It's not in any way connected to our CA systems. The website is 100% static
> pages. If people want to look at the site and see if they can spot any
> issues that'd be great.
>
> In all cases we expect people to follow best practices for this kind of
> work (e.g. responsible disclosure, don't harm subscribers). I'm sure OWASP
> folks won't have any issues here, but I feel obligated to write it out
> anyway :)
>
> Any testing/auditing that requires access to confidential information
> or our internal systems gets difficult quickly. We'd have to take care of a
> number of legal and compliance issues (NDAs at a bare minimum), and we'd
> have to carve out staff time for cooperation. We have three
> security-related audits scheduled already, so we'd have to schedule
> anything involving special access for some time in Q2 2016 or later.
>
> It's really easiest if we can organize an OWASP effort that doesn't
> require access to confidential/restricted Let's Encrypt stuff. Fortunately
> doing so should be easy and still very valuable.
>
> In general the best way for testers to be in touch with the right people
> at Let's Encrypt is via the mailing lists (e.g. ca-dev at letsencrypt.org)
> and our community site (https://community.letsencrypt.org/). We also hang
> out on IRC all the time. And of course, security flaws can/should be
> reported to security at letsencrypt.org.
>
> ***
>
> While I am not affiliated with the EFF, Mozilla or the Let's Encrypt
> project, more widespread use of HTTPS is something I feel strongly about.
> Please consider helping if you can! Thank you all for considering.
>
> Aloha,
> Jim Manico
>
>
>
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
>
>