[Owasp-leaders] [Owasp-community] Let's Encrypt!

Timo Goosen timo.goosen at owasp.org
Wed Oct 7 09:14:08 UTC 2015

I suggest they create a page on their website about security. Then they can
also create a profile on either hackerone or bugcrowd. There are various
charities on both.


On Mon, Oct 5, 2015 at 6:33 AM, Jim Manico <jim.manico at owasp.org> wrote:

> I hope you have all heard of the "Let's Encrypt" project. "Let's Encrypt"
> is a free and automated certificate authority. https://letsencrypt.org/
> The Mozilla foundation, the EFF and others have joined forces to build this
> free service in hopes of making the internet a more secure place.
> "Let's Encrypt" would like the help of the OWASP Community.
> To start with, some assessment of their infrastructure would be a great
> help to the project. There are a few things people could test immediately
> without any special access or permission.
> (The following list came from the "Lets Encrypt" project when asked how we
> could help)
> 1) Boulder application code inspection and local testing. The code is all
> on github and setting up a local environment is relatively easy. This is
> extremely valuable, the more people doing this the better.
> 2) Test against our public endpoints, try to get us to mis-issue or find
> other security flaws. We strongly prefer that people not be disruptive to
> others (e.g. no DDOS). We recommend that people who want to do this focus
> on our public staging system, which is almost an exact copy of the
> production system. Staging is typically just one step ahead of production,
> because it's what will be deployed to production next. If someone finds a
> flaw in staging, such as getting it to mis-issue a cert, we get all the
> benefits without actually having mis-issued a valid cert.
> 3) Our website (letsencrypt.org). It's just an AWS instance feeding
> Akamai. The AWS instance is IP restricted so it'll only talk to Akamai.
> It's not in any way connected to our CA systems. The website is 100% static
> pages. If people want to look at the site and see if they can spot any
> issues that'd be great.
> In all cases we expect people to follow best practices for this kind of
> work (e.g. responsible disclosure, don't harm subscribers). I'm sure OWASP
> folks won't have any issues here, but I feel obligated to write it out
> anyway :)
> Anything testing/auditing that requires access to confidential information
> or our internal systems gets difficult quickly. We'd have to take care of a
> number of legal and compliance issues (NDAs at a bare minimum), and we'd
> have to carve out staff time for cooperation. We have three
> security-related audits scheduled already, so we'd have to schedule
> anything involving special access for some time in Q2 2016 or later.
> It's really easiest if we can organize an OWASP effort that doesn't
> require access to confidential/restricted Let's Encrypt stuff. Fortunately
> doing so should be easy and still very valuable.
> In general the best way for testers to be in touch with the right people
> at Let's Encrypt is via the mailing lists (e.g. ca-dev at letsencrypt.org)
> and our community site (https://community.letsencrypt.org/). We also hang
> out on IRC all the time. And of course, security flaws can/should be
> reported to <security at letsencrypt.org>security at letsencrypt.org.
> ***
> While I am not affiliated with the EFF, Mozilla or the Let's Encrypt
> project, more widespread use of HTTPS is something I feel strongly about.
> Please consider helping if you can! Thank you all for considering.
> Aloha,
> Jim Manico
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151007/07e61d99/attachment.html>

More information about the OWASP-Leaders mailing list