[Owasp-leaders] Let's Encrypt!

Tom Brennan tomb at owasp.org
Tue Oct 13 23:29:04 UTC 2015


+1. It takes communities locally and globally to build bridges on common beliefs, no-brainer. Kudos to William Budington & Lee Tien for making the time to meet and collaborate at AppSecUSA 2015.


> On Oct 5, 2015, at 6:33 AM, Jim Manico <jim.manico at owasp.org> wrote:
> 
> I hope you have all heard of the "Let's Encrypt" project. "Let's Encrypt" is a free and automated certificate authority (https://letsencrypt.org/). The Mozilla Foundation, the EFF and others have joined forces to build this free service in hopes of making the internet a more secure place.
> 
> "Let's Encrypt" would like the help of the OWASP Community.
> 
> To start with, some assessment of their infrastructure would be a great help to the project. There are a few things people could test immediately without any special access or permission.
> 
> (The following list came from the "Let's Encrypt" project when asked how we could help)
> 
> 1) Boulder application code inspection and local testing. The code is all on GitHub and setting up a local environment is relatively easy. This is extremely valuable; the more people doing this, the better.
> 
> 2) Test against our public endpoints, try to get us to mis-issue or find other security flaws. We strongly prefer that people not be disruptive to others (e.g. no DDOS). We recommend that people who want to do this focus on our public staging system, which is almost an exact copy of the production system. Staging is typically just one step ahead of production, because it's what will be deployed to production next. If someone finds a flaw in staging, such as getting it to mis-issue a cert, we get all the benefits without actually having mis-issued a valid cert.
> 
> 3) Our website (letsencrypt.org). It's just an AWS instance feeding Akamai. The AWS instance is IP restricted so it'll only talk to Akamai. It's not in any way connected to our CA systems. The website is 100% static pages. If people want to look at the site and see if they can spot any issues that'd be great.
> 
> In all cases we expect people to follow best practices for this kind of work (e.g. responsible disclosure, don't harm subscribers). I'm sure OWASP folks won't have any issues here, but I feel obligated to write it out anyway :)
> 
> Any testing/auditing that requires access to confidential information or our internal systems gets difficult quickly. We'd have to take care of a number of legal and compliance issues (NDAs at a bare minimum), and we'd have to carve out staff time for cooperation. We have three security-related audits scheduled already, so we'd have to schedule anything involving special access for some time in Q2 2016 or later.
> 
> It's really easiest if we can organize an OWASP effort that doesn't require access to confidential/restricted Let's Encrypt stuff. Fortunately doing so should be easy and still very valuable.
> 
> In general the best way for testers to be in touch with the right people at Let's Encrypt is via the mailing lists (e.g. ca-dev at letsencrypt.org) and our community site (https://community.letsencrypt.org/). We also hang out on IRC all the time. And of course, security flaws can/should be reported to security at letsencrypt.org.
> 
> ***
> 
> While I am not affiliated with the EFF, Mozilla or the Let's Encrypt project, more widespread use of HTTPS is something I feel strongly about. Please consider helping if you can! Thank you all for considering.
> 
> Aloha,
> Jim Manico