[Ach] bettercrypto.org certificate has expired today

Aaron Zauner azet at azet.org
Tue Mar 14 06:51:07 CET 2017


* L. Aaron Kaplan <kaplan at cert.at> [08/03/2017 22:19:07] wrote:
> 
> > On 08 Mar 2017, at 14:00, Jeroen Massar <jeroen at massar.ch> wrote:
> > 
> > On 2017-02-25 10:31, Peter J. Holzer wrote:
> > [..]
> >> So it's a good idea to either restart the server immediately
> >> after obtaining a new certificate or have some other cron job which
> >> restarts the server regularly.
> > 
> > Only do that after doing a 'nginx configtest' or similar, otherwise
> > you end up with a broken system....
> > 
> > Indeed, the moving parts of Let's Encrypt are not so much fun. What if
> > LE goes down for a few days because somebody DDoSses them to nowhere...
> > lots of unhappy websites there will be.
> > 
> 
> On a related note: Otmar of CERT.at did a recent re-evaluation of the distribution of CAs for
> all certificates on a ".at" domain (web server or mail server).
> And Let's Encrypt was I believe number 3 already!
> 
> 
> So, yes, this is a nice SPoF / single point of attack.

Well. Not really.

Let's Encrypt itself is a distributed highly-available service and
it's fronted by Akamai. So they have *proper* DDoS protection. If
someone manages to DDoS Akamai into oblivion they'll take large
parts of the internet down anyhow. Not saying it's perfect, but I
cannot think of much more a Free CA can do (I doubt that most
commercial ones have this kind of protection for all their critical
services - and I'm sure a lot of government CAs don't).

Aaron
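The "restart only after a config test" advice quoted above, written out as a post-renewal hook. This is an added example, not a script from the thread or from any ACME client: it assumes nginx (`nginx -t` for the test, a `systemctl reload` rather than a full restart) and optionally checks with `openssl x509 -checkend` that the certificate being deployed is not itself about to expire; both commands are overridable so the logic can be exercised on a machine without nginx.

```shell
#!/bin/sh
# Added example (not from the thread): pick up a freshly issued certificate
# only if the web server's configuration still passes its self-test, so a
# cron job or ACME deploy hook never restarts the server into a broken state.
# Defaults assume nginx; override the variables to adapt or to test offline.
CONFIGTEST_CMD="${CONFIGTEST_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
# Optional: path to the certificate about to be served; if set, refuse to
# reload when it expires within MIN_VALID_SECS (default 1 day).
CERT_PATH="${CERT_PATH:-}"
MIN_VALID_SECS="${MIN_VALID_SECS:-86400}"

# Returns 0 if the reload was performed, 1 if it was skipped.
# On a skip the server keeps running with its previous config and cert,
# which is the lesser evil compared to a failed restart.
safe_reload() {
    if [ -n "$CERT_PATH" ]; then
        # openssl x509 -checkend exits non-zero if the cert expires within N seconds
        if ! openssl x509 -noout -checkend "$MIN_VALID_SECS" -in "$CERT_PATH" 2>/dev/null; then
            echo "certificate $CERT_PATH expires within ${MIN_VALID_SECS}s; not reloading" >&2
            return 1
        fi
    fi
    if $CONFIGTEST_CMD >/dev/null 2>&1; then
        $RELOAD_CMD
        return $?
    fi
    echo "config test failed; not reloading, old certificate stays active" >&2
    return 1
}

# Typical use: call this from cron after the renewal run, or as the ACME
# client's deploy hook, instead of an unconditional restart.
# safe_reload
```

The certificate pre-check is what would have caught the situation in the subject line: a renewal that produced an already-expired or never-replaced file does not get pushed live.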


