michael orlitzky

Let's not Encrypt

Let's Discuss the organization providing a false sense of security at an unbeatable price.

Update 2019-05-10: Mozilla, a Let's Encrypt Platinum Sponsor, experiences some minor embarrassment this week as every Firefox install in existence disables all of its add-ons at once. The cause? An expired certificate: the intermediate that signs add-ons ran out, and Firefox refused to trust anything it had signed. (Maybe they should use Let's Encrypt?) This quote is gold:

First, we should have a much better way of tracking the status of everything in Firefox that is a potential time bomb and making sure that we don’t find ourselves in a situation where one goes off unexpectedly.

Eric Rescorla, CTO of the Firefox team at Mozilla

My medical opinion: if it hurts, maybe you should stop doing it.

Background

Google is running a thinly-veiled protection racket, marking normal safe websites as “not secure.” Unless, of course, you pay them. You can make the warning go away by paying a third-party—who then pays Google—to sign your website's SSL certificate. Some otherwise-smart people are convinced that this is fine, because the Let's Encrypt project is signing those certificates for free at the moment. It's a scam.

Let's See

The certificates provide no security

The way you prove your identity to Let's Encrypt is the same as with other certificate authorities: you don't, really. In the usual (HTTP-01) challenge, you place a file at a well-known path on your website, and the CA fetches that file over plain, unauthenticated HTTP to confirm that you control the site. (The DNS variant publishes a TXT record instead, which without DNSSEC is no better.) The one attack that signed certificates are meant to prevent is a man-in-the-middle attack. But anyone positioned to man-in-the-middle your website can intercept the certificate validation, too: he answers the CA's request himself and gets a certificate for your name issued to his own account. In other words, Let's Encrypt certificates don't stop the one thing they're supposed to stop.

And, as always with the certificate authorities, a thousand murderous theocracies, advertising companies, and international spy organizations are allowed to impersonate you by design.
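To make the validation step concrete, here is a small simulation of the ACME HTTP-01 exchange. It is an added example, not code from this page or from Let's Encrypt: the key authorization and thumbprint follow RFC 8555 and RFC 7638, but the account keys, the domain name and the token are constructed placeholders, and the "network" is a function call rather than a real HTTP GET. It shows the CA accepting the legitimate owner, rejecting a stranger, and then accepting that same stranger once he sits between the CA and the site.

```python
"""
Simulated ACME HTTP-01 validation.  Added example with constructed keys and
domain; nothing here is real key material or real Let's Encrypt code.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the string the CA expects to read back over HTTP."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class Site:
    """The web server under validation.  It knows only its own account's
    key authorizations."""
    def __init__(self):
        self.challenges = {}

    def provision(self, token: str, account_jwk: dict) -> None:
        self.challenges[token] = key_authorization(token, account_jwk)

    def handle(self, path: str):
        if path.startswith(CHALLENGE_PREFIX):
            return self.challenges.get(path[len(CHALLENGE_PREFIX):])
        return None


def validate_http01(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """The CA side.  `fetch(domain, path)` stands in for a plain-HTTP GET.  The
    CA has no prior key for the domain, so whoever answers that GET wins."""
    body = fetch(domain, CHALLENGE_PREFIX + token)
    return body is not None and body.strip() == key_authorization(token, account_jwk)


# Constructed sample data: the JWK shapes are right, the values are placeholders.
VICTIM_DOMAIN = "example.test"
VICTIM_ACCOUNT = {"kty": "RSA", "e": "AQAB", "n": "victim-modulus-placeholder"}
ATTACKER_ACCOUNT = {"kty": "RSA", "e": "AQAB", "n": "attacker-modulus-placeholder"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # token-shaped constant

victim_site = Site()


def honest_network(domain: str, path: str):
    """Traffic reaches the real server."""
    return victim_site.handle(path) if domain == VICTIM_DOMAIN else None


def make_mitm(attacker_jwk: dict):
    """An attacker between the CA's validator and the site.  He never needs the
    victim's account key: he answers the CA's GET with a key authorization for
    HIS OWN account, which is exactly what the CA is checking for."""
    def intercepted_network(domain: str, path: str):
        if domain == VICTIM_DOMAIN and path.startswith(CHALLENGE_PREFIX):
            return key_authorization(path[len(CHALLENGE_PREFIX):], attacker_jwk)
        return honest_network(domain, path)
    return intercepted_network


def run_scenarios() -> dict:
    victim_site.provision(TOKEN, VICTIM_ACCOUNT)
    return {
        "owner_passes": validate_http01(
            VICTIM_DOMAIN, TOKEN, VICTIM_ACCOUNT, honest_network),
        "attacker_fails_without_mitm": validate_http01(
            VICTIM_DOMAIN, TOKEN, ATTACKER_ACCOUNT, honest_network),
        "attacker_passes_with_mitm": validate_http01(
            VICTIM_DOMAIN, TOKEN, ATTACKER_ACCOUNT, make_mitm(ATTACKER_ACCOUNT)),
    }


if __name__ == "__main__":
    print(run_scenarios())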

Automatic renewal is insecure

The official way to renew Let's Encrypt certificates is automatically, with a tool called certbot. It fetches a freshly issued certificate from a server on the internet that nobody on your side has inspected, writes it into your web server's configuration, and reloads the server, all as root. If that sounds dumb, then good for you, because it is.

All web servers treat certificate data as trusted: they expect it to have been verified as safe and correct by the system administrator. No sanity checks are performed, and if the contents of your certificate are malicious or erroneous, then you're going to have a bad time. For example, a single incorrect byte in one certificate file will keep your entire Apache server from starting, every virtual host included, not just the one whose certificate is bad. This isn't something that anyone is going to fix, because only in the darkest timeline would certificates be obtained automatically from strangers on the internet and fed directly into the web server as root. The best thing that can happen when an automated renewal goes wrong is that only one of your websites breaks.

Since certbot obtains certificates automatically from strangers on the internet and feeds them into your web server as root, and given that the extra security afforded by those certificates is negligible, we have a cure that is worse than the disease. Let's Encrypt introduces real risks to solve imaginary problems.
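The check a practitioner wants in front of that reload is simple: parse the new certificate and match it against its key somewhere harmless, and only then let it near the live server. The following is an added example, not certbot's code or any deploy hook the page describes. It uses only the Python standard library; the corrupt certificate and the placeholder "previous good certificate" are constructed for the demonstration, and the paths are whatever you pass in.

```python
"""
Added example: refuse to hand a certificate to the web server until it has
been parsed and matched against its private key.  Standard library only.
"""
import os
import ssl
import sys
import tempfile


def certificate_loads(cert_path: str, key_path: str) -> bool:
    """Load the chain into a throwaway TLS context.  OpenSSL parses the PEM,
    the DER inside it, and checks that the private key matches the leaf; any
    of those failing raises ssl.SSLError.  Nothing here touches the live server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (ssl.SSLError, OSError):
        return False
    return True


def install_if_valid(new_cert: str, new_key: str,
                     live_cert: str, live_key: str) -> bool:
    """Validate first; only then replace the live files atomically, so the
    server never sees a half-written or corrupt file on its next reload.
    A failed validation leaves the old certificate in service untouched."""
    if not certificate_loads(new_cert, new_key):
        return False
    os.replace(new_cert, live_cert)
    os.replace(new_key, live_key)
    return True


# Constructed sample: a PEM wrapper around bytes that are not a certificate,
# standing in for the "single incorrect byte" case.
CORRUPT_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBADCCAQAwggEA\n"
    "-----END CERTIFICATE-----\n"
)
CORRUPT_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "AAAA\n"
    "-----END PRIVATE KEY-----\n"
)


def demo_corrupt_certificate_is_rejected() -> dict:
    """Run the install step against the constructed corrupt files and report
    whether anything was installed and whether the live file survived."""
    with tempfile.TemporaryDirectory() as d:
        new_cert, new_key = os.path.join(d, "new.crt"), os.path.join(d, "new.key")
        live_cert, live_key = os.path.join(d, "live.crt"), os.path.join(d, "live.key")
        with open(new_cert, "w") as f:
            f.write(CORRUPT_CERT_PEM)
        with open(new_key, "w") as f:
            f.write(CORRUPT_KEY_PEM)
        with open(live_cert, "w") as f:
            f.write("previous good certificate (placeholder)\n")
        installed = install_if_valid(new_cert, new_key, live_cert, live_key)
        with open(live_cert) as f:
            live_unchanged = f.read().startswith("previous good")
    return {"installed": installed, "live_unchanged": live_unchanged}


if __name__ == "__main__":
    if len(sys.argv) == 5:
        # Usage: script NEW_CERT NEW_KEY LIVE_CERT LIVE_KEY
        sys.exit(0 if install_if_valid(*sys.argv[1:5]) else 1)
    print(demo_corrupt_certificate_is_rejected())
```

Run it with four paths to stage a real certificate; run it with none to see the corrupt sample refused. Even after this passes, run `apachectl configtest` before `apachectl graceful`, since the certificate is only one of the inputs a reload can choke on, and keep the validation step out of root's hands where you can: it needs read access to the new files and write access to the live ones, nothing more.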

“But you don't have to use certbot,” say the people who haven't thought very hard about it. And they're right: you always have options. You can renew certificates manually, but

Manual renewal isn't free

Renewing a certificate manually takes about fifteen minutes. Before Google hijacked the standards process, certificates could be valid for five to ten years. And in the past, only a select few websites actually needed certificates. Under those circumstances, fifteen minutes to renew was annoying, yet tolerable.

Let's Encrypt certificates are valid for only three months (and you're told to renew at sixty days rather than ninety, so the real count is higher than what follows). And, thanks to Google, we're talking about installing one on every website. If you have a hundred websites, then on average that's four hundred renewals a year—more than one every day. Every single day. For the rest of your life. Want to go on vacation? Get drunk on Saturday morning and watch cartoons? Get married? You can't, you have certificates to renew that day.

Manual renewal is only free if your time is worthless. And the commitment is truly forever, because

HTTPS is a trap

Once you've moved your websites to HTTPS, there's no going back to plain HTTP. All of the search engines that people use to find your site will list only the HTTPS address, and not the plain-HTTP address.

Normally, when a site changes URLs, you can use a redirect to send visitors to the new address. But if the old address is HTTPS, that doesn't work: the browser has to complete a TLS handshake before it can even receive the redirect, so without a valid certificate it shows a misleading security warning instead of following it. (And if you ever sent a Strict-Transport-Security header, browsers that remember it won't even try plain HTTP for your host until that policy expires.) So, you can never undo the decision to serve your site over HTTPS. This is important, because it means that you need the “free” certificates to be available forever; but,

Let's Encrypt is founded on the benevolence of scoundrels

Let's Encrypt isn't free to run, either. Their 2019 operating budget is 3.6 million U.S. dollars. Most of that is donated by… guess who? Your competitors.

It's bad business to marry yourself to a product or technology that you don't control, and downright quixotic if that technology is owned by your competitors. Let's Encrypt is not your friend; legally speaking, you have no business relationship with them, and they have no obligation to provide you with certificates now or in the future. Knowing that HTTPS is a trap, you should ask yourself: what happens if Let's Encrypt goes away? Do you have a hundred broken websites on your hands? Will you have to pay thousands of dollars every year for the rest of your life to make them work again? The automatic renewal process has already been broken once on purpose.

Or more cynically, what if Google decides to make some money by dropping Let's Encrypt from the list of certificate authorities in Chrome? Same answer? Maybe Let's Encrypt will be around forever, but it's negligent to gamble on that.

It's bad engineering

When you install a certificate with a three-month expiration date, you're saying “I want my website to break in three months unless I show up and tell it not to.” It's a bomb that needs to be disarmed repeatedly, lest it explode. A real engineer wouldn't install a bomb on a bridge, and you shouldn't install one on your website.

Sadly, our profession is one that has no legal, professional, educational, or moral requirements. But, if by some accident you happen to be good at your job, then your instincts should already be telling you that the time-bomb design principle is shitty engineering. Yes, the system is being forced on you by a bunch of assholes. But you still look like an idiot for playing along. If you have any self respect, that should bother you.

It supplants better solutions

So we're spending $3,600,000 every year on certificates that aren't any better than self-signed, and we're asking people to weaken the security on their web servers, and wasting time creating a fragile automated renewal system, completely at the mercy of a third-party whose financial interests are opposed to ours, all to wind up right back where we started with no security and no browser warnings. But that's not the worst part.

The worst part is that Let's Encrypt is preventing us from building a real solution to the problem. The entire certificate authority system is a for-profit scam. It imparts no security whatsoever. But Google gets its money, so it's happy. That means Chrome is happy, and shows no warnings, so the end user is happy too. That makes the website owner happy, and everyone is happy happy happy. But everything is still quite fundamentally fucked. Before Let's Encrypt, people were at least thinking about the problem, motivated by the monetary costs. But now that Let's Encrypt is giving us all pretend security for free, those people have moved on. There is basically no one interested in bringing a minimal amount of security to the world wide web these days.

What to do about it

Not this time. The technical problems are easy to solve. For decades, users of SSH have had a system (save the server's key permanently the first time you connect, and warn loudly if it ever changes) that is optimal in a sense: it works at least as well as any other solution. It's trivial to implement, is completely free, involves no third parties, and lasts forever. To the surprise of absolutely no one, web browsers don't support it. (The nearest thing they ever had, HTTP Public Key Pinning, has since been removed from Chrome.)
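Here is what that SSH-style scheme looks like when written down for HTTPS: a known_hosts-style store keyed by hostname, holding the SHA-256 fingerprint of the server's certificate, filled in on first use and consulted on every later connection. It is an added example, not from this page or any browser; the two "certificates" are constructed byte strings rather than real DER, and the store path is whatever you give it. The real-world input is the DER certificate you get from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`.

```python
"""
Added example: trust-on-first-use pinning for HTTPS, modelled on SSH's
known_hosts.  Sample certificates are constructed byte strings, not real DER.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Persistent host -> fingerprint map, like ~/.ssh/known_hosts."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, cert_der: bytes) -> str:
        """First contact: remember the certificate and carry on.
        Later contacts: the certificate must be the one remembered."""
        seen = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen
            self._save()
            return FIRST_USE
        return MATCH if pinned == seen else MISMATCH

    def _save(self) -> None:
        # Write-then-rename so a crash never leaves a truncated store behind.
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.pins, indent=1))
        os.replace(tmp, self.path)


def should_proceed(outcome: str) -> bool:
    """A mismatch is a hard stop, exactly as SSH treats a changed host key;
    there is no 'continue anyway' button here by design."""
    return outcome != MISMATCH


def demo() -> list:
    """Constructed sample: one host, seen with its original certificate twice,
    then with a different one, then again from a store reloaded from disk."""
    cert_v1 = b"\x30\x82constructed-certificate-v1"
    cert_v2 = b"\x30\x82constructed-certificate-v2"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "known_hosts.json")
        store = PinStore(path)
        results = [
            store.check("example.test", cert_v1),
            store.check("example.test", cert_v1),
            store.check("example.test", cert_v2),
        ]
        # Reopen from disk: the pin survives the process that created it.
        results.append(PinStore(path).check("example.test", cert_v1))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome, "->", "proceed" if should_proceed(outcome) else "abort")
```

Two caveats a deployment would need to settle. First, pinning the whole certificate means every legitimate renewal looks like an attack; pin the server's public key (the SubjectPublicKeyInfo) instead if you want renewals that keep the same key to pass silently. Second, the scheme is only as good as the first contact, which is the same trade SSH makes, and the reason a changed fingerprint has to be a hard failure rather than a warning people click through.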

The main non-technical problem is the vestigial ‘s’ in “web browsers.” No, not that one—the one on the end. Google's abuse recently forced Microsoft to abandon its own browser engine and rebuild Edge on Chromium, the engine under Chrome. Firefox has no market share, largely due to Mozilla's own incompetence, but also thanks in part to sabotage by Google. In any case, Google now controls the one user interface that everyone on the planet uses to access the web. And Google is the main beneficiary of the certificate authority system. They're one of the main sponsors of Let's Encrypt, precisely because Let's Encrypt discourages us from replacing the broken certificate authority system. Let's Encrypt makes their subterfuge socially acceptable and practically palatable.

Google also owns HTML and HTTP, and that's just about everything that makes up “the web.” So long as they do, this battle is lost. No one's going to give up the one free way to make their websites work in Chrome. The law can't help. Your mom can't help, I asked her. Give up and go outside, it's nice out. Seriously, things are only going to get worse.