1. ValdikSS's Avatar
    As you may know, there are now two certificate authorities who issue X.509 certificates for free, which many HTTPS websites use. They work in all major browsers and operating systems, but unfortunately not on Blackberry.
    By installing the attached certificates you'll get rid of the "Site Blocked" message on some websites.
    Attached Files
    02-16-16 11:54 PM
  2. Richard Buckley's Avatar
    Thank you very much for the tip, and I'm sure you are well-meaning. But it is a very bad security practice to accept any Certificate Authority certificate from an unknown source such as an anonymous poster on a forum site. People should really go to the source. If you want to help, you should describe how they can get the certificate for themselves from the original source.

    LeapSTR100-2/10.3.2.2876
    polytan02 likes this.
    02-17-16 06:39 AM
  3. ValdikSS's Avatar
    Yes, I perfectly understand you and had a thought about whether I should upload it or give links.
    The problem is that you can't download the IdenTrust certificate (which is used by Let's Encrypt) in PEM format from their website (the one in the archive was extracted from a browser while accessing helloworld.letsencrypt.org), and the WoSign certificates are in PEM format but with a .crt extension, which won't be imported by BlackBerry.

    WoSign certificates are the same as on the page
    wosign dot com/english/root.htm
    (can't post links yet)
    02-17-16 07:22 AM
  4. gariac's Avatar
    I'm lost here. Isn't Let's Encrypt for servers?



    Posted via CB10
    02-18-16 08:25 PM
  5. Richard Buckley's Avatar
    Yes.

    But just as a passport has security features so that border guards can authenticate them, a client needs some way to authenticate the server certificate. If your device doesn't have the certificate that matches the identity of the organisation that signed the server certificate, it can not authenticate the server.

    LeapSTR100-2/10.3.2.2876
    02-19-16 04:29 AM
  6. gariac's Avatar
    > Yes.
    >
    > But just as a passport has security features so that border guards can authenticate them, a client needs some way to authenticate the server certificate. If your device doesn't have the certificate that matches the identity of the organisation that signed the server certificate, it can not authenticate the server.

    Eh, that is like dealing with the military websites without having the DoD root store. For most of the stuff on Let's Encrypt, you can just trust the cert when you first encounter the website, right?

    Given that virus peddlers are using Let's Encrypt certs, I'm not so keen to upload their root store.

    I run a few websites and have no plans on using Let's Encrypt. I have a self signed cert for email and that is all I need.



    Posted via CB10
    02-19-16 09:22 AM
  7. Richard Buckley's Avatar
    > Eh, that is like dealing with the military websites without having the DoD root store. For most of the stuff on Let's Encrypt, you can just trust the cert when you first encounter the website, right?
    You can, but how do you know that you are accepting the certificate that is actually from the site? The answer is you don't. Just like if you download the certificate from the link in the OP. How do you know if it is legitimate? You don't.

    > Given that virus peddlers are using Let's Encrypt certs, I'm not so keen to upload their root store.
    >
    > I run a few websites and have no plans on using Let's Encrypt. I have a self signed cert for email and that is all I need.

    Indeed, if you make the certificate, then you can validate it. But you would have a more difficult time validating a self signed certificate I made. That is the issue let's encrypt was set up to solve. Unfortunately the EFF has to some degree let their zeal for ubiquitous encryption blind them to the problem that automatically generated certificates would suffer from similar problems to automatically generated email accounts that have all but disappeared.

    Using self signed certificates for personal sites and keeping your list of Root CAs small are both wise choices.


    LeapSTR100-2/10.3.2.2876
    02-19-16 04:33 PM
  8. gariac's Avatar
    When you have CAs like the Hong Kong Post Office, the whole system is a little shady.

    But aren't we mixing information assurance and encryption? Even a self signed cert provides encryption. But you don't know for sure who you are talking to.

    I set up DKIM for email. That seems like a great way to authenticate yourself. I suppose DNSSEC is the same thing for websites, though I haven't used it.

    Posted via CB10
    02-19-16 10:58 PM
  9. Richard Buckley's Avatar
    > When you have CAs like the Hong Kong Post Office, the whole system is a little shady.
    >
    > But aren't we mixing information assurance and encryption? Even a self signed cert provides encryption. But you don't know for sure who you are talking to.
    >
    > I set up DKIM for email. That seems like a great way to authenticate yourself. I suppose DNSSEC is the same thing for websites, though I haven't used it.

    I'm not. The reason I raised the issue is that downloading the CA certificate from an unauthenticated source breaks site validation.

    The point of having a domain validation certificate is two fold, site authenticity and encryption. If you only want encryption you don't even need self signed certificates. The browser generates a random key pair each time it connects to a server. A server could do the same thing, generate a new key pair for each connection. Browsers would complain, but there are ways around that, and they complain about self signed certificates if you don't take appropriate steps. The net result is that having secure encryption to the wrong entity isn't much use.

    DNSSEC can ensure you get the right IP address for a domain name, but it can't ensure you are actually connected to that IP address. In situations where DNSSEC is necessary, site authentication is also necessary to prevent a number of attacks. Domain validation is assurance that the service you are talking to is the one associated with the domain name, not a MiM.

    DKIM is only to provide assurance that an email message found in the wild is from where it says it is from. It doesn't validate the server you are talking to to get the email.

    You are entitled to do whatever you want, but setting up encryption systems is very difficult. The smallest mistake can allow an attacker to completely nullify your work.

    LeapSTR100-2/10.3.2.2876
    02-20-16 06:16 AM
  10. gariac's Avatar
    > I'm not. The reason I raised the issue is that downloading the CA certificate from an unauthenticated source breaks site validation.
    >
    > The point of having a domain validation certificate is two fold, site authenticity and encryption. If you only want encryption you don't even need self signed certificates. The browser generates a random key pair each time it connects to a server. A server could do the same thing, generate a new key pair for each connection. Browsers would complain, but there are ways around that, and they complain about self signed certificates if you don't take appropriate steps. The net result is that having secure encryption to the wrong entity isn't much use.
    >
    > DNSSEC can ensure you get the right IP address for a domain name, but it can't ensure you are actually connected to that IP address. In situations where DNSSEC is necessary, site authentication is also necessary to prevent a number of attacks. Domain validation is assurance that the service you are talking to is the one associated with the domain name, not a MiM.
    >
    > DKIM is only to provide assurance that an email message found in the wild is from where it says it is from. It doesn't validate the server you are talking to to get the email.
    >
    > You are entitled to do whatever you want, but setting up encryption systems is very difficult. The smallest mistake can allow an attacker to completely nullify your work.

    DKIM is on my DNS server, but my mail server also has the key. Sure looks locked to me. I have run my mail server through a number of verification services. Other than DANE, I'm running as much security as possible, plus I have no port 80 means to access my mail. Trust me, any email with port 80 access is not secure.

    I'm really not sure why you repeated what I said about certs, but uh thanks I guess.


    Posted via CB10
    02-20-16 10:40 AM
  11. albertinik's Avatar
    Might I ask you where and who would give you a certificate for free?

    Do you trust and sleep peacefully at night?


    > As you may know, there are now two certificate authorities who issue X.509 certificates for free, which many HTTPS websites use. They work in all major browsers and operating systems, but unfortunately not on Blackberry.
    > By installing the attached certificates you'll get rid of the "Site Blocked" message on some websites.


    Posted via CB10
    02-20-16 11:11 AM
  12. Richard Buckley's Avatar
    > Might I ask you where and who would give you a certificate for free?
    >
    > Do you trust and sleep peacefully at night?

    https://www.startssl.com/

    LeapSTR100-2/10.3.2.2876
    02-20-16 04:12 PM
  13. Richard Buckley's Avatar
    > DKIM is on my DNS server, but my mail server also has the key. Sure looks locked to me. I have run my mail server through a number of verification services. Other than DANE, I'm running as much security as possible, plus I have no port 80 means to access my mail. Trust me, any email with port 80 access is not secure.
    >
    > I'm really not sure why you repeated what I said about certs, but uh thanks I guess.

    Well then don't let me stop you, you seem to be an expert.

    But remember that this started with you replying:

    > I'm lost here. Isn't Let's Encrypt for servers?

    And you brought up DKIM and the rest. I just don't want people thinking that downloading a CA certificate from an unauthenticated source is a good idea.

    LeapSTR100-2/10.3.2.2876
    02-20-16 04:23 PM
  14. gariac's Avatar
    > Well then don't let me stop you, you seem to be an expert.
    >
    > But remember that this started with you replying:

    I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.

    So yeah, I know what I'm doing. Have a nice day.


    Posted via CB10
    02-20-16 07:43 PM
  15. Richard Buckley's Avatar
    > I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.
    >
    > So yeah, I know what I'm doing. Have a nice day.

    You seem to be laboring under the impression that I am a fan of let's encrypt, I'm not.

    You also seem to be less than impressed by the system, so why then do you suggest trusting a certificate from a site provisioned by let's encrypt without even using the CA, since as you suggest that could lead to trusting a certificate from a site that has been "back doored"?

    LeapSTR100-2/10.3.2.2876
    02-21-16 08:27 AM
  16. WiredMatt's Avatar
    Back to topic: can someone explain how to export the LE CA (e.g. from a common browser), convert, and import into BBQ10?

    sent from my $smartphone with Tapatalk
    06-08-16 01:16 AM
  17. polytan02's Avatar
    I just hope that BlackBerry will do its job and add the let's encrypt certificates with the 10.3.3 update.

    There are quite a few sites using them and these are completely rejected by my phone.

    Posted via CB10
    06-08-16 03:32 AM
  18. Richard Buckley's Avatar
    You should not have to extract the certificate from a browser. You just need to know which Certificate Authority is signing them. The CA will have a way to get their certificate in all standard formats in a secure way, probably by downloading them from an HTTPS server.

    For all the popularity and hype surrounding Let's Encrypt I have yet to come across a site using it so I'm not sure which CA they are using.

    LeapSTR100-2/10.3.2.2876
    06-08-16 03:58 AM
  19. jd smithers's Avatar
    Hi,

    One of the bigger rollouts is related to wordpress.com; they have started to use Let's Encrypt certificates for the hosted domains (https://en.blog.wordpress.com/2016/0...ess-com-sites/) in an automatic way.

    Let's Encrypt's intermediate is currently being cross signed with the one from IdenTrust (CN=DST Root CA X3, O=Digital Signature Trust Co.) until their own will be incorporated into the major trust stores (ms, apple, nss, ...). There were some critical remarks in advance concerning the compliance audit and report but this has been resolved. In addition they submit all issued certificates to CT logs and anyone can take a look at it via https://crt.sh/

    Whichever way you look at it, Let's Encrypt does provide certificates in an easy way for people who are either not that familiar with certificate administration or are in need of automated processing or for whatever other reason. Not for nothing have they issued almost 3m certificates since their official launch in April 2016.

    Edit: wrong wording. 4.4m overall including beta phase since nov/dec 2015 (https://plot.ly/~letsencrypt/9/daily-activity/)
    Last edited by jd smithers; 06-08-16 at 01:32 PM.
    06-08-16 12:47 PM
  20. jd smithers's Avatar
    Hi,

    > Back to topic: can someone explain how to export the LE CA (e.g. from a common browser), convert, and import into BBQ10?
    Just browse to the info page linked from IdenTrust https://www.identrust.com/certificat...wnload-x3.html (mentioned on the Let's Encrypt page https://letsencrypt.org/certificates/)

    1. Copy the content of the text box into a new text file
    2. Insert at the beginning "-----BEGIN CERTIFICATE-----" (without the quotes)
    3. Insert at the end "-----END CERTIFICATE-----" (without the quotes)
    4. Should look like the attached screenshot identrust_root.png
    5. Save it as identrust-root.pem (or whatever name you like, but with a .pem ending)
    6. Copy it over to the mobile phone
    7. Open it in the File Manager and click Import in the top right corner
    8. Open the Browser on the phone and go to helloworld.letsencrypt.org; it should open and show a lock icon; you may verify with the site information that the correct certificate chain is being used.


    That should cover the necessary steps.
    WiredMatt likes this.
    06-08-16 01:27 PM
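    The conversion in steps 1 to 5 above, plus the check Richard Buckley kept asking for, as an added Python example that is not from any poster, IdenTrust or Let's Encrypt: it strips the whitespace a web text box paste carries, refuses anything that is not clean base64, checks that the decoded bytes form one complete DER SEQUENCE (a truncated paste fails here rather than at import time), re-armours the result as canonical 64-column PEM, and prints the SHA-256 fingerprint to compare against the one the CA publishes over HTTPS before you trust the file. The sample input is a constructed five-byte DER blob, not a real certificate; function names are the example's own.

```python
import base64
import hashlib
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample standing in for the text-box content: the base64 of a
# five-byte DER SEQUENCE (30 03 02 01 05), NOT a real certificate, with the
# line breaks and stray blanks a copy-paste from a web page typically carries.
SAMPLE_TEXT_BOX = "MAMC \n AQU=\n"

def text_box_to_der(raw: str) -> bytes:
    """Strip whitespace (and PEM armour, if some was already present) and decode the base64 body."""
    body = raw.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = re.sub(r"\s+", "", body)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("text box content is not clean base64")
    return base64.b64decode(body, validate=True)

def check_der_envelope(der: bytes) -> None:
    """An X.509 certificate is a single DER SEQUENCE whose length field must
    cover exactly the remaining bytes; a truncated or over-long paste fails here."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        header, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(f"DER says {length} bytes follow, found {len(der) - header} (truncated paste?)")

def der_to_pem(der: bytes) -> str:
    """Re-armour as PEM with the canonical 64-column base64 lines of RFC 7468."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes: compare it with the
    fingerprint the CA publishes over HTTPS before importing the file."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def convert(raw: str) -> tuple:
    """Text-box content -> (PEM text, SHA-256 fingerprint), refusing malformed input."""
    der = text_box_to_der(raw)
    check_der_envelope(der)
    return der_to_pem(der), sha256_fingerprint(der)

if __name__ == "__main__":
    pem, fp = convert(SAMPLE_TEXT_BOX)
    # The .pem extension matters: the BlackBerry importer ignores .crt, as noted earlier in the thread.
    with open("identrust-root.pem", "w") as f:
        f.write(pem)
    print(pem, "SHA-256:", fp)
```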
  21. Richard Buckley's Avatar
    JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.

    The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.

    Edit:

    The first certificate on the page is the Let's Encrypt Root, also called ISRG. Importing that should be all you need to do.


    LeapSTR100-2/10.3.2.2876
    Attachment 401754
    06-08-16 05:29 PM
  22. jd smithers's Avatar
    > JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.
    >
    > The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.

    Thanks for the vote of confidence. It seems I missed the possibility on my device to import it by opening the website. As soon as I open the helloworld page it is being blocked. It's stated that it is not possible to verify against a trusted source; is there any (other) way to import a certificate or certificate chain on the device itself? Besides that, this dodges, imho, the intrinsic meaning of a PKI where I should be able to trust something/someone trustworthy beforehand, as you wrote earlier concerning information (domain) assurance & encryption.
    06-08-16 05:59 PM
  23. WiredMatt's Avatar
    > Hi,
    >
    > Just browse to the info page linked from IdenTrust https://www.identrust.com/certificat...wnload-x3.html (mentioned on the Let's Encrypt page https://letsencrypt.org/certificates/)
    >
    > 1. Copy the content of the text box into a new text file
    > 2. Insert at the beginning "-----BEGIN CERTIFICATE-----" (without the quotes)
    > 3. Insert at the end "-----END CERTIFICATE-----" (without the quotes)
    > 4. Should look like the attached screenshot identrust_root.png
    > 5. Save it as identrust-root.pem (or whatever name you like, but with a .pem ending)
    > 6. Copy it over to the mobile phone
    > 7. Open it in the File Manager and click Import in the top right corner
    > 8. Open the Browser on the phone and go to helloworld.letsencrypt.org; it should open and show a lock icon; you may verify with the site information that the correct certificate chain is being used.
    >
    > That should cover the necessary steps.
    That's it, thanks! :-)

    sent from my $smartphone with Tapatalk
    06-09-16 01:14 AM
  24. Martin Green's Avatar
    "they have some daemon"... yeah... you really have no idea how Let's Encrypt certificate renewal works, do you? And yet you claim you know what you are doing. For one thing you aren't forced to use their renewal tool at all, feel free to write your own, I did.

    Secondly, the automated certificate issuance uses a very secure technique (ACME) to ensure you actually own the site you are requesting a certificate for. The method used would only allow someone else to obtain a cert in your name if your site was already compromised anyway. The ACME protocol is open source and anybody can write a client. If you ACTUALLY knew what you were talking about you would know that.

    https://letsencrypt.org/how-it-works/

    Finally, Let's Encrypt is EXPLODING in popularity among small, medium, and large sites and services. If it is so dodgy why do the latest versions of ALL popular browsers include ISRG (Let's Encrypt) certificate trust?

    So yeah, you only THINK you know what you are doing. Have a nice day.

    > I know the proper way of doing things. Let's Encrypt is anything but standard. You would have to be an ***** to use it since they have some daemon you need to run to automatically get the cert updated. I call that a back door into my server. I use no 3rd party services. I minimize vectors.
    >
    > So yeah, I know what I'm doing. Have a nice day.

    Posted via CB10
    10-08-16 01:39 PM
  25. Martin Green's Avatar
    Until BlackBerry 10.3.3 rolls out which will have Let's Encrypt trust built in, to get full support of all possible ways a site might be signed with a LE certificate you actually need to import seven certs from Let's Encrypt and one from IdenTrust. You can get away with less for 90% of sites but several of them provide redundancy in case some of the trust chain goes down.

    If you are running BlackBerry 10.3 - 10.3.2 you can import all eight certs with just two clicks using my totally free multiCERT app from BlackBerry World. https://appworld.blackberry.com/webs...tent/59999147/

    Cheers

    > JD Smithers did some excellent work there. Most of it should be unnecessary though. Since Let's Encrypt created their own Root and Intermediate certificates, which are available in PEM format, it should be sufficient to download one, or all of them, open with the file manager and install.
    >
    > The cross signing is only used until the Let's Encrypt certificates are accepted. If you accept them directly, then you are done.
    >
    > Edit:
    >
    > The first certificate on the page is the Let's Encrypt Root, also called ISRG. Importing that should be all you need to do.
    >
    > Attachment 401754
    Rustybronco and melander like this.
    10-08-16 01:47 PM