Re: LetsEncrypt certificate is not recognized by Chrome Android 6.0.1/5.0.2

From: Anders Henke <anders.henke@xxxxxxxx>
To: client-dev@xxxxxxxxxxxxxxx
Date: Tue, 17 May 2016 17:45:58 +0200
Manually adding a root certificate actually is a very trivial thing:
Let's Encrypt could provide a simple download link and ask the user to
click on it. In many environments, it's shockingly easier to import a
root certificate than to skip/accept the warnings of a self-signed
certificate.

Why is it that shocking: a root certificate is another "ultimate" trust
anchor into your computer. The root certificate then can be used to
impersonate any website or tell your operating system "it's fine to run
that executable, skip any warnings".

x509 by design doesn't know about "decentralization": while a
subordinate CA may be restricted (if every piece of software plays fine and
adheres to those restrictions), a root certificate has no restrictions at all.


It's short of giving some stranger a master key to your (digital) house:
before you're doing so, you'd really like to know that "stranger" well.
Hence browser and operating system vendors do use various processes to
verify if the operators of a new root certificate really do "know what
they're doing" and are trustworthy.

If "adding a root certificate" becomes a "usual task" (like "click away
that cookie information"), lay people will be happy to add root
certificates. It's just a few clicks ... then, the root certificate will
be able to impersonate about any website's certificate.

I do consider it a very bad idea to make "adding root certificates" an
everyday task.
While it's legitimate for Let's Encrypt's root certificate, in the very
next second some phishing spam might ask users to add "their" root
certificate as well. And a secondary spam run will be able to use
"perfect" impersonations of e.g. banking websites, webmail services,
whatever you're asking. The browser's address bar will show the
"correct" address, it will display the secure lock icon, about anything
we're teaching users to take care of.

The only available technique to save users from malicious CAs today is
HTTP Public Key Pinning.
As Netcraft recently discussed
(http://news.netcraft.com/archives/2016/03/30/http-public-key-pinning-youre-doing-it-wrong.html),
only a few thousand websites are actually deploying that technique
right now. A third of them use it incorrectly, which effectively
disables it for them.

In such a world, educating users how to add random root certificates is
a very bad idea.



Best,
Anders
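The HPKP misconfigurations mentioned above (the Netcraft finding that about a third of deployers get it wrong) are the kind of thing a deployer can check before shipping the header. The following is an added example, not code from the thread or from Let's Encrypt: it parses a Public-Key-Pins header and applies the RFC 7469 requirements that a usable policy carries max-age, at least two distinct pins, one pin that matches a key actually in the served chain, and one backup pin that does not. The SPKI byte strings are constructed placeholders standing in for real DER SubjectPublicKeyInfo blobs.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the DER SubjectPublicKeyInfo of the served leaf
# key and of an offline backup key (real deployments hash the actual DER).
LEAF_SPKI = b"constructed-leaf-spki-der"
BACKUP_SPKI = b"constructed-backup-spki-der"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header into its pins and other directives."""
    pins, params = [], {}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.append(m.group(1))
        elif "=" in directive:
            key, value = directive.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"')
        else:
            params[directive.lower()] = True  # e.g. includeSubDomains
    return {"pins": pins, "params": params}


def check_hpkp(header: str, served_spkis: list) -> list:
    """Return a list of problems; an empty list means the policy is usable.
    served_spkis holds the DER SPKI of every certificate in the served chain."""
    parsed = parse_hpkp(header)
    pins = set(parsed["pins"])
    served = {spki_pin(spki) for spki in served_spkis}
    problems = []
    if "max-age" not in parsed["params"]:
        problems.append("missing max-age")
    if len(pins) < 2:
        problems.append("fewer than two distinct pins")
    if not pins & served:
        problems.append("no pin matches the served chain; browsers ignore the header")
    if not pins - served:
        problems.append("no backup pin; losing the pinned key locks visitors out")
    return problems
```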

On 05/15/2016 08:08 PM, Timothy Holborn wrote:
how about making a little promo video / campaign explaining for lay
people what it is and how to install. perhaps also a browser extension
that could help if for some reason (i.e. s/w update) the install needs
to occur again.

Might also be useful for decentralization generally, but would want to
have some means to manage trust with any such tools broadly.

TimH..

On Mon, 16 May 2016 4:05 AM Vladimir Djukelic <vladimir@xxxxxxxxxxxx
<mailto:vladimir@xxxxxxxxxxxx>> wrote:

    DOES NOT work on Safari Version 9.1 (11601.5.17.1) on Mac OS X El
    Capitan 10.11.4 (15E65)
    Screenshot: https://www.dropbox.com/s/wc5jpa7zmgmmpe0/Screenshot%202016-05-15%2019.52.23.png?dl=0

    DOES WORK on Chrome Version 50.0.2661.102 (64-bit) on Mac OS X El
    Capitan 10.11.4 (15E65)
    Screenshot:
    https://www.dropbox.com/s/joauiu8tze6jcw3/Screenshot%202016-05-15%2019.55.21.png?dl=0
    About Chrome
    Screenshot: https://www.dropbox.com/s/trzrqgaqdd0jo26/Screenshot%202016-05-15%2019.58.55.png?dl=0



    On Sun, May 15, 2016 at 7:42 PM Michel Kuijpers
    <michel@xxxxxxxxxxxx <mailto:michel@xxxxxxxxxxxx>> wrote:

        also doesn’t work on my MacBook Pro (10.11.4 (15E65)) in
        Safari (Version 9.1 (11601.5.17.1)) but it works in Chrome
        (Version 50.0.2661.102 (64-bit))

        Greetings and have a nice day,
        Michel
        -=-=-=-=-=-=-=-

        Kind regards,
        Michel Kuijpers
        -------------------------------------
        Du-llens Fotografie en Websolutions
        URL: http://www.du-llens.net
        Email: michel@xxxxxxxxxxxx <mailto:michel@xxxxxxxxxxxx>
        Mobile: 06-23977966
        -------------------------------------

        On 15 May 2016, at 18:22, Jeroen de Neef <jeroen52@xxxxxxxxx
        <mailto:jeroen52@xxxxxxxxx>> wrote:

        It doesn't work for me on Windows 7, Google Chrome
        version 50.0.2661.102 m.

        2016-05-15 17:44 GMT+02:00 Daniel Reynolds
        <daniel7reynolds@xxxxxxxxx <mailto:daniel7reynolds@xxxxxxxxx>>:

            It works on Chrome for iOS for me.


            On Sun, May 15, 2016 at 8:17 AM, Timothy Holborn
            <timothy.holborn@xxxxxxxxx
            <mailto:timothy.holborn@xxxxxxxxx>> wrote:

                doesn't work on my android device.


                On Sun, 15 May 2016 8:58 PM Melvin Carvalho
                <melvincarvalho@xxxxxxxxx
                <mailto:melvincarvalho@xxxxxxxxx>> wrote:

                    On 15 May 2016 at 07:24, 蔡崴丞
                    <danny8376@xxxxxxxxx
                    <mailto:danny8376@xxxxxxxxx>> wrote:

                        It's using X1 signed by ISRG Root, which isn't
                        included in most browsers.

                    Works for me on chrome, firefox, opera (desktop)


                        Kaiduan Xie <kaiduanx@xxxxxxxxx
                        <mailto:kaiduanx@xxxxxxxxx>> wrote on Sun, 15 May 2016
                        at 1:07 PM:

                            Josh,

                            I suddenly found that
                            https://helloworld.letsencrypt.org was
                            determined to be "not private" on Chrome on
                            Android 6.0.1/5.0.2 today. This is a very
                            big nasty surprise :(

                            What has changed on Android side?

                            Thanks for help,

                            /Kaiduan

                            -- 
                            You received this message because you are
                            subscribed to the Google Groups "Let's
                            Encrypt Client Development" group.
                            To unsubscribe from this group and stop
                            receiving emails from it, send an email
                            to client-dev+unsubscribe@xxxxxxxxxxxxxxx
                            <mailto:client-dev+unsubscribe@xxxxxxxxxxxxxxx>.
                            To post to this group, send email to
                            client-dev@xxxxxxxxxxxxxxx
                            <mailto:client-dev@xxxxxxxxxxxxxxx>.
                            To view this discussion on the web visit
                            https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CACKRbQeS3MPr_p8EASsJ_LaQgQ6bx4td5f8DjjW_qHVYkpqFng%40mail.gmail.com
                            <https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/CACKRbQeS3MPr_p8EASsJ_LaQgQ6bx4td5f8DjjW_qHVYkpqFng%40mail.gmail.com?utm_medium=email&utm_source=footer>.














-- 
You received this message because you are subscribed to the Google Groups "Let's Encrypt Client Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to client-dev+unsubscribe@xxxxxxxxxxxxxxx.
To post to this group, send email to client-dev@xxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/573B3CB6.4060400%401und1.de.