Abstract
The article argues that the certificates Let's Encrypt issues carry security risks and lists several outages caused by certificate problems, including the Microsoft Teams outage and the failure of Firefox add-ons, suggesting that although the service is free its reliability is lacking. The author ends up using its certificates anyway, but with reservations.
Article summary
Title: Michael Orlitzky, "Let's Not Encrypt"
Overview:
The article critically examines the problems with Let's Encrypt's free TLS certificate service, arguing that while it offers a seemingly convenient path to encryption, it actually carries security weaknesses, engineering flaws and systemic risk. The author argues from technical, economic and social angles that the service may create a false sense of security and hold back better solutions.
Core arguments:
A false promise of security
- The domain-validation mechanism is fundamentally flawed: proving control of a domain over HTTP cannot defend against a man-in-the-middle attacker
- The structural risk of the traditional CA system remains: thousands of certificate authorities (including some problematic governments and commercial companies) can still forge certificates
Security hazards of automatic renewal
- The Certbot tool automatically processes unverified network data, as root
- The web server trusts the certificate data unconditionally; a single bad byte can bring the service down
- The author compares this to "installing bombs on a bridge that have to be removed on a schedule"
Economic cost and the time trap
- The three-month validity period means frequent maintenance (100 sites need 400 renewals per year)
- The switch to HTTPS is irreversible: search engines permanently lock in the encrypted links
- In practice it ties users to a service funded by their competitors (the 2019 budget of 3.6 million USD came mostly from big-tech sponsorship)
Systemic harm
- It delays the development of better solutions (such as SSH-style persistent certificates)
- It strengthens Google's control over web standards (Chromium-based browsers hold more than 90% market share)
- Surface convenience masks the fundamental flaws of the CA system
Illustrative cases:
- 2023: Let's Encrypt certificates were used in man-in-the-middle attacks on Hetzner and Linode servers
- 2020: an expired certificate caused a seven-hour Microsoft Teams outage
- 2019: an expired certificate at Mozilla (a Let's Encrypt platinum sponsor) broke the Firefox add-on system
Author's recommendation:
Although SSH-like alternatives exist on the technical level, ordinary users can do little to change the situation because Google effectively controls the HTML/HTTP standards and the browser market. The article closes with black humour, advising readers to "give up the struggle and go enjoy the sunshine outdoors".
Last updated:
2023-11-05 (the author admits he has started using LE certificates himself but declines to discuss why)
Comment summary
Summary of the comments
1. Doubts about HTTPS and Let's Encrypt
View: some users argue that HTTPS is not necessary in every case, especially for sites that handle no sensitive information (such as a personal blog).
- Quote: "Why does everything have to be https? Like, if I am writing a basic blog, with no forms, no CC payments, doesn’t capture anything sensitive, why do I need an SSL certificate to appear as a valid site?" (hk1337)
- Quote: "Super informative, always seemed like http is fine unless you are doing something security critical. But even blogs use https." (ozgrakkurt)
Argument: the encryption HTTPS provides can be obtained with a self-signed certificate, while the authentication a CA adds is of limited value in practice.
- Quote: "A self signed certificate is just as secure as one issued by a certificate authority on the matter of encryption." (noirscape)
- Quote: "Any scammer learned years ago how to get certificates for their scam domains." (jillesvangurp)
2. Support for HTTPS and Let's Encrypt
View: HTTPS provides three kinds of protection, encryption, tamper-proofing and site authentication, and these matter even for non-sensitive sites.
- Quote: "HTTPS does three interrelated things: Encryption, Tamper Proofing, Site Authentication." (AndrewStephens)
- Quote: "HTTPS provides some protection there because it at least hides the paths to the specific pages you are reading as you surf online." (eduction)
Argument: Let's Encrypt lowered the barrier to deploying HTTPS and drove encryption across the whole web.
- Quote: "Let’s Encrypt does an incredible amount of good by adding SSL to sites that wouldn’t have had it otherwise." (sigmar)
- Quote: "Let’s Encrypt has always been a saving grace in my eyes: When it first entered the scene, it solved a problem we all loathed dealing with." (lanyard-textile)
3. Discussion of Let's Encrypt's technical details
View: ACME automatic renewal happens often, but it reduces the risk of certificates expiring.
- Quote: "ACME renewal feels less like a time bomb than traditional renewal, even though it happens more often." (jchw)
- Quote: "Funny how we’re all securing our websites with time bombs that need defusing every 90 days." (polaris421)
Argument: short-lived certificates help surface and fix problems quickly.
- Quote: "By having ACME renewal happen very often, it should become apparent very quickly when they’re not working." (jchw)
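The renewal discussion in the article (the "time bomb" of 90-day certificates and the Teams and Firefox outages) and in comment section 3 (a broken renewal "should become apparent very quickly") both point to the same defensive check: monitor remaining lifetime and alert while there is still time to fix a stalled ACME renewal. The script below is an added example, not code from the article or the commenters; it parses the `notAfter=` line that `openssl x509 -noout -enddate` prints and classifies each host, with the hostnames, dates and the 30-day renewal window / 7-day grace thresholds all being constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds: certbot renews once fewer than 30 days remain, and
# we tolerate being inside that window unrenewed for at most 7 days.
RENEW_WINDOW_DAYS = 30
GRACE_DAYS = 7

# Constructed sample: what `openssl x509 -noout -enddate` printed per host
# (note the space-padded single-digit day in the third entry).
SAMPLE_INVENTORY = {
    "blog.example": "notAfter=Jan 20 10:00:00 2024 GMT",  # freshly renewed
    "shop.example": "notAfter=Nov 30 10:00:00 2023 GMT",  # just entered window
    "api.example":  "notAfter=Nov  9 23:59:59 2023 GMT",  # renewal is stuck
    "old.example":  "notAfter=Nov  1 00:00:00 2023 GMT",  # already expired
}
SAMPLE_NOW = datetime(2023, 11, 5, tzinfo=timezone.utc)  # constructed clock

def parse_not_after(line: str) -> datetime:
    """Parse an openssl 'notAfter=Mon DD HH:MM:SS YYYY GMT' line to UTC."""
    key, _, value = line.strip().partition("=")
    fields = value.split()  # split() also collapses the padded day field
    if key != "notAfter" or len(fields) != 5 or fields[4] != "GMT":
        raise ValueError(f"unexpected enddate line: {line!r}")
    stamp = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def classify(not_after: datetime, now: datetime) -> str:
    """Map remaining lifetime to an actionable state."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"          # outage: renewal failed and nobody noticed
    if remaining <= timedelta(days=RENEW_WINDOW_DAYS - GRACE_DAYS):
        return "renewal-overdue"  # inside the window for > GRACE_DAYS: alert
    if remaining <= timedelta(days=RENEW_WINDOW_DAYS):
        return "in-window"        # certbot's next run is expected to renew it
    return "ok"

def audit(inventory: dict, now: datetime) -> dict:
    """Return {host: state} for every host in the inventory."""
    return {host: classify(parse_not_after(line), now)
            for host, line in inventory.items()}

def audit_sample() -> dict:
    return audit(SAMPLE_INVENTORY, SAMPLE_NOW)

if __name__ == "__main__":
    for host, state in audit_sample().items():
        print(f"{host:15} {state}")
```

To feed it live data, collect each host's line with `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -enddate` and pass the results as the inventory.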
4. The CA system and alternatives
View: the authentication the CA system provides is of limited value in practice; a TOFU (Trust On First Use) scheme might be more practical.
- Quote: "Since identification is utterly dead, the entire CA structure feels like it gives little security to a modern browser as opposed to just going with a TOFU scheme like we do for SSH." (noirscape)
- Quote: "TOFU schemes aren’t acceptable for the public web because the average user isn’t equipped to compare certificate fingerprints." (woodruffw)
Argument: DNSSEC and DANE may be better alternatives.
- Quote: "if we rely on DNSSEC we can just use DANE/TLSA and don’t need the mess of CA/PKI." (jesprenj)
5. Criticism and defence of Let's Encrypt
View: the Let's Encrypt renewal process may carry security risks.
- Quote: "The official way to renew Let’s Encrypt certificates is automatically, with a tool called certbot. It downloads a bunch of untrusted data from the web, and then feeds that data into your web server, all as root." (1718627440)
- Quote: "Why would you run certbot as root? You don’t do that with any other server." (1718627440)
Argument: Let's Encrypt's design addresses real security needs, such as preventing ISPs from injecting ads.
- Quote: "I think that if we didn’t do TLS, every ISP would be injecting ads into websites these days." (jrockway)
Conclusion
The comments include both doubts about HTTPS and Let's Encrypt, holding that they are neither necessary nor perfect in every scenario, and affirmations of their value and practical effect. Supporters stress the benefits of web-wide encryption and tamper-proofing, while critics point to the limitations of the CA system and the management burden of short-lived certificates. Alternatives such as TOFU and DNSSEC are also examined. Overall, Let's Encrypt is regarded as an important tool for driving web-wide encryption, despite some technical and operational controversy.