
OVH automatically migrates expiring paid SSL to Let's Encrypt certificates - dethi
https://twitter.com/olesovhcom/status/797856360926953472
======
cranium
On first sight, with only my knowledge in hand, I do think it is a good idea.

I'm also really interested in knowing if there are issues that could arise or
people that are annoyed by this kind of automatic conversion and why. What are
your thoughts?

~~~
ivraatiems
There are potential security concerns. Suppose Let's Encrypt has a
vulnerability other certs don't, or their chain is compromised somehow, this
could put people at risk without them knowing it.

It could also complicate matters when renewing certs. If I forget to renew my
SSL, it gets replaced with Let's Encrypt, and then I go to renew it and the
system gets confused because it looks like I already have a cert from another
provider.

In both cases, ample warning and notification will help, and opt-in rather
than opt-out will totally alleviate the issues.

~~~
iancarroll
If Let's Encrypt's chain is compromised, everyone is screwed, not just your
site. If _any_ trusted CA is compromised, everyone is screwed, even if they
haven't issued a certificate for your site.

There is no way to induce a vulnerability by using an incompetent or malicious
CA, provided you generate your own, strong private key. Even issuing an MD5 or
SHA-1 certificate cannot actively harm your visitors unless a second preimage
attack is developed against the algorithm (in which case, again, everyone is
screwed, not just you).

~~~
ivraatiems
> There is no way to induce a vulnerability by using an incompetent or
> malicious CA, provided you generate your own, strong private key.

If OVH is doing this automatically, they're the ones generating the keys,
right?

~~~
Faaak
They already have the keys either way: it's a shared-hosting environment.

------
thinkMOAR
I don't know, this feels a bit weird. How about your local garage replacing
the locks of your car without asking (not knowing who got duplicates of the
keys etc.) or if you live in a neighbourhood that even requires you to lock your
car?

In any case this should be an opt-in service (for the lazy).

------
Keverw
I logged into the backend of WHM for my cPanel VPS (I'm using another VPS
provider, so not an OVH-specific example here), and they have something now
called AutoSSL doing something similar.

I haven't really played with it yet, but I know it mentioned no way to revoke
the certs. So felt a little half-baked, but it seems like a step in the right
direction to move everything to SSL. Probably just an early iteration right
now, so probably will improve over time.

------
ris
...and what if you have a specific certificate pinned in your private clients
for use of a private web service?

~~~
Pirate-of-SV
Then you should probably renew the expiring cert.
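The pinning concern raised above turns on one detail: a public-key pin (as in RFC 7469) hashes the certificate's SubjectPublicKeyInfo, not the certificate or the issuer. So a replacement cert from a different CA keeps working for pinned clients only if it carries the same key, and a freshly generated key breaks them unless a backup pin was committed in advance. The following is an added example, not code from the thread or from OVH, using only the Python standard library; the SPKI blobs are constructed sample values (a DER Ed25519 SubjectPublicKeyInfo wrapper around hashed seed bytes), not real keys.

```python
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
#   SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 } BIT STRING(33) { 0x00 || key } }
# Only the layout matters here; the key bytes are constructed, not real.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def make_sample_spki(seed: int) -> bytes:
    """Build a structurally valid 44-byte SPKI around constructed key bytes.

    Different seeds stand in for different private/public key pairs.
    """
    key_bytes = hashlib.sha256(b"sample-key-%d" % seed).digest()
    return _ED25519_SPKI_PREFIX + key_bytes


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pin(spki_der: bytes, pinned: set) -> bool:
    """A pinning client accepts a cert only if its SPKI pin is in the pin set."""
    return spki_pin(spki_der) in pinned


def rotation_scenario() -> dict:
    """Walk through the three outcomes a pinned client can see on auto-renewal.

    The CA that signed the cert never enters the calculation: the pin is
    computed over the key alone, which is why the same key under a new
    issuer still validates while a new key does not.
    """
    original_key = make_sample_spki(1)
    replacement_key = make_sample_spki(2)   # provider generated a new key pair
    backup_key = make_sample_spki(3)        # key pre-generated by the site owner

    # Client shipped with only the production pin.
    pins_no_backup = {spki_pin(original_key)}
    # Client shipped with production pin plus a backup pin for a spare key.
    pins_with_backup = {spki_pin(original_key), spki_pin(backup_key)}

    return {
        # New cert, new CA, same key: pin still matches.
        "same_key_new_ca": check_pin(original_key, pins_no_backup),
        # New cert issued for a provider-generated key: pinned client rejects it.
        "new_key_no_backup": check_pin(replacement_key, pins_no_backup),
        # Renewal done with the pre-committed backup key: pinned client accepts.
        "new_key_with_backup": check_pin(backup_key, pins_with_backup),
    }


if __name__ == "__main__":
    for name, ok in rotation_scenario().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The practical check for anyone running pinned private clients is therefore whether the hosting provider reuses the existing key when it swaps the certificate; if it generates a new one, the migration is indistinguishable from an unplanned key rotation and only a pre-committed backup pin keeps clients connecting.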

