Why Let’s Encrypt is a really, really, really bad idea…
-
IMHO the whole certificate business is a racket - basically a money making machine. I can't think of any other business from the top of my head that just generates a few kilobytes and gets a ton of money for it. Yes, there is some validation going on - but that's pretty easy to do.
I suppose the guy has a point in that Let's Encrypt becomes a single point of failure since it generates so many certificates, not sure if that's a good reason not to use them.
-
@stacksofplates said in Why Let’s Encrypt is a really, really, really bad idea…:
It was solely about it being free and the hackers can get your data now.
To get the data, they would have to break the encryption. That won't happen in the short time period the existing cert is valid for and is renewed. And like you said, if the CA is compromised, it's a simple fix to revoke and issue a new CA cert, and all it was responsible for.
There's really nothing more to it, I don't know why all this. That it's free has nothing to do with it's security. The number of certs issued don't matter either, they don't all come from the same issuing CA (do they?)... If so goes back to the point above anyways
-
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
That's not what the certs are for. If I buy www.ebays.co and make my site look exactly like ebay, the cert doesn't have a responsibility to ensure I'm at the real ebay site. The only thing the cert is for is to ensure my data is encrypted between my end and the remote end and that someone can't intercept it. That's the cert's only purpose.
-
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
IMHO the whole certificate business is a racket - basically a money making machine. I can't think of any other business from the top of my head that just generates a few kilobytes and gets a ton of money for it. Yes, there is some validation going on - but that's pretty easy to do.
I suppose the guy has a point in that Let's Encrypt becomes a single point of failure since it generates so many certificates, not sure if that's a good reason not to use them.
Right, LE breaks the "racket", as does CloudFlare. The "racketeers" push (and likely pay) for people to spread FUD as their entire business model is based on no one catching on.
-
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
-
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
Not really. I can create a cert that says I'm [email protected] or an ssl cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's besides the point.
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
Not really. I can create a cert that says I'm [email protected] or an ssl cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's besides the point.
No one is discussing your own CA though. The CA mechanism is based on trusted roots.
-
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
Not really. I can create a cert that says I'm [email protected] or an ssl cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's besides the point.
No one is discussing your own CA though. The CA mechanism is based on trusted roots.
I responded to certs specifically, regardless of context.
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
Not really. I can create a cert that says I'm [email protected] or an ssl cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's besides the point.
No one is discussing your own CA though. The CA mechanism is based on trusted roots.
I responded to certs specifically, regardless of context.
Except the context is the point. The trust of the CA is the entire point of the idiotic article linked by the OP.
-
@JaredBusch said in Why Let’s Encrypt is a really, really, really bad idea…:
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
Not really. I can create a cert that says I'm [email protected] or an ssl cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's besides the point.
No one is discussing your own CA though. The CA mechanism is based on trusted roots.
I responded to certs specifically, regardless of context.
Except the context is the point. The trust of the CA is the entire point of the idiotic article linked by the OP.
Gotcha
-
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@Obsolesce said in Why Let’s Encrypt is a really, really, really bad idea…:
@scottalanmiller said in Why Let’s Encrypt is a really, really, really bad idea…:
@ingmarkoecher said in Why Let’s Encrypt is a really, really, really bad idea…:
@stacksofplates Yes, but it's also about preventing imposters - so you know that who you're talking to is who they claim they are.
This is true.... only so far as preventing a man in the middle attack. It doesn't tell you that you selected the right person in the first place, which is how people will read that.
Not really. I can create a cert that says I'm [email protected] or an ssl cert for my server that says facebook.com. A browser may not trust it by default because it comes from my own CA, but that's besides the point.
No one is discussing your own CA though. The CA mechanism is based on trusted roots.
I responded to certs specifically, regardless of context.
And you are correct, in that context. But that's not what context we were thinking of.