Comment by schoen
3 years ago
This criticism/argument was, in fact, made against domain validation (DV) when it was first introduced by earlier CAs. It's not an unreasonable criticism, but the economics of PKI mean that we would have much, much less encryption and authentication on the web today without DV.
DV represents a security trade-off, and Let's Encrypt took this and ran with it, with the net effect of much much much much less web traffic interception overall, albeit with known non-Let's-Encrypt-specific vulnerabilities to attackers who can manipulate infrastructure sufficiently.
As other people in this thread have noted, there are also other mechanisms that can help mitigate those vulnerabilities. Maybe we can come up with more over time!
No comments yet
Contribute on Hacker News ↗