
Comment by ranger_danger

1 day ago

Lots of people, I certainly don't trust free providers, and I think it's a lot less likely that malware will use a non-free cert, so some people trust those more. Plus there are email, code-signing and other cert types that aren't provided for free.

> I certainly don't trust free providers

What does this mean in practice? Do you remove the free providers from your OS & browser trust stores? Does this mean you get warnings every time you visit a site that uses LetsEncrypt (and other free providers)?

What does it mean not to trust Let's Encrypt in this case? What is it you are concerned they will do?

  • I worry that the CA is somehow compromised (state actor holding private keys, etc).

    • Thanks for explaining.

      I think this concern reflects a misunderstanding of how the security of the WebPKI works. Specifically, any CA can issue certificates for your domain whether you are their customer or not. What that means is that if CA #1 is compromised but you choose CA #2, CA #1 can still be used to attack connections to your domain.

      The situation is slightly worse if the CA you actually use is compromised because the main defense we have against misissuance is Certificate Transparency, and it's easier to detect that a certificate was issued by a CA you don't use than that too many certificates were issued by a CA you do use, but it's just slightly easier.

      The bottom line here is that if you are worried about some group of CAs being compromised, then using a different CA doesn't help you much.


    • > I worry that the CA is somehow compromised (state actor holding private keys, etc).

      "Somehow" is doing a lot of work in that sentence.

      Operationally, there's no difference between the security procedures and requirements that a for-profit or a non-profit CA must adhere to.

    • I would have that concern, at minimum 100x more with random shitty unreliable SSL providers, than those being run by literal huge nerds and non-profits. Your analysis here is thin and lazy and that's being generous to your analysis.
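The reply above about Certificate Transparency makes a practical point: the easy-to-detect case is a certificate for your domain issued by a CA you never use. The following is an added example, not code from anyone in the thread, showing that check over a constructed batch of CT log records laid out in the shape of crt.sh's JSON output (the `id`, `issuer_name`, `name_value` and `not_before` fields). The domain, issuer names and entry ids are made up; the only assumption about the data is that `name_value` lists SANs one per line and `issuer_name` is a comma-separated DN.

```python
"""Flag certificates for a monitored domain that were issued by a CA you do
not use: the Certificate Transparency check described in the thread above.

Added example. SAMPLE_CT_JSON is constructed data in the shape of crt.sh's
JSON output; nothing here is a real log entry or a real CA."""
import json
from dataclasses import dataclass

# Constructed sample (not real CT data). Entry 1003 is the interesting one:
# a certificate for mail.example.test from a CA the domain owner never used.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.test\nwww.example.test",
     "not_before": "2024-05-01T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.test",
     "not_before": "2024-06-10T00:00:00"},
    {"id": 1003, "issuer_name": "C=XX, O=Example Untrusted CA, CN=Example Untrusted CA G1",
     "name_value": "mail.example.test",
     "not_before": "2024-07-02T00:00:00"},
    {"id": 1004, "issuer_name": "C=XX, O=Example Untrusted CA, CN=Example Untrusted CA G1",
     "name_value": "unrelated.test",
     "not_before": "2024-07-03T00:00:00"},
])


@dataclass(frozen=True)
class Finding:
    """One certificate worth a human look: who issued it, for which names, when."""
    entry_id: int
    issuer_org: str
    names: tuple
    not_before: str


def issuer_org(dn):
    """Pull the O= attribute out of a comma-separated DN string; fall back to the whole DN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return dn


def covers_domain(name, domain):
    """True if a SAN entry names the domain or a subdomain of it (wildcards count)."""
    name = name.lower().lstrip("*.")
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)


def unexpected_issuers(ct_json, monitored_domains, expected_issuer_orgs):
    """Return certificates that cover a monitored domain but were issued by a CA
    whose organisation is not in the expected list."""
    expected = {org.lower() for org in expected_issuer_orgs}
    findings = []
    for entry in json.loads(ct_json):
        names = tuple(n.strip() for n in entry["name_value"].splitlines() if n.strip())
        # Skip certificates that do not touch any domain we monitor.
        if not any(covers_domain(n, d) for n in names for d in monitored_domains):
            continue
        org = issuer_org(entry["issuer_name"])
        if org.lower() in expected:
            continue
        findings.append(Finding(entry["id"], org, names, entry["not_before"]))
    return findings


if __name__ == "__main__":
    for f in unexpected_issuers(SAMPLE_CT_JSON, ["example.test"], ["Let's Encrypt"]):
        print(f"CT entry {f.entry_id}: {f.issuer_org} issued for "
              f"{', '.join(f.names)} on {f.not_before}")
```

Run against the sample it reports only entry 1003; the unrelated.test certificate from the same unexpected CA is ignored because it does not cover the monitored domain. The harder case the reply mentions, too many certificates from the CA you do use, is not caught by an issuer allowlist; for that you reconcile the same CT records against your own issuance history and alert on any certificate you did not request.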