I would have that concern, at minimum 100x more with random shitty unreliable SSL providers, than those being run by literal huge nerds and non-profits. Your analysis here is thin and lazy and that's being generous to your analysis.
BTW, all the recent certificate shenanigans have involved for-profit CAs [1].
[1]: https://sslmate.com/resources/certificate_authority_failures
I still believe in "if it's free, you are the product."
In what way is a non-profit such as Let's Encrypt attempting to monetize their customer relationships? They've issued more than 700 million certificates at no cost.
While I don't get the cynicism in this case, you would agree supporting a secure web is in the public interest, right?
To each their own, but you do realize that you are using a free website running on free software secured by free TLS libraries transmitted via routers that often run free software and firmware? Also how much did you pay for the browser you used to make these comments?
There is a sea of difference between something like Google/Facebook/TikTok and Let’s Encrypt/the Linux Foundation/FSF/etc. I can only assume you can’t see that difference if you have spent no time reading about these things, but I would encourage you to. This stuff is important especially if you get to make security decisions for any kind of product.
Thanks for explaining.
I think this concern reflects a misunderstanding of how the security of the WebPKI works. Specifically, any CA can issue certificates for your domain whether you are their customer or not. What that means is that if CA #1 is compromised but you choose CA #2, CA #1 can still be used to attack connections to your domain.
The situation is slightly worse if the CA you actually use is compromised because the main defense we have against misissuance is Certificate Transparency, and it's easier to detect that a certificate was issued by a CA you don't use than that too many certificates were issued by a CA you do use, but it's just slightly easier.
The bottom line here is that if you are worried about some group of CAs being compromised, then using a different CA doesn't help you much.
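The asymmetry the comment above describes, as an added example that is not part of the thread: a minimal Certificate Transparency monitor for one hostname. A certificate for your name from a CA you never use is a single unambiguous finding, whereas over-issuance by the CA you do use can only be spotted as a deviation from an expected renewal rate. The CT entries, CA names, hostname and baseline rate below are all constructed for illustration; a real monitor would fetch entries from a CT log or an aggregator instead of the inline list.

```python
"""Toy CT monitor: flag certs for a hostname from unexpected CAs, and
unusually high issuance volume from the CAs that are expected."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed configuration for the monitored site (constructed values).
MONITORED_DOMAIN = "www.example.com"
EXPECTED_ISSUERS = {"Example Trust CA R1"}   # the CA(s) you actually use
BASELINE_CERTS_PER_WINDOW = 2                # normal renewal rate per window
WINDOW = timedelta(days=30)

# Constructed CT entries, not real log data. Each mirrors what parsing a
# CT log entry yields: issuer name, notBefore date and the SAN list.
SAMPLE_CT_ENTRIES = [
    {"issuer": "Example Trust CA R1", "not_before": "2024-01-10", "names": ["example.com", "www.example.com"]},
    {"issuer": "Example Trust CA R1", "not_before": "2024-03-10", "names": ["example.com", "www.example.com"]},
    {"issuer": "Example Trust CA R1", "not_before": "2024-05-10", "names": ["example.com", "www.example.com"]},
    # Burst of four certs in four days from the CA we use: over-issuance signal.
    {"issuer": "Example Trust CA R1", "not_before": "2024-06-01", "names": ["www.example.com"]},
    {"issuer": "Example Trust CA R1", "not_before": "2024-06-02", "names": ["www.example.com"]},
    {"issuer": "Example Trust CA R1", "not_before": "2024-06-03", "names": ["www.example.com"]},
    {"issuer": "Example Trust CA R1", "not_before": "2024-06-04", "names": ["www.example.com"]},
    # Wildcard covering our hostname from a CA we never use: unambiguous finding.
    {"issuer": "Other Public CA G2", "not_before": "2024-06-15", "names": ["*.example.com"]},
    # Unrelated domain from that same CA: must not be reported.
    {"issuer": "Other Public CA G2", "not_before": "2024-06-16", "names": ["example.org"]},
]


def covers_domain(names, domain):
    """True if a SAN entry names `domain` exactly or is a wildcard on its parent
    (a wildcard covers one label only, so *.example.com covers www.example.com
    but not example.com itself)."""
    parent = domain.split(".", 1)[1] if "." in domain else ""
    return any(n == domain or (n.startswith("*.") and n[2:] == parent) for n in names)


def _issued_on(entry):
    return datetime.strptime(entry["not_before"], "%Y-%m-%d")


def max_certs_in_window(dates, window):
    """Largest number of issuance dates inside any half-open span [t, t + window).
    Two-pointer sweep over the sorted dates; O(n log n) for the sort."""
    dates = sorted(dates)
    best, j = 0, 0
    for i, start in enumerate(dates):
        while j < len(dates) and dates[j] < start + window:
            j += 1
        best = max(best, j - i)
    return best


def find_unexpected_issuers(entries, domain, expected):
    """Certs covering `domain` issued by a CA outside the expected set.
    Every hit is a finding: there is no legitimate reason for one to exist."""
    return [e for e in entries
            if covers_domain(e["names"], domain) and e["issuer"] not in expected]


def find_over_issuance(entries, domain, expected, baseline, window):
    """Expected CAs whose issuance for `domain` exceeds `baseline` in some window.
    Only a rate anomaly, so it needs a tuned baseline and a human to confirm."""
    per_issuer = defaultdict(list)
    for e in entries:
        if covers_domain(e["names"], domain) and e["issuer"] in expected:
            per_issuer[e["issuer"]].append(_issued_on(e))
    findings = {}
    for issuer, dates in per_issuer.items():
        peak = max_certs_in_window(dates, window)
        if peak > baseline:
            findings[issuer] = peak
    return findings


def run_monitor(entries=SAMPLE_CT_ENTRIES, domain=MONITORED_DOMAIN,
                expected=EXPECTED_ISSUERS, baseline=BASELINE_CERTS_PER_WINDOW,
                window=WINDOW):
    """Run both checks and return the findings as a dict."""
    return {
        "unexpected_issuer": find_unexpected_issuers(entries, domain, expected),
        "over_issuance": find_over_issuance(entries, domain, expected, baseline, window),
    }


if __name__ == "__main__":
    report = run_monitor()
    for e in report["unexpected_issuer"]:
        print(f"ALERT unexpected issuer {e['issuer']!r} for {e['names']} on {e['not_before']}")
    for issuer, peak in report["over_issuance"].items():
        print(f"WARN {issuer!r} issued {peak} certs in one {WINDOW.days}-day window "
              f"(baseline {BASELINE_CERTS_PER_WINDOW})")
```

On the constructed data the first check returns exactly one entry (the wildcard from the unrelated CA) and the second reports a peak of five certificates in a 30-day window for the expected CA. Notice that the second check cannot say which of those five were legitimate renewals; that is the "slightly easier" in the comment above.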
Yes I understand all of that, but I still choose to trust free services less.
Of course the (more secure?) alternative would be to generate self-signed certs, but for customer-facing sites that's a big UX problem.
> Yes I understand all of that, but I still choose to trust free services less.
Well, you can choose to do whatever you want, but given that you're posting to a public forum, it would be helpful if you actually explained your reasoning.
> Of course the (more secure?) alternative would be to generate self-signed certs, but for customer-facing sites that's a big UX problem.
It's not just a big UX problem, it's a big security problem, because the customers have no way of knowing if your certificate is actually valid.
> I worry that the CA is somehow compromised (state actor holding private keys, etc).
"Somehow" is doing a lot of work in that sentence.
Operationally, there's no difference between the security procedures and requirements that a for-profit or a non-profit CA must adhere to.