Comment by ekr____
12 hours ago
Thanks for explaining.
I think this concern reflects a misunderstanding of how the security of the WebPKI works. Specifically, any CA can issue certificates for your domain whether you are their customer or not. What that means is that if CA #1 is compromised but you choose CA #2, CA #1 can still be used to attack connections to your domain.
The situation is slightly worse if the CA you actually use is compromised because the main defense we have against misissuance is Certificate Transparency, and it's easier to detect that a certificate was issued by a CA you don't use than that too many certificates were issued by a CA you do use, but it's just slightly easier.
The bottom line here is that if you are worried about some group of CAs being compromised, then using a different CA doesn't help you much.
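The detection asymmetry described in the comment above, as an added example that is not part of the original comment: a Certificate Transparency audit that flags certificates from a CA the domain does not use with a simple allowlist, but needs the domain owner's own issuance records to flag extra certificates from the CA it does use. The record fields, CA names and serials are constructed for illustration and do not follow any particular CT monitor's output format.

```python
# Constructed sample: CT log entries for one domain, as a monitor might report them.
CT_ENTRIES = [
    {"issuer": "CA Two", "serial": "0a01", "kind": "precert"},
    {"issuer": "CA Two", "serial": "0A01", "kind": "cert"},   # same cert, logged twice
    {"issuer": "CA One", "serial": "77ff", "kind": "cert"},   # CA we never use
    {"issuer": "CA Two", "serial": "0a09", "kind": "cert"},   # our CA, but not in our records
    {"issuer": "CA Two", "serial": "0a02", "kind": "cert"},
]

# Assumption: the CAs this domain actually orders from.
EXPECTED_ISSUERS = {"CA Two"}

# Assumption: (issuer, serial) pairs recorded by our own issuance tooling.
ISSUANCE_INVENTORY = {("CA Two", "0a01"), ("CA Two", "0a02")}


def audit(entries, expected_issuers, inventory):
    """Return findings as (reason, issuer, serial) tuples, in log order."""
    findings = []
    seen = set()
    for entry in entries:
        # Serials are unique per issuer; normalise case so a precertificate
        # and its final certificate count as one issuance.
        key = (entry["issuer"], entry["serial"].lower())
        if key in seen:
            continue
        seen.add(key)
        if entry["issuer"] not in expected_issuers:
            # Easy case: no inventory needed, the issuer alone is the signal.
            findings.append(("unexpected_issuer",) + key)
        elif key not in inventory:
            # Harder case: only visible if we track what we requested.
            findings.append(("not_in_inventory",) + key)
    return findings


if __name__ == "__main__":
    for reason, issuer, serial in audit(CT_ENTRIES, EXPECTED_ISSUERS, ISSUANCE_INVENTORY):
        print(f"{reason}: issuer={issuer} serial={serial}")
```

Without the inventory, the `0a09` certificate is indistinguishable from a routine renewal, which is the "too many certificates from a CA you do use" case.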
Yes I understand all of that, but I still choose to trust free services less.
Of course the (more secure?) alternative would be to generate self-signed certs, but for customer-facing sites that's a big UX problem.
> Yes I understand all of that, but I still choose to trust free services less.
Well, you can choose to do whatever you want, but given that you're posting to a public forum, it would be helpful if you actually explained your reasoning.
> Of course the (more secure?) alternative would be to generate self-signed certs, but for customer-facing sites that's a big UX problem.
It's not just a big UX problem, it's a big security problem, because the customers have no way of knowing if your certificate is actually valid.
> it would be helpful if you actually explained your reasoning.
It's exceedingly clear that's not going to happen, and I think we all know why. Good reminder to anyone that anyone can just post here. Including people that logic-lessly think that paying a shitty third party that probably has a bad track record is somehow better than using LE. Like, this isn't a serious conversation?