You might want to be more specific about the meaning of "between" here. It's not a cryptographic MITM attack, and if it ever facilitated someone else in performing one, that should be detectable.
https://en.wikipedia.org/wiki/Certificate_Transparency
(It's also true that the level of active monitoring of CT logs has never gotten very high.)
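The detection the comment above refers to is Certificate Transparency monitoring: every publicly trusted certificate is logged, so a domain owner can watch the logs for certificates they did not request. The following is an added example, not code from the thread or from Let's Encrypt; it runs a simple monitor over constructed records whose field names are modelled on the JSON that crt.sh returns (`issuer_name`, `name_value`, `serial_number`, `not_before`). The domains, issuer names and serials are made up, and the "known serials" set stands in for whatever your own ACME client records at issuance time.

```python
"""Added example (not from the thread): a minimal Certificate Transparency
monitor that flags certificates for our domains that we did not expect.
Records are constructed to mimic crt.sh's JSON shape; all values are made up."""
import json
from dataclasses import dataclass

# Constructed sample: what a CT search for our domains might return.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org",
     "serial_number": "03a1b2c3",
     "not_before": "2024-03-01T10:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.org",
     "serial_number": "03a1b2c4",
     "not_before": "2024-03-02T11:00:00"},
    {"issuer_name": "C=XX, O=Unexpected CA Ltd, CN=Unexpected CA Issuing 1",
     "name_value": "login.example.org",
     "serial_number": "deadbeef01",
     "not_before": "2024-03-03T12:00:00"},
])


@dataclass(frozen=True)
class Finding:
    serial: str
    issuer_org: str
    names: tuple
    reason: str


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of an RFC 4514-style issuer DN."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return issuer_name  # fallback: whole DN if there is no O= attribute


def is_our_name(name: str, our_domains) -> bool:
    """True if a SAN entry is one of our domains or a subdomain (wildcards included)."""
    name = name.lstrip("*.").lower()
    return any(name == d or name.endswith("." + d) for d in our_domains)


def monitor_ct(ct_json: str, our_domains, allowed_issuer_orgs, known_serials) -> list:
    """Return findings for certs covering our domains that we did not expect.
    Check 1: issuer organisation is not in our allow-list.
    Check 2: issuer is allowed, but the serial is not one our ACME client recorded."""
    findings = []
    for rec in json.loads(ct_json):
        names = tuple(n.strip() for n in rec["name_value"].split("\n") if n.strip())
        if not any(is_our_name(n, our_domains) for n in names):
            continue  # a CT search can match unrelated names; skip those
        org = issuer_org(rec["issuer_name"])
        serial = rec["serial_number"].lower()
        if org not in allowed_issuer_orgs:
            findings.append(Finding(serial, org, names, "issuer not in allow-list"))
        elif serial not in known_serials:
            findings.append(Finding(serial, org, names,
                                    "allowed issuer but serial unknown to our ACME client"))
    return findings


if __name__ == "__main__":
    # Hypothetical configuration for the constructed sample above.
    for f in monitor_ct(SAMPLE_CT_JSON, {"example.org"}, {"Let's Encrypt"}, {"03a1b2c3"}):
        print(f"ALERT {f.reason}: serial={f.serial} issuer={f.issuer_org} names={f.names}")
```

The second check matters as much as the first: a certificate from a CA you do use, but that your own tooling never requested, is exactly what a compromised or mis-validated account looks like, so an issuer allow-list alone is not enough.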
It's not like Let's Encrypt is the only game in town, Actalis in Italy provides free ACME certs too if you'd prefer to keep things in Europe.
Not sure if there is a point to "keep things in Europe" when it comes to certificate authority.
- LetsEncrypt doesn't have the private key tied to your certificate
- Any of the Certificate Authorities could potentially emit an unauthorized certificate
Your only protection for all of these problems is HPKP. If you prefer to keep things in Europe, keep that pinned private key in Europe, but the rest doesn't matter.
That said, it's pretty nice that LetsEncrypt forced the ACME protocol on this industry. Not only does it create redundancy with mostly interchangeable alternatives, but before ACME there was no way to fully automate certificate provisioning cleanly.
Just to clear up one point -- Let's Encrypt did not at all force ACME on the industry. We deliberately took it to the IETF so that we could get input from more parts of the industry (including some major refactors!). Instead of pressure from Let's Encrypt, I would attribute its success to the open process of the IETF, the awesome open-source community that made great ACME software (shoutout to Matt and Caddy!), and the resulting pressure on CAs for a better user experience from users and customers.
Their website seems to suggest the renewal isn't free?
They are definitely not the most shady organization in the CA/Browser Forum.