Let's Not Encrypt

Summary

Let's not Encrypt posted 2019-04-24; updated 2023-11-05 Let's Discuss the organization providing a false sense of security at an unbeatable price. Update 2023-11-05 Yeah, I've got an LE cert now. And I don't want to talk about it. Update 2023-10-22 This is my last I told you so, I promise. But Let's Encrypt certificates were used to MiTM Hetzner and Linode servers. Update 2020-02-04 Microsoft Teams was unusable for about seven hours yesterday, because Microsoft forgot to renew a certificate. Sorry, you just can't work today? Update 2019-05-10 Mozilla, a Let's Encrypt Platinum Sponsor, experiences some minor embarrassment this week as every Firefox install in existence commits suicide. The cause? An expired certificate. (Maybe they should use Let's Encrypt?) This quote is gold: First, we should have a much better way of tracking the status of everything in Firefox that is a potential time bomb and making sure that we don’t find ourselves in a situation where one goes off unexpectedly. Eric Rescorla, CTO of the Firefox team at Mozilla My medical opinion: if it hurts, maybe you should stop doing it. Background Google is running a thinly-veiled protection racket, marking normal safe websites as “not secure.” Unless, of course, you pay them. You can make the warning go away by paying a third-party—who then pays Google—to sign your website's SSL certificate. Some otherwise-smart people are convinced that this is fine, because the Let's Encrypt project is signing those certificates for free at the moment. It's a scam. Let's See The certificates provide no security The way you verify your identity to Let's Encrypt is the same as with other certificate authorities: you don't really. You place a file somewhere on your website, and they access that file over plain HTTP to verify that you own the website. The one attack that signed certificates are meant to prevent is a man-in-the-middle attack. But if someone is able to perform a man-in-the-middle attack against your website, ...