LE SSL certificate

Currently reading
LE SSL certificate

jeyare

Well-known member
NAS
1811+, 3x 1813+, ...
I found this post for someone of you who uses LE certificates. See there:
Why Let’s Encrypt is a really, really, really bad idea…
Did I mention it is a really bad idea???

Link
 

WST16

Well-known member
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
That’s an interesting take. Thank you for sharing.
However, one can argue the same about many things in life.

Might not be a good idea if your site is a commercial one. I tend to agree. But for us (me) running a DS that no one should really care about, I believe it’s a very good and convenient option for now.
 

jeyare

Well-known member
NAS
1811+, 3x 1813+, ...
Don’t take it as kind of panic from me. Just as a source of information. I don’t have LE cert. I have few paid certs and long time evaluated. But in these days no one know, everything is possible.
 

akahan

Active member
NAS
DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac
I thought the article was completely unconvincing. Like, COMPLETELY. The author's arguments against Let's Encrypt don't hold water. Argument #1 is that "The more sites secured by Let’s Encrypt certificates, the bigger the threat surface becomes because the compromise of Let’s Encrypt’s KMS could potentially affect a large number of sites." Fine, but that's true of EVERY certificate authority. If you get rid of Let's Encrypt, that's one FEWER CA, so that's more consolidation, not less, and more certs being handled by each of the other remaining providers. Argument #2 is that LE has "no skin in the game," because they're a nonprofit (ISRG) and their certificates are free. This is ridiculous; the EFF, Cisco, Mozilla, and Akamai, among others, are the members of ISRG, and all stand to sustain tremendous reputational damage if LE is compromised. Moreover, it's the FOR PROFIT certificate issuers (most notably Comodo and Symantec, but they have lots of company) that have historically been the problem, precisely BECAUSE they're for profit - they've been issuing all manner of dubious certificates, because they get paid by the certificate. You don't need to look very far to see that they've both been de-trusted. Google announces plan to distrust Symantec SSL certificates Bogus SSL certificate for Windows Live could allow man-in-the-middle hacks Argument #3, as best as I can even figure it out (it's really incoherent) is that "If a site certificate is revoked, and no one is paying attention to this possibility, traffic will drop precipitously and you as a business person may well be no the wiser for why your lead generation dried up. " But a certificate from LE is no more or less subject to revocation than a cert from any other issuer, and if your cert is revoked and you don't notice, you're a total moron (or an Equifax employee, or both): Everyone going to your site will get a message from their browser saying that the certificate is no good. Surely some of them will report this to you, if you don't figure it out yourself.

I get the feeling that the author is, whether he knows it or not, a tool of the paid certificate issuers.
 

WST16

Well-known member
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
I believe your points are valid. But to elaborate on why I said I wouldn't use it if I was running a business site (especially commercial and technical), it's not because it's insecure or I'm worried that it might get compromised, no. It's because it says I went cheap and opted for a free certificate :)

When all I have to present an image to my client is a website, I'd want to make sure it impresses. Most of the public wouldn't know. All they see is a lock, but for those who know it says something about you (whether you know it or not, whether you like it or not).

It's like when I go to a site and I get the lock plus the green color (EV certificate). It's expected if it's a financial institution or a big company, but if it's not, it tells me that these guys walked the extra mile for this. It impresses me.

Just an opinion that is very debatable :)
 

akahan

Active member
NAS
DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac
WST, I think your reasons are 100% legit, in contrast to the arguments made in the article.
 

WST16

Well-known member
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
On rare occasions, I pass by a big, shiny Louis Vuitton store and most of the time they have two people wearing suits at the door inside. They open the door if you approach and greet you with a snobbish node :)

Do they need that. Do they need two people or even one in a full suite. I don't think so. It's part of the image they sell you with their brand, and their customers pay for it :)
 
Last edited:

fredbert

Well-known member
A bit late to comment on this but I will anyway.

Just because an organisation is Not For Profit does not mean that the people don't get paid and nor does it mean that they are any less likely to be diligent or ethical (may even mean they are more, working for a 'cause' and all that).

The main argument in the article (forgive me if I missed something, it's been a long week travelling) seems to be the same as levelled at MS PC's and virus attacks: there's more of them out there and so more interesting to bad guys. To do the Man-in-the-Middle attack will require that there is something inline with the communications to the end web server. That would mean nearer the server so as to capture more traffic. The sniffer would then most likely be at the ISP or onsite (unless it's at the country level and there's a full backbone extraction).

For home users or testers then the LE certificate is more convenient when needing less techie people to connect. But for businesses then it would be better to have a certificate that wasn't rotating every three months, and can be more thoroughly validated before issue.

Security is a risk business: how much security (cost) vs the impact of not enough (cost). LE is adding security and so reducing risk, it's not removing risk.
 

WST16

Well-known member
NAS
DS216+II : DS118 : APC Back UPS ES 700 — Mac/iOS user
Well said @fredbert. That's why I argued above that the author's logic can apply to many things in life.

There's always a risk (boarding a plane, crossing the street, eating that steak, driving your car, taking your pills).
We can either remove the risk at a cost (if possible and applicable), or accept it.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Rules Help Users
Any NAS support topics need to be posted in the forum.

You haven't joined any rooms.

    You haven't joined any rooms.
    Top