I thought the article was completely unconvincing. Like, COMPLETELY. The author's arguments against Let's Encrypt don't hold water.

Argument #1 is that "The more sites secured by Let’s Encrypt certificates, the bigger the threat surface becomes because the compromise of Let’s Encrypt’s KMS could potentially affect a large number of sites." Fine, but that's true of EVERY certificate authority. If you get rid of Let's Encrypt, that's one FEWER CA, so that's more consolidation, not less, and more certs being handled by each of the other remaining providers.

Argument #2 is that LE has "no skin in the game," because they're a nonprofit (ISRG) and their certificates are free. This is ridiculous; the EFF, Cisco, Mozilla, and Akamai, among others, are the members of ISRG, and all stand to sustain tremendous reputational damage if LE is compromised. Moreover, it's the FOR PROFIT certificate issuers (most notably Comodo and Symantec, but they have lots of company) that have historically been the problem, precisely BECAUSE they're for profit - they've been issuing all manner of dubious certificates, because they get paid by the certificate. You don't need to look very far to see that they've both been de-trusted.

Google announces plan to distrust Symantec SSL certificates
Bogus SSL certificate for Windows Live could allow man-in-the-middle hacks

Argument #3, as best as I can even figure it out (it's really incoherent), is that "If a site certificate is revoked, and no one is paying attention to this possibility, traffic will drop precipitously and you as a business person may well be none the wiser for why your lead generation dried up." But a certificate from LE is no more or less subject to revocation than a cert from any other issuer, and if your cert is revoked and you don't notice, you're a total moron (or an Equifax employee, or both): everyone going to your site will get a message from their browser saying that the certificate is no good.
Surely some of them will report this to you, if you don't figure it out yourself.
I get the feeling that the author is, whether he knows it or not, a tool of the paid certificate issuers.
I believe your points are valid. But to elaborate on why I said I wouldn't use it if I were running a business site (especially commercial and technical), it's not because it's insecure or I'm worried that it might get compromised, no. It's because it says I went cheap and opted for a free certificate.
When all I have to present an image to my client is a website, I'd want to make sure it impresses. Most of the public wouldn't know. All they see is a lock, but for those who know it says something about you (whether you know it or not, whether you like it or not).
It's like when I go to a site and I get the lock plus the green color (EV certificate). It's expected if it's a financial institution or a big company, but if it's not, it tells me that these guys walked the extra mile for this. It impresses me.
On rare occasions, I pass by a big, shiny Louis Vuitton store, and most of the time they have two people wearing suits at the door inside. They open the door if you approach and greet you with a snobbish nod.
Do they need that? Do they need two people, or even one, in a full suit? I don't think so. It's part of the image they sell you with their brand, and their customers pay for it.
Just because an organisation is Not For Profit does not mean that the people don't get paid, nor does it mean that they are any less likely to be diligent or ethical (it may even mean they are more, working for a 'cause' and all that).
The main argument in the article (forgive me if I missed something, it's been a long week travelling) seems to be the same as that levelled at MS PCs and virus attacks: there are more of them out there and so they're more interesting to bad guys. To do the Man-in-the-Middle attack will require that there is something inline with the communications to the end web server. That would mean nearer the server, so as to capture more traffic. The sniffer would then most likely be at the ISP or onsite (unless it's at the country level and there's a full backbone extraction).
For home users or testers, the LE certificate is more convenient when less techie people need to connect. But for businesses, it would be better to have a certificate that isn't rotating every three months, and can be more thoroughly validated before issue.
Security is a risk business: how much security (cost) vs the impact of not enough (cost). LE is adding security and so reducing risk; it's not removing risk.
Well said @fredbert. That's why I argued above that the author's logic can apply to many things in life.
There's always a risk (boarding a plane, crossing the street, eating that steak, driving your car, taking your pills).
We can either remove the risk at a cost (if possible and applicable), or accept it.