2

It's midnight; I coded for 16 hours, put away a few beers and discovered https://letsencrypt.org/

I am tired & muzzy-headed & maybe I should be asking at https://skeptics.stackexchange.com/ but is this on the up & up? Is it secure? It seems like a free lunch - carpe prandium, or caveat prandior?

Mozilla and such, but, still ... this could put some megamillion companies out of business. Does it have a future? Can I rely on it?

  • 2
    At first glance, I approve. It's free because the verification process is automated. Both are bonuses. Not only that, but I think using an agent installed on the server to help prove ownership is probably much more secure than e-mail validation. However, I don't think it will replace the type of validation required for certain types of certificates. – Jonathan Gray Dec 07 '15 at 00:27
  • 3
    As for whether it should be trusted as a CA, there's no reason not to trust it. We already have browsers and operating systems that come with literally hundreds if not thousands of explicitly trusted preinstalled CA certs, this one included. There are good chances, in my mind, that at least one of them is already either malicious or compromised -- luckily their ability to carry out attacks on the vast majority of Internet users is severely limited. Their ability to carry out targeted attacks, however, is much greater. – Jonathan Gray Dec 07 '15 at 00:37
  • 2
    @JonathanGray - perhaps you should move your comments to an answer? They seem more answer-ish to me than comment-ish. – Neil Smithline Dec 07 '15 at 01:08
  • 1
    Until they drop the "beta" tag, I wouldn't recommend using it for production sites (or highly confidential services). I would wait a little longer to fully trust their service; as it is new, it may have security flaws (less likely). The certificates themselves should be as secure as other certificates (as they are based on the same technology). The main issue (IMHO) is that you won't be able to have EV certificates or any kind of warranty. Still, I think I will start testing them on many of my websites. – lepe Dec 07 '15 at 01:31
  • 1
    Are you asking as an admin contemplating running their root-privileged scripts on your server, or as a user who happens across a let's encrypt cert in the wild? – afourney Dec 07 '15 at 01:37
  • I was thinking of using it for my own site(s). – Mawg says reinstate Monica Dec 07 '15 at 08:25

0 Answers