Let's Not Encrypt (2019)
a day ago
- #SSL Certificates
- #Let's Encrypt
- #Web Security
- Let's Encrypt issues SSL/TLS certificates for free, but the author argues that it introduces significant operational risk while offering negligible security benefit.
- Let's Encrypt certificates are valid for only three months (90 days), so they must be renewed frequently; done by hand this is time-consuming and error-prone, and a missed renewal means an expired certificate and browser warnings.
- The recommended renewal tool, certbot, is criticized as a security risk because it downloads and executes code fetched over the network while running as root.
- Once a site has moved to HTTPS, reverting to plain HTTP is impractical: search engines have indexed the HTTPS URLs, and browsers that have seen an HSTS header or a cached redirect keep going to HTTPS.
- Let's Encrypt's operating budget is funded by sponsors the author characterizes as competitors, raising concerns about its long-term viability and about conflicts of interest.
- The certificate authority system is criticized as a for-profit scam that doesn't enhance security.
- Google's dominance in web browsers, combined with its sponsorship of Let's Encrypt, discourages the development of better security solutions.
- Alternative solutions, like SSH's certificate system, are ignored by major browsers, perpetuating reliance on flawed certificate authorities.
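The practical consequence of the 90-day lifetime above is that a renewal that silently fails leaves an expired certificate in production. The following Python check, added here as an illustration and not part of the original article, reads the `notAfter` field as `ssl.getpeercert()` returns it and decides whether renewal is overdue. It runs without privileges, so it can sit in a monitoring job separate from whatever ACME client is used. The 30-day renewal window is an assumption chosen to match certbot's default behaviour; the dates in the examples are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Assumption: renew once 30 days or less remain (certbot's default window).
RENEW_WITHIN_DAYS = 30


def days_remaining(not_after: str, now: Optional[datetime] = None) -> int:
    """Days until the certificate expires.

    not_after uses the format ssl.getpeercert() returns for 'notAfter',
    e.g. 'Mar 15 12:00:00 2025 GMT'. Negative when already expired.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def renewal_status(not_after: str, now: Optional[datetime] = None) -> str:
    """Classify a certificate as 'ok', 'renew-now' or 'expired'."""
    remaining = days_remaining(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining <= RENEW_WITHIN_DAYS:
        return "renew-now"
    return "ok"


def check_live(hostname: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Fetch the served certificate and return (notAfter, status).

    Network access is required; the default context verifies the chain, so a
    certificate that is already expired raises ssl.SSLCertVerificationError,
    which is itself the signal a monitor should alert on.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert["notAfter"], renewal_status(cert["notAfter"])


if __name__ == "__main__":
    # Constructed sample: a reference "now" and three notAfter values.
    ref = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for sample in ("Mar 15 12:00:00 2025 GMT", "Jan 20 00:00:00 2025 GMT", "Dec 31 00:00:00 2024 GMT"):
        print(sample, "->", days_remaining(sample, ref), "days,", renewal_status(sample, ref))
```

Run it as a cron job against each hostname with `check_live()` and alert on anything other than `ok`; a certificate that reaches `renew-now` means the automatic renewal has already failed at least once.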