topher Dick @topher

So, I’ve been using Let’s Encrypt for several years now, and I’ve been very happy with it. I’ll admit, I’ve not used it for anything work-related, but that’s partly because I work for a giant company and ‘free’ is hard for them to deal with… Then I read this:

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

It seems to suggest that the biggest reason Let’s Encrypt is a problem is because too many people are using it, so if there is a compromised root key, many people will be impacted… It seems, to me, the extremely short expiration on the keys does a lot to mitigate the security concerns there (no 2-year vulnerabilities that could have been addressed in 15 minutes of work)…

Thoughts? Where are you all on Let’s Encrypt?

(yes, I’m aware that it’s just an opinion piece - it just got me thinking about my own opinions)

Greg Johnson @codemitter

I think the issue here is more specifically about paying attention to certificate expirations / revocations. Regardless of your CA, a KMS breach seems just as likely to be impactful.

He makes a good point about CAs having no "skin in the game". Though, I'm sure Let's Encrypt wants to remain popular. Not-for-profit doesn't mean no one is making money per se.

Joe Winter @joeventures

I like this response at the top, with the ensuing discussion resulting in the original author admitting his headline was provocative. https://medium.com/@dom_rob/it-sounds-like-your-argument-against-lets-encrypt-is-essentially-a-for-profit-company-has-more-e544615e4e6e

Greg Johnson @codemitter

indeed

eldondev @eldondev

Yeah, I think LE handles things far better than most traditional CAs across the board.

And this is backed up by numerous vulns and bad certs being issued by them

Them = traditional CAs

Otoh, monocultures are bad. Amazon is a competitor, and a fine one at that. I am mostly happy using both.