Pierre-O's Blog

My personnal blog about IT stuff

Defense for Let's Encrypt

I just read an article from alexanderhanff against Let’s Encrypt.

I’m sorry, but I can’t let it go.

If you don’t know yet Let’s Encrypt project, I recommend going to their page and get to know! It is really good idea, but apparently some people disagree.

Commenting the article itself

“[this new CA] will become a target”

I’m pretty sure NSA will just go to other authorities for this kind of jobs. If I am NSA, I would feel ashame to go to EFF ask to fake a certificate to spy on people. They are already doind it, and they’ll just continue.

“why on earth would a terrorist pay Verisign for an SSL certificate, leaving a paper trail, if they can obtain an anonymous certificate for free from Let’s Encrypt?”

Oh well, I think you don’t really get the project. How could/would you obtain a certificate for a domain you don’t own? Your certificate is linked to a domain name, and to buy a domain name, you don’t have much choice than paying by credit card, and giving your ID.

And why are you speaking about terrorist? I really don’t get your point.

“it removes all confidence in TLS certificates as far as I am concerned and I will absolutely not be using the service”

Oh well, it is the same as right now. Do you trust verisign? So why not trusting let’s encrypt (at the same level at least)? TLS certificate is broken. We know it! Nothing new with what you are saying. So I don’t see the point of ranting about Let’s Encrypt when you have nothing better to propose!

Conclusion

I think you can’t speak seriously in this article. I think you are just a troll, and I just lost 20 minutes of my life answering. But I really believe it’s important to discuss about these issues. Maybe there is something I didn’t understand, please let me know!

To go further

About ssl certificate authority, I recommend this talk if you didn’t already see it.

http://www.youtube.com/watch?v=8N4sb-SEpcg

security, ssl

« Starting a New life - IndieHosters.net