Ask HN: Is Let's Encrypt Harmful?
I've just learned about Let's Encrypt, and it made me a little bit worried. Now, I'm afraid (correct me please if I'm wrong) I cannot easily say if the server I'm talking to is the one I think I'm communicating with; the https protocol and SSL certificates are there only to ensure message confidentiality, but not server identity.
Here are my questions:
1. Is there a way to check in a browser if the current domain's certificate has been issued by Let's Encrypt?
2. Should I trust domains with Let's Encrypt-issued certificate less than those with paid certificates with identity validation?
Perhaps my questions display lack of understanding of some fundamental concept of SSL. If that's the case, I'm happy to learn!
7 comments
[ 6.1 ms ] story [ 36.1 ms ] threadYou couldn't trust SSL for owner identity before Let's Encrypt either, nothing has changed.
If you want stronger guarantees for the identity of the owner, you'll have to look for Extended Validation (EV) certificates (Browsers generally show the company name next to the lock in the URL bar). (https://www.cloudflare.com/ as an example, HN or https://www.amazon.com as examples of sites that don't use EV)
Most SSL cert CA's check DNS for email addresses and only validate DNS entries.
Lets Encrypt only checks DNS for IP addresses and issues certs based on root access to the IP addresses.
A CA DV is not equivalent to a Lets Encrypt cert.
Many also offer the same thing as Let's Encrypt, which basically verifies if the A/AAAA record for the domain points to a server controlled by the requester.
What am I missing?
The fact is that when you connect to my website ilikeapple.com in which I write about my experience as a apple farmer, you don't need to be sure of my server identity ('cause you don't even know my website) but you could still need message confidentiality ('cause you don't want your rival farmer to know that you are interested in planting apple tree next year).
So, don't put your credit card number in a site that not offer server identity (Hacker News for example) but don't worry too much about the certificate of let's Encrypt because are the lower level possible of certificate.
P.S. They are working to expand the same concept at "higher grade" certificate but of course is a work in progress (and is not sure it's possible)
- HTTP: White background with black text.
- Mixed content: "Scary" red cross through it.
- Domain verified: Green
- Identity verified (EV): Super-green
In an ideal world it would work like this:
- HTTP & Mixed Content: "Scary" red cross through it (i.e. "unencrypted" or compromised encryption).
- Domain verified: White background with black text.
- Identity verified (EV): Super green.
So DV just becomes the new "normal," since all it is asserting is that you haven't been MitM-ed to the specific domain requested. HTTP becomes the new bad (which it is). And only EV gets the green padlock treatment (i.e. so you look for THAT if you enter personal information).
PS - Plus you've always been able to get a Let's Encrypt-style certified, just costs you $8 which is easy to get using stolen credit cards.
No...
Lets Encrypt should not have the same level of trust as the basic DV level cert from a standard CA.
There is a security hole in ACME which is glossed over with handwaving from the fanbois.