[RndTbl] "Let's Encrypt" by the Internet Security Research Group (ISRG)

Adam Thompson athompso at athompso.net
Sun Feb 5 19:58:37 CST 2017


Yes, the automation is the whole *point* of LetsEncrypt.
As you say, the main impediment is cost, which is why they're free - but in order to sustain that cost structure, manual processes must be excised completely and utterly.  The 90-day lifetime is a compromise between convenience and security - even if your cert is compromised somehow (say because of badly-implemented automation tools), the compromise is only relevant for 90 days.
Obviously, LetsEncrypt isn't going to be issuing and high-assurance certificates; their goal is simply to get *everyone* to encrypt, to eliminate the cost issue as an excuse.
Many people much smarter than I have complained that the biggest problem with LetsEncrypt is that they appeared at exactly the wrong time; that their existence will cause the entire (badly broken) PKI system to *not* simply fall into disuse now, which was otherwise being predicted as a near- to medium-term consequence of its fundamental brokenness and multiple compromises.
I'm already using LetsEncrypt certificates in a couple of places, where I don't care about the "quality" of the certificate; it's automatically "better" than a self-signed certificate unless you're both extremely cautious AND inhumanly diligent.
For me, it's more a convenience tool to get rid of the browser's warning page upon encountering a self-signed cert.
Note also that LetsEncrypt certificates, unlike self-signed certificates, work with opportunistic TLS in SMTP.
-Adam 

> -----Original Message-----
> From: Roundtable [mailto:roundtable-bounces at muug.ca] On Behalf Of
> Trevor Cordes
> Sent: February 5, 2017 16:35
> To: roundtable at muug.ca
> Subject: Re: [RndTbl] "Let's Encrypt" by the Internet Security Research
> Group (ISRG)
> 
> On 2017-02-05 Hartmut W Sager wrote:
> > https://letsencrypt.org/
> >
> > They don't seem to be part of the usual gang - FSF, GNU, GPL, Apache,
> > Linux, etc., etc., yet they express similar philosophies.  Who are
> > they? How credible are they and their effort?  And how does their
> > effort compare to other free security certificates?
> 
> Like David said, their main thrust is automated deployment.
> Unfortunately, in my mind that's that's their biggest downside.  You
> *must* use their automated tools: AFAIK they provide no normal
> manual/email way to obtain their certs.  That means any processes
> you've created in-house to handle certs (like I have) are instantly
> incompatible and would require modification.  And it's not just the cert
> files, their tools auto-edit apache configs, etc.  Also, I'm not sure if their
> tools tie the cert into other SSL-able daemons like sendmail, or if that's
> even possible given their cert settings.
> 
> Also, they issue certs only for 3 months at a time, which kind of
> necessitates their automated tools.
> 
> It's kind of funny, they concentrate so much on deployment when I think
> the main impediment to most people vis a vis SSL is cost.  They have the
> cost thing beat (free) but then they force you into their proprietary
> deployment model.
> 
> Other than that, I'd say they look legit and benign, and we've talked
> about them at MUUG before and everyone seems to agree.  If you don't
> run any SSL now and you aren't terribly experienced with it, I see no
> downside to using let's encrypt.  If you already have SSL deployed, do
> your research before jumping on board just to turn your yearly cost into
> "free".
> 
> Oh ya, one more good thing about Let's Encrypt: their causing the big
> players to lower their low-end cert prices a bit!  That's always good news.
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.ca
> https://muug.ca/mailman/listinfo/roundtable




More information about the Roundtable mailing list