Let's Encrypt Free Certificates' Success Challenges SSL/TLS Industry

Found on eWEEK on Friday, 11 March 2016

The Let's Encrypt certificate service was first announced in November 2014 as an effort to help expand the use and availability of cryptographic security for Websites.

"More encryption is great but the ease of obtaining certificates automatically can be riskier," Bocek said. "We've already seen phishing sites and other attacks use Let's Encrypt certificates."

"We are only issuing certificates with 90-day lifetimes, and that will be the case for the foreseeable future," Aas said. "Dealing with certificates manually is inefficient and error-prone. We want to strongly encourage automation. And if your system is automated then it doesn't really matter how long the certificate lifetimes are."

It may be acceptable for a private blog which is not really important, but anybody else will still prefer certificates issued by a company. "Dealing with certificates manually" is their business and makes sure that, e.g., EV certificates (which are used by banks and big companies) are not issued to anybody without doing a background check. Let's Encrypt is no better than any random self-signed certificate, except that the browser does not pop up a warning message.