What are other people's thoughts?
“Why Let’s Encrypt is a really, really, really bad idea…” by John Horst, CISSP® — ISSAP® https://link.medium.com/zwhWqMCoC8
I agree with all of John's critiques and operational analysis, but disagree with his final conclusion. He has left out of the overall analysis the risk and threat analysis each potential user-site should have completed. Using TLS (https) for all connections does protect against content monitoring of the traffic. The site seeking that protection must evaluate the level of protection the traffic needs, and the legal and financial impact of being monitored. Even major sites distinguish this aspect by using data classification and allowing some content to travel by http, but protecting other data with https.
Small or non-commercial sites may not need the legal or financial protection of a commercial CA for site certificates, and may find Let's Encrypt quite suitable.
Also, a reminder that end users can gain some added protection of https by using the Electronic Frontier Foundation's browser extension HTTPS Everywhere.
Final note, John Horst's LinkedIn profile says his CISSP-ISSAP expired in 2017.
Thank you for posting this article. Lots of good stuff to think about in it, and I appreciate your position on not being sure about agreeing.
Clearly, Johnny Hurst is looking for an ego boost by trying to create mass hysteria by creating doubt on rock solid technology. Feeling lonely John? COVID-19 got you down? Where's the love? Dissing your "pocket protector" friends for a few likes? Kinda sad...
Have to agree more with @rslade on this one with one remaining question. What beyond the price point makes this attractive? Does Let's Encrypt have better technology? Better defenses? If this is the way to TLS, why would anyone pay for other TLS certificates if otherwise funded?
Other than that I get the message but what's the catch? I'm a security guy and always a bit wary when things sound too good to be true.
What beyond the price point makes this [Let's Encrypt] attractive?
I like the fact that they have short-lived certificates (90 days) and oblige admins to set up auto-renewal as a condition of certificate issuance, and that they respect CAA records (actually a requirement enforced upon CAs).
I don't much care about the fact that when I authorize them to issue certs for my domain (CAA), anyone in my organization can request certs. My current CA will only issue certs for my domain from my account(s). Although one can work around this by putting the CAA record on the host, it is not quite as elegant.
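The last two posts turn on how CAA records work: the CA looks for the closest CAA RRset walking up from the requested hostname, which is why a record on the host overrides the one on the domain, and why a domain-level record that names only one CA keeps other CAs (including Let's Encrypt) from issuing. The following is an added example, not code from the thread or from any CA, that parses CAA records in their presentation format and applies the RFC 8659 issuance check over a constructed in-memory zone (the domain names, CA names and records are all made up; live DNS, CNAME chasing and DNSSEC validation are deliberately out of scope):

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample zone in CAA presentation format (RFC 8659, section 4.1.1).
# example.org permits only a hypothetical commercial CA and forbids all wildcard
# issuance; one host carries its own CAA record permitting Let's Encrypt (the
# "CAA on the host" workaround); one host forbids every CA; one host carries a
# critical record with a tag this checker does not understand.
SAMPLE_ZONE = """
example.org.          CAA 0   issue     "commercial-ca.example"
example.org.          CAA 0   issuewild ";"
le-host.example.org.  CAA 0   issue     "letsencrypt.org"
locked.example.org.   CAA 0   issue     ";"
strict.example.org.   CAA 128 futuretag "unknown-policy"
"""

CAARecord = Tuple[int, str, str]  # (flags, tag, value)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_LINE = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_zone(text: str) -> Dict[str, List[CAARecord]]:
    """Parse 'owner CAA flags tag "value"' lines into an owner -> RRset map."""
    zone: Dict[str, List[CAARecord]] = {}
    for raw in text.strip().splitlines():
        m = CAA_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"not a CAA presentation line: {raw!r}")
        owner, flags, tag, value = m.groups()
        # Owner names and tags are case-insensitive; normalise both.
        zone.setdefault(owner.lower().rstrip(".") + ".", []).append(
            (int(flags), tag.lower(), value)
        )
    return zone


def relevant_caa_set(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from fqdn toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' -> '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn: str, ca_domain: str, zone: Dict[str, List[CAARecord]], wildcard: bool = False) -> bool:
    """RFC 8659 issuance check for ca_domain against fqdn (or *.fqdn when wildcard=True)."""
    _, rrset = relevant_caa_set(fqdn, zone)
    # A critical record (flag bit 128) with a tag the CA does not understand
    # forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # For wildcard requests, issuewild records take precedence when any exist;
    # otherwise the issue records apply to wildcards too.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    props = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not props:
        return True  # no applicable property anywhere: no restriction
    return ca_domain.lower() in props  # ';' yields '' which matches no CA


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for host, ca in [("www.example.org", "letsencrypt.org"),
                     ("le-host.example.org", "letsencrypt.org"),
                     ("locked.example.org", "commercial-ca.example")]:
        print(host, ca, "->", "allowed" if ca_may_issue(host, ca, zone) else "denied")
```

Run against the sample zone, `www.example.org` is denied for Let's Encrypt because the nearest CAA RRset (at `example.org`) names only the commercial CA, while `le-host.example.org` is allowed because its own RRset is found first and wins; a host with no CAA record anywhere up its tree is open to every CA, which is the default the first post in this thread alludes to.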