
What are some valid reasons not to use LetsEncrypt?


It's a single point of failure that has to follow US laws and sanctions.

If you only have one domain it isn't an issue as you can just go get a certificate somewhere else. But if you have 1000+ domains it's an issue.


If Letsencrypt was the only CA left I would call it a big failure. Without a choice there cannot be trust.


LE is an open standard, any CA can decide to implement it.


The only other CA I know that has this service available is https://www.buypass.com/ssl/products/acme


https://en.m.wikipedia.org/wiki/Automated_Certificate_Manage....

According to Wikipedia there are several large CAs that already support ACME.



ZeroSSL are a commercial CA... I can't figure out what's in it for them to offer free 90-day certs with auto ACME renewal?


I assume on-ramp/freemium. Free certs help them sell paid certs.


If you accidentally leave DNS pointing at an old IP that gets recycled to someone else, you've authorized LetsEncrypt to issue a certificate to the lucky winner.

Most old school CAs do domain validations against the root of the domain, so it's a lot harder to accidentally delegate that.

That's not a reason not to use LetsEncrypt, but it's a reason not to include it in certificate pinning.
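The risk described in this comment is easier to manage if you can spot dangling records before someone else inherits the address. The following script is an added example, not code from the thread or from Let's Encrypt: it takes a flat export of a zone and an inventory of address prefixes you still hold (both constructed here, using documentation ranges) and flags A/AAAA records that point outside the inventory, plus CNAMEs whose target is outside the zone, which is the classic shape of a forgotten cloud resource. The zone format, the inventory list and the names are all assumptions for the example.

```python
"""Flag DNS records that point at addresses or names you may no longer control.

Added example (not from the thread). Assumes a flat text export of
A/AAAA/CNAME records and a list of IP prefixes still allocated to you.
"""
import ipaddress

# Constructed sample zone export: "name type value" per line, not a real zone.
SAMPLE_ZONE = """
; constructed test data
www.example.test.      A     203.0.113.10
api.example.test.      A     203.0.113.11
old-demo.example.test. A     198.51.100.77
legacy.example.test.   AAAA  2001:db8:1::5
blog.example.test.     CNAME www.example.test.
ext.example.test.      CNAME some-bucket.provider.example.
"""

# Constructed inventory of prefixes we still hold (assumption for the example).
OWNED_PREFIXES = ["203.0.113.0/28", "2001:db8:1::/64"]


def parse_zone(text):
    """Parse the simple export into (name, type, value) tuples, ignoring comments."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        name, rtype, value = parts[0], parts[1].upper(), parts[2]
        records.append((name.rstrip("."), rtype, value.rstrip(".")))
    return records


def is_owned(addr, prefixes):
    """True if addr falls inside any prefix we still hold."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def find_dangling(records, prefixes):
    """Return (name, type, value, reason) for records worth reviewing.

    A/AAAA outside the inventory: the address may already belong to someone
    else, who can then pass an HTTP-01 style check for that name.
    CNAME to a target not defined in this zone: a third-party resource that
    could have been released; confirm it is still yours.
    """
    zone_names = {name for name, _, _ in records}
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and not is_owned(value, prefixes):
            findings.append((name, rtype, value, "address not in owned inventory"))
        elif rtype == "CNAME" and value not in zone_names:
            findings.append((name, rtype, value, "CNAME target outside zone"))
    return findings


if __name__ == "__main__":
    for name, rtype, value, reason in find_dangling(parse_zone(SAMPLE_ZONE), OWNED_PREFIXES):
        print(f"{name:<24} {rtype:<6} {value:<32} {reason}")
```

Run against a real zone export, anything the script lists is a candidate for deletion rather than proof of takeover; the CNAME heuristic in particular needs a human (or a provider API) to confirm whether the target still resolves to a resource you own.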


> If you accidentally leave DNS pointing at an old IP that gets recycled to someone else, you've authorized LetsEncrypt to issue a certificate to the lucky winner.

Yeah, but only for that particular subdomain. Sounds like a pretty contrived attack. For it to work, it needs to be some website that you forgot about, but still have enough users that it's viable to attack it.

> Most old school CAs do domain validations against the root of the domain, so it's a lot harder to accidentally delegate that.

Source for this? If there's even a handful of paid CAs that validate at the subdomain level this is a moot point.


> Yeah, but only for that particular subdomain. Sounds like a pretty contrived attack. For it to work, it needs to be some website that you forgot about, but still have enough users that it's viable to attack it.

Not really, something similar happened recently (forgot the company details but was discussed on HN). Somebody left dangling DNS pointed at AWS, new IP holder was apparently using domain scoped cookies / etc to grab browser data. Of course, cert pinning in browsers is largely dead, so not a lot an average person can do here (other than not f* up their DNS). Larger entities can still get one off cert pinning by emailing chrome/other browsers.

>> Most old school CAs do domain validations against the root of the domain, so it's a lot harder to accidentally delegate that.

> Source for this? If there's even a handful of paid CAs that validate at the subdomain level this is a moot point.

This was from personal experience, could be obsolete. But if you're pinning to a couple of commercial roots, you only need to confirm that those roots don't issue certs from subdomain authentication.


It’s extremely insecure if you’re worried about things beyond passive mass surveillance.

If someone can intercept traffic to your server IP, they can get a Let’s Encrypt certificate. If they can’t reliably man in the middle that IP, then HTTP is reasonably secure already.

Such “certificates without certification” This is one reason browsers have added new UI elements for certified domains.


MITM'ing the connection between LE and a server is generally much more difficult and targeted than between any client and the server. Two different scenarios there.


> This is one reason browsers have added new UI elements for certified domains.

Can you elaborate?



