From: Peter Humphrey <peter@prh.myzen.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
Date: Tue, 01 Jun 2021 13:02:35 +0100 [thread overview]
Message-ID: <2603445.mvXUDI8C0e@wstn> (raw)
In-Reply-To: <b14d169deb60fb4e2796689aaedda9dfd3555837.camel@gentoo.org>
On Tuesday, 1 June 2021 12:40:28 BST Michael Orlitzky wrote:
> On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
> > It's not that easy to do it with internal-only systems as Let's Encrypt
> > requires the hostname to be known externally.
> > And there are plenty of devices you do not want the whole internet to know
> > about.
>
> And in this situation LetsEncrypt does nothing but make security worse:
>
> * You have to trust the entire CA infrastructure rather than just your
> own CA. Many of the CAs are not just questionable, but like the
> governments of the USA and China, known to be engaged in large-scale
> man-in-the-middle attacks.
>
> * The LetsEncrypt certificates expire after three months, as opposed
> to 10+ years for a self-signed certificate. You're supposed to
> automate this... by running a script as root that takes input from
> the web? I'd rather not do that.
>
> * LetsEncrypt verifies your identity over plain HTTP (like every other
> commercial CA), so it's all security theater in the first place.
>
> There are plenty of arguments against LE even for public sites, but for
> private ones, it's a lot more clear-cut...
So what would you recommend for someone in the case Joost cites? I'm in that
position, being a home user of a small network but no registered Internet
name.
--
Regards,
Peter.
next prev parent reply other threads:[~2021-06-01 12:02 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-29 1:08 [gentoo-user] app-misc/ca-certificates zcampe
2021-05-29 6:26 ` Walter Dnes
2021-06-01 4:45 ` J. Roeleveld
2021-06-01 5:15 ` William Kenworthy
2021-06-01 10:44 ` Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) karl
2021-06-01 11:17 ` J. Roeleveld
2021-06-01 11:40 ` Michael Orlitzky
2021-06-01 12:02 ` Peter Humphrey [this message]
2021-06-01 12:16 ` Michael Orlitzky
2021-06-01 12:24 ` Peter Humphrey
2021-06-01 13:22 ` Rich Freeman
2021-06-01 13:17 ` karl
2021-06-01 13:20 ` karl
2021-06-01 13:17 ` karl
2021-06-01 11:59 ` [gentoo-user] app-misc/ca-certificates Adam Carter
2021-06-01 13:29 ` Rich Freeman
2021-06-02 1:13 ` William Kenworthy
2021-06-03 9:06 ` Adam Carter
2021-06-01 21:25 ` Grant Taylor
2021-06-01 21:38 ` Michael Orlitzky
2021-06-02 1:51 ` Grant Taylor
2021-06-02 7:21 ` J. Roeleveld
2021-06-02 20:22 ` Grant Taylor
2021-06-02 7:48 ` Fannys
2021-06-02 20:23 ` Grant Taylor
2021-06-01 22:28 ` Fannys
2021-06-02 7:23 ` J. Roeleveld
2021-06-01 21:05 ` Grant Taylor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2603445.mvXUDI8C0e@wstn \
--to=peter@prh.myzen.co.uk \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox