From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id F2E2C13835A for ; Tue, 1 Jun 2021 12:02:42 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 33304E0855; Tue, 1 Jun 2021 12:02:38 +0000 (UTC) Received: from smarthost03d.mail.zen.net.uk (smarthost03d.mail.zen.net.uk [212.23.1.23]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D00F3E07D7 for ; Tue, 1 Jun 2021 12:02:37 +0000 (UTC) Received: from [82.69.80.10] (helo=wstn.localnet) by smarthost03d.mail.zen.net.uk with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1lo36S-0000FX-1u for gentoo-user@lists.gentoo.org; Tue, 01 Jun 2021 12:02:36 +0000 From: Peter Humphrey To: gentoo-user@lists.gentoo.org Subject: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) Date: Tue, 01 Jun 2021 13:02:35 +0100 Message-ID: <2603445.mvXUDI8C0e@wstn> In-Reply-To: References: <20210529030839.123d8526@melika.host77.tld> <2212846.ElGaqSPkdT@iris> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Originating-smarthost03d-IP: [82.69.80.10] Feedback-ID: 82.69.80.10 X-Archives-Salt: d5139016-0050-4ad7-98b9-2d1d2b31abe1 X-Archives-Hash: 18fecc09c4b620a757471dabd754abf4 On Tuesday, 1 June 2021 12:40:28 BST Michael Orlitzky wrote: > On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote: > > It's not that easy to do it with internal-only systems as Let's Encrypt > > requires the hostname to be known externally. > > And there are plenty of devices you do not want the whole internet to know > > about. > > And in this situation LetsEncrypt does nothing but make security worse: > > * You have to trust the entire CA infrastructure rather than just your > own CA. Many of the CAs are not just questionable, but like the > governments of the USA and China, known to be engaged in large-scale > man-in-the-middle attacks. > > * The LetsEncrypt certificates expire after three months, as opposed > to 10+ years for a self-signed certificate. You're supposed to > automate this... by running a script as root that takes input from > the web? I'd rather not do that. > > * LetsEncrypt verifies your identity over plain HTTP (like every other > commercial CA), so it's all security theater in the first place. > > There are plenty of arguments against LE even for public sites, but for > private ones, it's a lot more clear-cut... So what would you recommend for someone in the case Joost cites? I'm in that position, being a home user of a small network but no registered Internet name. -- Regards, Peter.