Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
From: Michael Orlitzky @ 2021-06-01 11:40 UTC
To: gentoo-user
On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
>
> It's not that easy to do it with internal-only systems as Let's Encrypt
> requires the hostname to be known externally.
> And there are plenty of devices you do not want the whole internet to know
> about.
>
And in this situation LetsEncrypt does nothing but make security worse:
* You have to trust the entire CA infrastructure rather than just your
own CA. Many of the CAs are not just questionable, but like the
governments of the USA and China, known to be engaged in large-scale
man-in-the-middle attacks.
* The LetsEncrypt certificates expire after three months, as opposed
to 10+ years for a self-signed certificate. You're supposed to
automate this... by running a script as root that takes input from
the web? I'd rather not do that.
* LetsEncrypt verifies your identity over plain HTTP (like every other
commercial CA), so it's all security theater in the first place.
There are plenty of arguments against LE even for public sites, but for
private ones, it's a lot more clear-cut...