* Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
@ 2021-06-01 12:02 99% ` Peter Humphrey
0 siblings, 0 replies; 1+ results
From: Peter Humphrey @ 2021-06-01 12:02 UTC (permalink / raw
To: gentoo-user
On Tuesday, 1 June 2021 12:40:28 BST Michael Orlitzky wrote:
> On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
> > It's not that easy to do it with internal-only systems as Let's Encrypt
> > requires the hostname to be known externally.
> > And there are plenty of devices you do not want the whole internet to know
> > about.
>
> And in this situation LetsEncrypt does nothing but make security worse:
>
> * You have to trust the entire CA infrastructure rather than just your
> own CA. Many of the CAs are not just questionable, but like the
> governments of the USA and China, known to be engaged in large-scale
> man-in-the-middle attacks.
>
> * The LetsEncrypt certificates expire after three months, as opposed
> to 10+ years for a self-signed certificate. You're supposed to
> automate this... by running a script as root that takes input from
> the web? I'd rather not do that.
>
> * LetsEncrypt verifies your identity over plain HTTP (like every other
> commercial CA), so it's all security theater in the first place.
>
> There are plenty of arguments against LE even for public sites, but for
> private ones, it's a lot more clear-cut...
So what would you recommend for someone in the case Joost cites? I'm in that
position, being a home user of a small network but no registered Internet
name.
--
Regards,
Peter.
^ permalink raw reply [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2021-05-29 1:08 [gentoo-user] app-misc/ca-certificates zcampe
2021-06-01 11:17 ` Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) J. Roeleveld
2021-06-01 11:40 ` Michael Orlitzky
2021-06-01 12:02 99% ` Peter Humphrey
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox