- Let's Encrypt did more for privacy than any other organization. Before Let's Encrypt, we'd usually deploy TLS certificates, but as somewhat of an afterthought, and leaving HTTP accessible. They were a pain to (very manually) rotate once a year, too.
It's hard to overstate just how much LE changed things. They made TLS the default, so much that you didn't have to keep unencrypted HTTP around any more. Kudos.
by gorgoiler
2 subcomments
- Thank you Let’s Encrypt, you changed the world and made it better.
Sorry to everyone else who was listening in on the wire. Come back with a warrant, I guess?!
- To play the devil's advocate: TLS on websites where you are not logged in is the greatest security hogwash of all time.
For example the cookies of the NYT:
  - Store and/or access information on a device: 178 vendors
  - Use limited data to select advertising: 111 vendors
  - Create profiles for personalised advertising: 135 vendors
  - Use profiles to select personalised advertising
  - Understand audiences through statistics or combinations of data from different sources: 92 vendors
There is no way to escape any of this unless you spend several hours per week to click through these dialogs and to adjust adblockers. And even if you block all cookies, ever-cookies and fingerprinting, then there are still Cloudflare, Amazon, GCP and Azure who know your cross-site visits.
The NSA is no longer listening because there is TLS everywhere? Sure, and the earth is flat.
- I remember deploying SSL on NetWare in the late 1990s and being given ... something that the US allowed to be exported as a munition!
I don't recall the exact details but it was basically buggered - short key length. Long enough to challenge an 80386 Beowulf cluster but no match for whatever was humming away in a very well funded machine room.
You could still play with all the other exciting dials and knobs, SANs and so on but in the end it was pretty worthless.
by throw0101a
1 subcomments
- There are several other certificate provisioning protocols:
* https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_...
by dorianniemiec
0 subcomment
- This protocol definitely made securing the web easier. Thanks to it, I don't need to renew certificates manually (it's now done automatically), which can be tedious...
- Thank you for your service
by abhashanand1501
6 subcomments
- Can someone explain why Let's Encrypt certificates have to have a 90-day expiry? I know there is automation available, but what is the rationale for 90 days?
by wakawaka28
4 subcomments
- Has anyone considered the possibility that a CA such as Let's Encrypt could be compromised or even run entirely by intelligence operatives? Of course, there are many other CAs that could be compromised and making money off of customers on top of that. But who knows... What could defend against this possibility? Multiple signatures on a certificate?
- It seems like all this infrastructure could be replaced by a DNS TXT record with a public key that browsers could use to check the cert sent from the web server. A web server would load a self-signed cert (or whatever cert they wanted), and put the cert's public key into a DNS record for that hostname. Every visit to a website would need two lookups, one for address and one for key. It puts control back into the hands of the domain owners and eliminates the need for Let's Encrypt.
by 1vuio0pswjnm7
0 subcomment
- "The challenge is based on device attestation and what’s new in this case is the arrival of a third party, the attestation server."
- I’m sorry, who the heck wrote this and why should I trust them? Very poorly written, also.
It’s bizarre. There is a photo at the top, no name, no site title. No about page. Extremely untrustworthy.
- It certainly affected Wile E Coyote.