[Cryptography] letsencrypt.org
Ron Garret
ron at flownet.com
Wed Sep 13 17:53:24 EDT 2017
On Sep 13, 2017, at 1:55 PM, Perry E. Metzger <perry at piermont.com> wrote:
> On Wed, 13 Sep 2017 14:18:40 -0400 "Bayuk" <jennifer at bayuk.com> wrote:
>> Has anyone on this list contributed to https://letsencrypt.org/ -
>> and/or otherwise have personal experience, caveats, recommendations
>> with respect to the current service or roadmap?
>
> It works. I use it a lot for random sites where I don't care deeply
> about the security of the system.
>
> Note my security caveat isn't about the certificates being somehow
> less good than other certificates. It is that someone gaining
> temporary control of a server for your domain is in a good position to
> also get a cert for your domain signed. Of course, absent a system
> like Certificate Transparency, or cert pinning, that's the case
> anyway, so perhaps I'm being paranoid.
Right. An attacker who gets access to any machine that has a DNS record for your domain can get a cert for your domain using LE. This is true whether or not you use it (because an attacker can just install it themselves) so this is not a good reason not to use it.
rg
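
Added example, not part of the original post: a sketch of the Certificate Transparency check mentioned in the thread, run over constructed issuance records. The record fields, key fingerprints and domain are assumptions for illustration; records are matched on public-key fingerprint rather than issuer, because an unexpected cert can come from the same CA the domain owner already uses.

```python
from datetime import datetime, timezone

# Constructed sample records, shaped like what a CT monitor might return.
# Field names and values are hypothetical, not any real log's schema.
CT_ENTRIES = [
    {"serial": "0a", "names": ["example.org", "www.example.org"],
     "issuer": "Example CA 1", "spki_sha256": "key-own-2017",
     "logged": "2017-09-01T10:00:00+00:00"},
    {"serial": "0b", "names": ["*.example.org"],
     "issuer": "Example CA 1", "spki_sha256": "key-unknown-1",
     "logged": "2017-09-10T03:12:00+00:00"},
    {"serial": "0c", "names": ["evil-example.org"],
     "issuer": "Example CA 2", "spki_sha256": "key-other",
     "logged": "2017-09-11T08:00:00+00:00"},
    {"serial": "0d", "names": ["mail.example.org"],
     "issuer": "Example CA 2", "spki_sha256": "key-unknown-2",
     "logged": "2017-06-01T00:00:00+00:00"},
]

# Fingerprints of keys we generated ourselves (constructed inventory).
KNOWN_KEYS = {"key-own-2017"}


def covers(name, domain):
    """True if a certificate name is `domain`, a subdomain, or a wildcard under it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unexpected_issuance(entries, domain, known_keys, since):
    """Entries for `domain` logged at or after `since` whose key is not in our inventory."""
    findings = []
    for entry in entries:
        if datetime.fromisoformat(entry["logged"]) < since:
            continue  # outside the review window
        if not any(covers(n, domain) for n in entry["names"]):
            continue  # a different domain, including look-alikes
        if entry["spki_sha256"] in known_keys:
            continue  # our own issuance or renewal
        findings.append(entry)
    return findings


if __name__ == "__main__":
    window = datetime(2017, 8, 1, tzinfo=timezone.utc)
    for hit in unexpected_issuance(CT_ENTRIES, "example.org", KNOWN_KEYS, window):
        print("unexpected cert:", hit["serial"], hit["names"], hit["issuer"])
```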