[Cryptography] letsencrypt.org

Ben Laurie ben at links.org
Thu Sep 14 14:05:14 EDT 2017


On 14 September 2017 at 14:26, Perry E. Metzger <perry at piermont.com> wrote:
> On Thu, 14 Sep 2017 10:06:45 +0100 Ben Laurie <benl at google.com> wrote:
>> On 13 September 2017 at 21:55, Perry E. Metzger
>> <perry at piermont.com> wrote:
>>
>> > On Wed, 13 Sep 2017 14:18:40 -0400 "Bayuk" <jennifer at bayuk.com>
>> > wrote:
>> > > Has anyone on this list contributed to
>> > > https://letsencrypt.org/ - and/or otherwise have personal
>> > > experience, caveats, recommendations with respect to the
>> > > current service or roadmap?
>> >
>> > It works. I use it a lot for random sites where I don't care
>> > deeply about the security of the system.
>> >
>> > Note my security caveat isn't about the certificates being somehow
>> > less good than other certificates. It is that someone gaining
>> > temporary control of a server for your domain is in a good
>> > position to also get a cert for your domain signed. Of course,
>> > absent a system like Certificate Transparency, or cert pinning,
>> > that's the case anyway, so perhaps I'm being paranoid.
>> >
>>
>> You are exposed to that risk regardless of whether you use Let's
>> Encrypt or not, so not quite sure what point you're making?
>
> I said in my last sentence that you're exposed to that risk
> regardless, so perhaps there is no point to my paranoia.
> Did you miss that? See above.

Hmm. I guess I just didn't parse it as you intended. :-)

CT doesn't prevent them getting a cert, btw, it just ensures you know they have.

You are checking CT for your domains, aren't you?
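
An added example, not part of the original message: one way to run the check asked about above, comparing Certificate Transparency entries for your domains against the certificates you know you requested. The `CTEntry` shape, `WATCHED`, `INVENTORY` and every sample record are constructed assumptions; in practice the entries would come from a CT log monitor or search service.

```python
# Added example: flag CT entries naming our domains that we did not request.
from dataclasses import dataclass

@dataclass(frozen=True)
class CTEntry:
    issuer: str    # issuer DN as reported for the logged (pre)certificate
    serial: str    # hex serial number
    names: tuple   # dNSName SAN values

WATCHED = {"example.org"}  # domains we own (assumption)
LE = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
# (issuer, normalised serial) of certificates we requested, from our own records.
INVENTORY = {(LE, "3a1")}

def norm(serial):
    """Normalise a hex serial so 03A1 and 3a1 compare equal."""
    return serial.lower().lstrip("0")

def covers_watched(name):
    """True if a SAN is a watched domain, a subdomain of one, or a wildcard for one."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Require a label boundary so notexample.org does not match example.org.
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def unexpected(entries):
    """Return entries for watched domains that are absent from INVENTORY."""
    seen, hits = set(), []
    for e in entries:
        key = (e.issuer, norm(e.serial))
        if key in seen or not any(covers_watched(n) for n in e.names):
            continue  # duplicate (precert + final cert) or not our domain
        seen.add(key)
        if key not in INVENTORY:
            hits.append(e)
    return hits

SAMPLE = [  # constructed entries
    CTEntry(LE, "03A1", ("example.org", "www.example.org")),  # ours
    CTEntry(LE, "03a1", ("example.org", "www.example.org")),  # same cert logged twice
    CTEntry(LE, "07ff", ("mail.example.org",)),               # not in inventory
    CTEntry("C=XX, O=Constructed CA, CN=Constructed CA 1", "1b", ("*.example.org",)),
    CTEntry(LE, "09c2", ("notexample.org",)),                 # different domain
]

if __name__ == "__main__":
    for e in unexpected(SAMPLE):
        print("unexpected certificate:", e.issuer, e.serial, ", ".join(e.names))
```

An entry flagged here means a certificate exists that you should account for; as the message notes, the log records the issuance, it does not stop it.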

