Gentoo Archives: gentoo-user

From: Michael Orlitzky <mjo@g.o>
To: gentoo-user@l.g.o
Subject: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
Date: Tue, 01 Jun 2021 11:40:39
In Reply to: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) by "J. Roeleveld"
1 On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
2 >
3 > It's not that easy to do it with internal-only systems as Let's Encrypt
4 > requires the hostname to be known externally.
5 > And there are plenty of devices you do not want the whole internet to know
6 > about.
7 >
9 And in this situation LetsEncrypt does nothing but make security worse:
11 * You have to trust the entire CA infrastructure rather than just your 
12 own CA. Many of the CAs are not just questionable, but like the 
13 governments of the USA and China, known to be engaged in large-scale
14 man-in-the-middle attacks.
16 * The LetsEncrypt certificates expire after three months, as opposed 
17 to 10+ years for a self-signed certificate. You're supposed to 
18 automate this... by running a script as root that takes input from 
19 the web? I'd rather not do that.
21 * LetsEncrypt verifies your identity over plain HTTP (like every other 
22 commercial CA), so it's all security theater in the first place.
24 There are plenty of arguments against LE even for public sites, but for
25 private ones, it's a lot more clear-cut...


Subject Author
Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) Peter Humphrey <peter@××××××××××××.uk>
Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) karl@××××××××.se