[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] letsencrypt.org



On 14 September 2017 at 14:26, Perry E. Metzger <perry AT piermont.com> wrote:
> On Thu, 14 Sep 2017 10:06:45 +0100 Ben Laurie <benl AT google.com> wrote:
>> On 13 September 2017 at 21:55, Perry E. Metzger
>> <perry AT piermont.com> wrote:
>>
>> > On Wed, 13 Sep 2017 14:18:40 -0400 "Bayuk" <jennifer AT bayuk.com>
>> > wrote:
>> > > Has anyone on this list contributed to
>> > > https://letsencrypt.org/ - and/or otherwise have personal
>> > > experience, caveats, recommendations with respect to the
>> > > current service or roadmap?
>> >
>> > It works. I use it a lot for random sites where I don't care
>> > deeply about the security of the system.
>> >
>> > Note my security caveat isn't about the certificates being somehow
>> > less good than other certificates. It is that someone gaining
>> > temporary control of a server for your domain is in a good
>> > position to also get a cert for your domain signed. Of course,
>> > absent a system like Certificate Transparency, or cert pinning,
>> > that's the case anyway, so perhaps I'm being paranoid.
>> >
>>
>> You are exposed to that risk regardless of whether you use Let's
>> Encrypt or not, so not quite sure what point you're making?
>
> I said in my last sentence that you're exposed to that risk
> regardless, so perhaps there is no point to my paranoia.
> Did you miss that? See above.

Hmm. I guess I just didn't parse it as you intended. :-)

CT doesn't prevent them getting a cert, btw, it just ensure you know they have.

You are checking CT for your domains, aren't you?
_______________________________________________
The cryptography mailing list
cryptography AT metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography