
Ask HN: Is Let's Encrypt Harmful? - jan-jakub
I've just learned about Let's Encrypt, and it made me a little bit worried. Now, I'm afraid (correct me please if I'm wrong) I cannot easily say if the server I'm talking to is the one I _think_ I'm communicating with; the https protocol and SSL certificates are there only to ensure _message confidentiality_, but not _server identity_.

Here are my questions:

1. Is there a way to check in a browser if the current domain's certificate has been issued by Let's Encrypt?

2. Should I trust domains with Let's Encrypt-issued certificates less than those with paid certificates with identity validation?

Perhaps my questions display a lack of understanding of some fundamental concept of SSL. If that's the case, I'm happy to learn!
======
detaro
Most SSL certificates use the same validation mechanisms as Let's Encrypt.
Let's Encrypt is not less secure than other providers of domain validated (DV)
certificates; all they check is that the requester of the certificate has some
kind of control over the domain at the time of the request.

You couldn't trust SSL for owner identity before Let's Encrypt either, nothing
has changed.

If you want stronger guarantees for the identity of the owner, you'll have to
look for Extended Validation (EV) certificates (Browsers generally show the
company name next to the lock in the URL bar).
([https://www.cloudflare.com/](https://www.cloudflare.com/) as an example, HN
or [https://www.amazon.com](https://www.amazon.com) as examples of sites that
_don't_ use EV)

~~~
crapsalot
Wrong.

Most SSL cert CAs check DNS for email addresses and only validate DNS
entries.

Let's Encrypt only checks DNS for IP addresses and issues certs based on root
access to the IP addresses.

A CA DV is not equivalent to a Let's Encrypt cert.

~~~
detaro
Most CAs accept an email to a predetermined address at the domain, which
validates that a DNS entry (MX record) on the domain points to a server
controlled by the requester.

Many also offer the same thing as Let's Encrypt, which basically verifies if
the A/AAAA record for the domain points to a server controlled by the
requester.

What am I missing?
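The A/AAAA-record check described above is, in ACME terms, the HTTP-01 challenge (RFC 8555 section 8.3): the CA hands the requester a random token, the requester serves `token.thumbprint(account key)` at `http://<domain>/.well-known/acme-challenge/<token>`, and the CA fetches that URL via the domain's public DNS record. The following is an added example, not code from the thread or from Let's Encrypt, that simulates both sides in-process with no network; the EC JWK is a constructed public-key value, not a real account key, and the "DNS" is a plain dictionary standing in for the A/AAAA lookup.

```python
"""Simulated ACME HTTP-01 challenge: what 'control over the domain' means.

Added example, not from the thread. Follows RFC 8555 (key authorization)
and RFC 7638 (JWK thumbprint) but replaces DNS and HTTP with in-process
stand-ins so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed EC P-256 public JWK (example values only, not a real account key).
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the *required* public members only, serialised
    as compact JSON with lexicographically sorted keys. Extra members such as
    'use' or 'kid' must not influence the thumbprint."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint. Binding the thumbprint in
    means only the holder of *this* ACME account key can satisfy the token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def new_token() -> str:
    """CA-side token: RFC 8555 wants at least 128 bits of entropy."""
    return b64url(secrets.token_bytes(32))


# --- requester side: the web server the domain's A/AAAA record points at ---
def make_challenge_responder(account_jwk: dict):
    served: Dict[str, str] = {}

    def provision(token: str) -> None:
        served[f"/.well-known/acme-challenge/{token}"] = key_authorization(token, account_jwk)

    def http_get(path: str) -> Optional[str]:
        return served.get(path)

    return provision, http_get


# --- CA side ---
def ca_validate(domain: str, token: str, account_jwk: dict,
                fetch: Callable[[str, str], Optional[str]]) -> bool:
    """The CA resolves the domain itself (via 'fetch'), GETs the challenge path
    over plain HTTP, and compares the body to the expected key authorization."""
    body = fetch(domain, f"/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    return hmac.compare_digest(body.strip(), key_authorization(token, account_jwk))


def run_scenarios() -> Tuple[bool, bool, bool]:
    """Returns (legitimate request passes, different account key fails,
    domain not pointing at the requester fails)."""
    token = new_token()
    provision, http_get = make_challenge_responder(ACCOUNT_JWK)
    provision(token)

    # Stand-in for public DNS: example.com's A record resolves to the
    # requester's server; other.example resolves to nothing we control.
    dns = {"example.com": http_get}

    def fetch(domain: str, path: str) -> Optional[str]:
        server = dns.get(domain)
        return server(path) if server else None

    other_key = dict(ACCOUNT_JWK, x="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
    return (
        ca_validate("example.com", token, ACCOUNT_JWK, fetch),
        ca_validate("example.com", token, other_key, fetch),
        ca_validate("other.example", token, ACCOUNT_JWK, fetch),
    )


if __name__ == "__main__":
    print(run_scenarios())
```

Note what the check does and does not establish: whoever can make the domain's public DNS answer point at a server they control (or hijack the route to that server for the duration of the request) passes it, and nothing about the legal identity of the requester is examined. That is exactly the property every DV certificate, paid or not, attests to.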

------
Kurnihil
Your concerns are completely right, but there is a catch: Let's Encrypt is
trying to lower the barrier in money and time to offer an encrypted connection
between a server and you. Even now there are different levels of certificate in
the standard; you can notice it when you see the lock icon in your browser
turning green or not. Hacker News, for example, doesn't offer owner
information, so it's grey; Twitter instead turns green as it uses the most
secure certificate.

The fact is that when you connect to my website ilikeapple.com, in which I
write about my experience as an apple farmer, you don't need to be sure of my
server identity ('cause you don't even know my website), but you could still
need message confidentiality ('cause you don't want your rival farmer to know
that you are interested in planting apple trees next year).

So, don't put your credit card number in a site that does not offer server
identity (Hacker News for example), but don't worry too much about the
certificates of Let's Encrypt, because they are the lowest level of certificate
possible.

P.S. They are working to expand the same concept to "higher grade" certificates,
but of course it is a work in progress (and it is not certain it's possible).

------
UnoriginalGuy
To be honest the whole way the internet has always worked is a little
backwards...

- HTTP: White background with black text.

- Mixed content: "Scary" red cross through it.

- Domain verified: Green

- Identity verified (EV): Super-green

In an ideal world it would work like this:

- HTTP &amp; Mixed Content: "Scary" red cross through it (i.e. "unencrypted" or
compromised encryption).

- Domain verified: White background with black text.

- Identity verified (EV): Super green.

So DV just becomes the new "normal," since all it is asserting is that you
haven't been MitM-ed to the specific domain requested. HTTP becomes the new
bad (which it is). And only EV gets the green padlock treatment (i.e. so you
look for THAT if you enter personal information).

PS - Plus you've always been able to get a Let's Encrypt-style certificate; it
just costs you $8, which is easy to get using stolen credit cards.

------
crapsalot
2. Should I trust domains with Let's Encrypt-issued certificate less than
those with paid certificates with identity validation?

No...

Let's Encrypt should not have the same level of trust as the basic DV level
cert from a standard CA.

There is a security hole in ACME which is glossed over with handwaving from
the fanbois.

------
cabirum
    openssl s_client -connect example.com:443 -servername example.com -quiet

prints the certificate chain; you'll see something like this:

    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1

\- meaning Let's Encrypt is involved.
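The same question 1 check can be answered without a browser from Python's standard library. This is an added example, not code from the thread: it reads the issuer either from the nested RDN tuples that `ssl.SSLSocket.getpeercert()` returns, or from the `depth=N ...` lines `openssl s_client` prints while verifying. The live TLS lookup is kept in its own function (it needs network and is never called by the tests); the sample `getpeercert()` dict and the sample `s_client` output are constructed inputs. Matching on the issuer organization `O = Let's Encrypt` rather than on the intermediate's CN is deliberate: the intermediate in the original post ("Let's Encrypt Authority X1") has long since been rotated, while the organization name has stayed the same.

```python
"""Detect whether a site's certificate chain involves Let's Encrypt.

Added example, not from the thread. Two input shapes are handled:
  * the dict ssl.SSLSocket.getpeercert() returns (nested RDN tuples)
  * the stderr text openssl s_client prints during chain verification
The live lookup (fetch_peercert) needs network; everything else is offline.
"""
import re
import socket
import ssl
from typing import Dict, Optional

LETS_ENCRYPT_ORG = "Let's Encrypt"


def rdn_to_dict(name) -> Dict[str, str]:
    """Flatten ((('countryName', 'US'),), (('organizationName', ...),), ...)
    into {attribute: value}. Later RDNs overwrite earlier ones on collision,
    which is fine for the attributes checked here."""
    return {attr: value for rdn in name for attr, value in rdn}


def issuer_org_from_peercert(cert: dict) -> Optional[str]:
    """organizationName of the issuer, or None if the cert dict has no issuer."""
    return rdn_to_dict(cert.get("issuer", ())).get("organizationName")


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup (needs network): full TLS handshake with SNI and default
    chain verification, returning the leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# "depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1"
DEPTH_LINE = re.compile(r"^depth=(\d+)\s+(.*)$")
# Split only on commas that are followed by the next 'ATTR =' token, so a
# comma inside a value such as "Digital Signature Trust Co." is preserved.
RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z.]+\s*=)")


def parse_s_client_chain(output: str) -> Dict[int, Dict[str, str]]:
    """Parse the depth lines openssl s_client prints. Returns
    {depth: {attribute: value}}; depth 0 is the leaf, highest is the root."""
    chain: Dict[int, Dict[str, str]] = {}
    for line in output.splitlines():
        m = DEPTH_LINE.match(line.strip())
        if not m:
            continue
        attrs: Dict[str, str] = {}
        for part in RDN_SPLIT.split(m.group(2)):
            if "=" in part:
                key, value = part.split("=", 1)
                attrs[key.strip()] = value.strip()
        chain[int(m.group(1))] = attrs
    return chain


def lets_encrypt_in_chain(chain: Dict[int, Dict[str, str]]) -> bool:
    """True if any certificate in the parsed chain is owned by Let's Encrypt."""
    return any(attrs.get("O") == LETS_ENCRYPT_ORG for attrs in chain.values())


# Constructed sample of what getpeercert() returns for a Let's Encrypt leaf.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
    "notAfter": "Mar  1 12:00:00 2016 GMT",
}

# Constructed sample of s_client stderr for the same chain at the time.
SAMPLE_S_CLIENT_STDERR = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify return:1
depth=0 CN = example.com
verify return:1
"""


if __name__ == "__main__":
    print("issuer O:", issuer_org_from_peercert(SAMPLE_PEERCERT))
    print("chain:", parse_s_client_chain(SAMPLE_S_CLIENT_STDERR))
    print("Let's Encrypt involved:",
          lets_encrypt_in_chain(parse_s_client_chain(SAMPLE_S_CLIENT_STDERR)))
```

Two caveats a practitioner would add: `getpeercert()` only returns the parsed dict when the socket actually verified the chain (with `CERT_NONE` it returns an empty dict), and the issuer of the leaf tells you which CA issued it, not who operates the site, which is the whole point the replies above make about DV certificates.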

