Then you have a signed key but you still have to implement the crypto algorithms...

garmaine · on June 23, 2020

Which is as easy as running one of a half dozen open source TLS proxies in front of your regular, unencrypted HTTP application port.

inetknght · on June 23, 2020

You don't need to "implement the crypto algorithms" unless you're reinventing the wheel. You just need to get the private key and certificate (run certbot) and configure your server software (change your settings).

foxrob92 · on June 24, 2020

Alternatively, use caddy as a HTTPS server. It requests the certs from letsencrypt for you, for all domains that you configure it for.

garmaine · on June 24, 2020

You don’t know what state actor is running it though.

inetknght · on June 24, 2020

LetsEncrypt is good enough to protect you from ISP malfeasance and script kiddies on your public wifi.

But if your threat model includes nation states then LetsEncrypt should only be one part of your defense in depth strategy.

teddyh · on June 24, 2020

It literally does not matter for you if Let’s Encrypt is run by a hostile entity. They never get your private key, they only give you a certificate saying your key is valid.

thom · on June 24, 2020

Would anything nefarious be made possible by them granting someone _else_ such a certificate?

teddyh · on June 24, 2020

Sure, but LE could always do that, even if you don’t use them. So that is still not a reason to avoid using them.