They have done so much in real world crypto, I feel like they should be the ones handing out prizes and awards. The single biggest improvement in transport security since public key crypto imo.
I would also like to do a shoutout to software like Caddy Server which automatically provisions with TLS using Let’s Encrypt. Doing this removes another barrier to adoption.
Thank you for the shoutout! Both projects have definitely been a community effort. There are many people and sponsors to thank.
I've worked on both Let's Encrypt and Caddy. Indeed, the goal with Caddy is to set the gold standard for other software to follow. I'd say Let's Encrypt does the heavy lifting in this space, though. It's truly a remarkable team and infrastructure.
Next project: "Let's Interoperate". Total portability of data, authentication, contact lists, and full inter-working of chat and AV protocols coming soon!
After breaking the certificate racket, let's end the tech walled-garden monopolies.
What about the theory that the NIST encryption curves may be backdoored ?
If this is the case, if I would be the NSA I would strongly push for free cryptography, to make sure that only the US can decrypt the communications and have a strategic advantage.
Let's Encrypt is a CA. Their involvement with web cryptography begins and ends with signing certificates which are used for authentication -- they have no say over what cryptography actually gets used for a TLS connection.
"The “k” in secp256k1 stands for Koblitz and the “r” in secp256r1 stands for random. A Koblitz elliptic curve has some special properties that make it possible to implement the group operation more efficiently. It is believed that there is a small security trade-off, that more “randomly” selected parameters are more secure. However, some people suspect that the random coefficients may have been selected to provide a back door."
If a solution is plausible, and this solution can bring dozens of billions of USD in in direct economic value or protect populations, certainly the smart people would/should think about a way to do it (and this could even be the right thing to do).
I'm not saying that Let's Encrypt is backdoored; what I'm saying is that it's a juicy target and that one potential solution to this problem is to encourage decentralization.
Honestly, not by much. There are maybe half a dozen major CAs that make up the vast majority (95%+) of certificate issuance, and that number has been shrinking as poorly run CAs have been shut down (like GeoTrust) and other CAs have gone through cycles of acquisition (like Verisign/Symantec/DigiCert).
Besides, a lot of the market share which Let's Encrypt has acquired has been by expanding the market, rather than taking it from other players. Ten years ago, less than 25% of web traffic was encrypted; now, 80-90% of it is, and a lot of that growth has been through increased availability of free or low-cost certificates.
TLS only addresses minor threats; it doesn't help against NSA/CIA/etc. and their equivalents in other jurisdictions. Corporate websites will give up your plaintexts, and the cloud providers will give up your private keys hosted on their servers.
This is a very nice recognition! I realized that the registrar I have my personal site with purposefully does not support Let's Encrypt as a CA. Anyone have a registrar they'd recommend these days to transfer a domain to? FYI, the crappy registrar/host in question is namecheap.com so you can avoid them in the future.
Some "free" or "low cost" "registrars" actually are hosting providers that register the domain for you, and then provide you limited access to the tools normally available.
Do these still exist? I remember running into one of them around 2005, but I haven't heard of any since -- it's been a long time since "give away hosting and run ads against the content" was a viable business model.
Is this a new development with namecheap? I currently have a domain with them that is set up with let's encrypt.
I haven't touched my site in a long time now but visiting it now shows https.
Apparently not, but I only just noticed after their free 1 year trial of SSL certs expired. They're listed on the Let's Encrypt site as having no plans to support and the source is pretty hilarious:
The domain registrar is unrelated to LE and can’t block LE.
Just install caddy on a $5/mo VPS instead of using your domain registrar as a host. It will automatically renew LE certs. Your current setup is almost always a terrible idea.
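To make the point from the earlier replies concrete (the CA only signs the certificate; the curves, key type and cipher suites used on the wire are chosen by the server and client, and Caddy obtains and renews the Let's Encrypt certificate on its own), here is an added Caddyfile example. It is not from the thread or from the Caddy project; the hostname, e-mail address and backend port are placeholders.

```caddyfile
# Global options: the ACME account contact used when Caddy registers with
# Let's Encrypt. Replace with a real address (placeholder value).
{
	email admin@example.com
}

# Any site block with a public hostname gets automatic HTTPS: Caddy
# requests the certificate from Let's Encrypt, answers the ACME challenge,
# and renews it before expiry with no cron job or manual step.
example.com {
	# The TLS parameters below are the server's decision, not the CA's.
	# Let's Encrypt never sees or influences any of this; it only signs
	# the public key Caddy generates.
	tls {
		# Key the certificate is issued for: ECDSA P-256 here rather than RSA.
		key_type p256

		# Key-exchange curves offered to clients, in preference order.
		# secp256k1 (the Koblitz curve) is not a TLS option at all;
		# x25519 is preferred, P-256/P-384 kept for older clients.
		curves x25519 secp256r1 secp384r1

		# Protocol floor and ceiling. TLS 1.3 cipher suites are fixed by the
		# protocol; the ciphers list below only applies to TLS 1.2 clients.
		protocols tls1.2 tls1.3
		ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
	}

	# Forward to the application; the app never handles certificates.
	reverse_proxy localhost:8080
}
```

The `tls` block is optional: omitting it entirely still gives you automatic Let's Encrypt issuance with Caddy's defaults. It is spelled out here only to show where the cryptographic choices actually live, which is the server configuration, not the certificate authority.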
https://news.ycombinator.com/item?id=31018436