What are you going on about?

Free SSL certificates!$#E

That didn't clarify anything for me.

you usually have to pay for the certs, these are free, certs are for encryption and pay certs certify that they are legit

I feel like would be following along a lot better if I had attended the mysql class.

FYI, lots of major companies (like mine) who use web proxies block certs from LetsEncrypt due to weak encryption and vulnerabilities. Not that I'm saying it's not a good deal for some smaller companies and people who just want some level of encryption, but if it's for anything bigger than a small business it's not a good route for you.

I think its a fair request to be specific in these accusations. LetsEncrypt is not weak encryption or any more vulnerable than any other type of SSL platform. Nothing I see about using their platform would indicate the encryption is weak seeing as I am using the same encryption level with a paid cert, nor does it show any more vulnerability. I would love to read something tangible that would indicate otherwise.

I'll ask my security guys for the documentation... I just know our company blocks it and the reasons above are what they gave me. Honestly I never gave a shit before but I'll try to dig deeper.

Agree the encryption and vuln factor is not less secure in comparison with the big name Authorities. Any vulns would actually exist with the SSL cipher chosen to secure the traffic, which is independent of the Cert Auth.

Here's a decent write up on the tech in general.


The only negative thing I can find and would assume birddogs sec folks are referring to is hackers can spin domains up freely and dynamically to further trick users into thinking a data source is trusted.

If you work for xceba.com and a hacker wanted to own you, they may spin up a web site complete with free SSL cert for xceda.com then spearphish your users with a fake email encouraging you to click on this link. This would take an extra attention to detail for a normal or sometimes advanced level user to not click on it.

Easy enough to just block all Cert Auth from letsencrypt, takes an arguable (small) percentage of the attack surface off their network for click happy users.

As letencrypt becomes more popular, a IT Sec team will have to make a decision to allow the content or not.

But that is technically true of any domain using ssl, and that is more of a user end problem than a LetsEncrypt problem. As well, you can further verify your domain using their platform if you need the ownership proof, I was going to do that for this post but got lazy.

Here is what I found out from the Security team for the reasons we were blocking those certs.

"Since mid-2014 there has been a shift of more web sites securing themselves with SSL certificates. In my opinion, this was primarily driven by Google’s announcement that sites with HTTPS would be given a ranking boost in searches. In early 2016 a new company called Let’s Encrypt began supplying free SSL certificates, with little to no validation to the legitimacy of the requestor. Over the past 6 months there has been a tremendous increase in the number of sites using these certificates. Unfortunately, a lot are malicious. A report conducted by Netcraft found that Let’s Encrypt certificates were being issued to tens of thousands phishing and fraud sites. https://news.netcraft.com/archives/2...-phishing.html. In addition to securing the connectivity between your browser and the server, the certificate played a role in notifying the user that the site was “Secure”. The practices of Let’s Encrypt send a false sense of trust to end users."

Those reasons are more to protect the network from stupid users and soft system administration, not because of any lack of security on LetsEncrypts part.

Personally, the listed reasons are bullshit and sound like someone trying to defend ComodoSSL certs being sold at $300 a year to a potential customer.