Hacker News

How do these articles keep getting to the front of HN...

> The certificates provide no security: The way you verify your identity to Let's Encrypt... you place a file somewhere on your website, and they access
> Automatic renewal is insecure: certbot ... downloads a bunch of untrusted data from the web, and then feeds that data into your web server, all as root...

False, this is NOT the only way. You can do it by setting a TXT DNS record. No files involved. Your server communicates with the registrar through an API over an encrypted connection.

> Manual renewal isn't free...

You're not supposed to manually renew Let's Encrypt in the first place. The whole point is that you set up a cron job once and forget about it.

> HTTPS is a trap: Once you've moved your websites to HTTPS, there's no going back to plain HTTP...

Not true. You can run an HTTP version of your website in parallel if you so desire.

> Let's Encrypt is founded on the benevolence of scoundrels: Let's Encrypt isn't free to run, either. Their 2019 operating budget is 3.6 million U.S. dollars. Most of that is donated by… guess who? _Your competitors_[1].

EFF and the Mozilla Foundation are not my competitors LOL.

[1] https://www.abetterinternet.org/sponsors/

> It's bad engineering: When you install a certificate with a three-month expiration...

https://letsencrypt.org/2015/11/09/why-90-days

https://letsencrypt.org/2025/01/16/6-day-and-ip-certs



> You can do it by setting a TXT DNS record.

You can, but there is no way to force a method. A MitM attacker will choose the file method to get itself a cert for your site - the main argument in the article.

> The whole point is that you set up cron job once and forget about it.

Exactly. (Italics by me.)

>> HTTPS is a trap: Once you've moved your websites to HTTPS, there's no going back to plain HTTP...

> Not true. You can run HTTP version of your website in parallel if you so desire.

But never again HTTP-only. No visitors will load HTTP. Did you actually read the article and the arguments??

> [1]

I'd like to see some numbers before I believe your argument.

> https://letsencrypt.org/2025/01/16/6-day-and-ip-certs

So that absolutely no human ever checks the transparency log. I can't even find that log for LetsEncrypt, let alone how to search it for my website's certs.
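Added example, not written by any commenter in this thread: the point argued above is whether a domain owner can restrict which ACME challenge a CA may accept for their names. The mechanism for that is the DNS CAA record (RFC 8659), extended by RFC 8657 with a `validationmethods` parameter (values such as `dns-01`, `http-01`, `tls-alpn-01`). The script below evaluates a constructed set of CAA records for hypothetical names under `.test` and answers whether a given CA may issue for a name with a given method, including the tree-climbing lookup, the `issuewild` rule for wildcard names, an empty value meaning "no CA", and the critical flag on an unrecognised tag. It performs no DNS queries; the zone data is embedded.

```python
"""Evaluate constructed CAA records (RFC 8659 + RFC 8657 validationmethods).

Assumptions: the ZONE dict stands in for DNS; names under .test are hypothetical.
"""
from dataclasses import dataclass

CRITICAL = 128                                 # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags this checker understands


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data keyed by owner name (not real DNS).
ZONE = {
    # Only this CA, and only via the DNS-01 challenge (RFC 8657).
    "example.test": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    # Wildcard issuance forbidden entirely; non-wildcard falls back to parent rules.
    "wild.example.test": [CAA(0, "issuewild", ";")],
    # Unrecognised tag with the critical bit set: a CA must refuse to issue.
    "strict.example.test": [CAA(CRITICAL, "futuretag", "whatever")],
}


def lookup_caa(name):
    """Climb from name toward the root and return the first CAA RRset found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return ZONE[candidate]
    return []


def parse_issue_value(value):
    """Split 'ca-domain; key=value; key=value' into (ca_domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip()] = val.strip()
    return parts[0], params


def caa_permits(name, ca_domain, method):
    """True if ca_domain may issue a certificate for name using ACME method."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    records = lookup_caa(base)
    if not records:
        return True  # no CAA anywhere in the chain: issuance is unrestricted

    # An unknown tag marked critical forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False

    # Wildcard names use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # RRset restricts nothing for this request (e.g. iodef only)

    for r in relevant:
        ca, params = parse_issue_value(r.value)
        if ca != ca_domain:
            continue  # an empty ca (value ';') matches no CA at all
        allowed = params.get("validationmethods")
        if allowed is None or method in [m.strip() for m in allowed.split(",")]:
            return True
    return False


if __name__ == "__main__":
    for args in [("www.example.test", "letsencrypt.org", "dns-01"),
                 ("www.example.test", "letsencrypt.org", "http-01"),
                 ("*.wild.example.test", "letsencrypt.org", "dns-01"),
                 ("strict.example.test", "letsencrypt.org", "dns-01")]:
        print(args, "->", caa_permits(*args))
```

The function mirrors what a CA's CAA check does before honouring a challenge: a record of `issue "letsencrypt.org; validationmethods=dns-01"` at `example.test` lets that CA issue for `www.example.test` only after a DNS-01 challenge and refuses an HTTP-01 one, regardless of which challenge an ACME client requests.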



