Why I won’t use Let’s Encrypt
Once there was a massive amount of text answering that question, but I
stripped all of it and left just a brief list:
- All my websites have had HTTPS for a long time. It is just not forced
to be used. Why should it be? Because Google said so, I see.
- My X.509 certificates are valid. But we may have different trust
anchors and rules for checking their validity. People live in various
jurisdictions and countries, so how can it be possible to have a
single trusted entity?
- DV certificates are a false sense of security and do not prevent
MitMing of your sessions (look at how jabber.ru was successfully
MitMed). The often-mentioned Certificate Transparency only helps to
detect damage that has already happened.
- But it could still be useful to remember and pin the public key used
on the first connection (TOFU, as in OpenSSH and OpenPGP). It does not
matter which CA (if any) was used when the certificate was created.
- Why should the (in)security of my online resources depend on the
decisions of a USA (or NATO) based organisation? I am a citizen of the
Russian Federation, work for organisations that are sanctioned (from
the USA's point of view), tend to visit other sanctioned countries and
move freely within the territory of my country (all of which is
prohibited from the western point of view).
- I used to use CAcert. But people still complained that their default
software (Microsoft, Google, Apple platforms, ...) had neither its
certificate nor that of any other free CA, except for Let’s Encrypt,
which suddenly appeared and was immediately trusted by them.
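The TOFU pinning mentioned above, as an added example (not code from the original post): a known_hosts-style store that pins the SHA-256 of a server's SubjectPublicKeyInfo, so the pin is independent of whichever CA signed the certificate. The store file name, the JSON layout and the sample key bytes are constructed for illustration; extracting the real SPKI from a certificate needs a DER parser and is outside this snippet.

```python
"""TOFU-style pinning of TLS public keys, modelled on OpenSSH known_hosts.

Pins are SHA-256 digests of the DER SubjectPublicKeyInfo (the value HPKP
used), so they do not depend on which CA, if any, signed the certificate.
A host seen for the first time is recorded; a later key change is reported
and never silently overwritten, exactly as OpenSSH treats a changed host key.
"""
import base64
import hashlib
import json
from pathlib import Path

# Hypothetical store file; the host -> base64 pin JSON layout is an assumption.
DEFAULT_STORE = Path("known_tls_keys.json")


def spki_pin(spki_der: bytes) -> str:
    """Base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    def __init__(self, path=DEFAULT_STORE):
        self.path = path  # None keeps the store in memory only
        self.pins = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, spki_der: bytes) -> str:
        """Return 'first_seen', 'match' or 'MISMATCH' for the key host presented."""
        pin = spki_pin(spki_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = pin  # trust on first use
            self.save()
            return "first_seen"
        if known == pin:
            return "match"
        # Changed key: keep the old pin. A legitimate rotation must be confirmed
        # out of band by the operator; an unconfirmed change may be a MitM.
        return "MISMATCH"


def demo() -> list:
    """Constructed sample: same key twice, then a different key for the host."""
    key_a, key_b = b"constructed-spki-der-A", b"constructed-spki-der-B"
    store = PinStore(path=None)
    return [store.check("example.test", k) for k in (key_a, key_a, key_b)]
```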