
Is a LetsEncrypt certificate "just as secure" as other certs? I have to imagine the answer is "no" simply because LetsEncrypt is free and the other certs aren't -- what more do you get by paying for a cert?



They are just as secure. Here is an article explaining it deeper: https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...


It used to be you paid because everyone who was trusted by browser manufacturers charged a fee, not because signing a certificate is actually hard or could be done in a "non secure" way. A signature is a signature.

LetsEncrypt signatures are now trusted by the browsers, so there's usually no need to pay for the service.


Thing is, even if LetsEncrypt were less secure (I don't really think it is, but let's assume), that would hurt the security of every website.

If you use a paid CA, someone trying to impersonate you could still go to Let's Encrypt and get a certificate there. In other words, the system is only ever as secure as its weakest link. It doesn't matter what link you chose, it matters what link a potential attacker would use.

All of this is because failure of a CA only means false certificates are issued. It's not like Let's Encrypt ever could get access to any of your private key material.


It is just as secure, you get nothing more by paying.


Nothing of value, but there usually is some (silly, IMO) justification, such as badges and warranty (practically useless). Funnily, Comodo starts its list of key features with "value" [0]. They also seem more expensive now than I remember them to be (hundreds of USD per certificate/year), and still call both X.509 and TLS "SSL".

Sometimes I hear about people just looking for "SSL certificates" because somebody told them that they should have one, and search engines would lead them to those websites; probably that's how it still works.

[0] https://ssl.comodo.com/sslcomodo-ov-wildcard


So for my personal projects, I use Let's Encrypt. As far as I know (and I could be wrong now, haven't checked in a while) - their certs are only good for 3 months. Which is simple enough to get around - run a script on your box that updates the cert every 90 days automatically.

At work, we use a paid certificate that is good for a longer period of time (normally a year). So that's one benefit to paying, I suppose.

As far as encryption technologies and security, the traffic encrypted by a Let's Encrypt cert is just as secure as the traffic secured by a paid-for CA signed cert.


The fact that Let's Encrypt certificates expire quickly is a feature, not anything to do with paid vs. non-paid.

Let's Encrypt could have just as easily generated certificates good for a year or more. But the point of Let's Encrypt is to force you to do this in an automated way, using scripts like you suggest.

You're not getting around anything. The choice was by design.

https://letsencrypt.org/2015/11/09/why-90-days.html


They have a built-in command for their 'certbot' cli now that you can use to have your certificates update automatically.

(It's been a bit since I went through it but I think it may be as simple as an extra flag in the command to generate the initial cert)


Usually you set up auto-renewal with Let's Encrypt. Easier than remembering to renew every year.
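The three comments above all come down to the same mechanism: a scheduled job that looks at how long the current certificate has left and renews only when it is inside a safety margin. The script below is an added example (not from any commenter, and not certbot's own code) of that check. It assumes GNU `date` (for `-d`) and an `openssl` binary, reads the expiry from `openssl x509 -enddate`, and uses a 30-day margin, which is the margin certbot applies by default; the renewal command it runs is the real `certbot renew`, overridable through the `RENEW_CMD` variable. The reference time is an explicit parameter so the arithmetic can be checked against fixed dates rather than the wall clock.

```shell
#!/bin/sh
# Renewal check for a short-lived (90-day) certificate, meant to be run
# daily from cron. Reads the notAfter date, computes the days remaining,
# and renews only when fewer than RENEW_THRESHOLD_DAYS remain.
# Assumes GNU date (-d) and openssl on PATH.

RENEW_THRESHOLD_DAYS=30                           # certbot's default margin
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"   # real certbot subcommand

# Convert a line such as "notAfter=Mar 12 10:00:00 2025 GMT" (the output
# format of `openssl x509 -noout -enddate`) into epoch seconds.
enddate_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Whole days left on the certificate.
#   $1: notAfter line
#   $2: reference time in epoch seconds (defaults to now; pass it explicitly
#       to make the check repeatable). Already-expired certs yield a negative
#       number, which still counts as "renew".
days_remaining() {
    _now="${2:-$(date -u +%s)}"
    _end="$(enddate_to_epoch "$1")" || return 2
    echo $(( (_end - _now) / 86400 ))
}

# Exit status 0 when renewal is due, 1 when not, 2 on a parse error.
needs_renewal() {
    _days="$(days_remaining "$1" "$2")" || return 2
    [ "$_days" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Full check on a PEM certificate file: report the status and run the
# renewal command when the margin has been reached.
check_cert() {
    _line="$(openssl x509 -in "$1" -noout -enddate)" || return 2
    _days="$(days_remaining "$_line")"
    if needs_renewal "$_line"; then
        echo "$1: $_days day(s) left, renewing"
        $RENEW_CMD
    else
        echo "$1: $_days day(s) left, nothing to do"
    fi
}

# Usage (path is a placeholder for your own cert):
#   check_cert /etc/letsencrypt/live/example.com/cert.pem
```

The margin matters more than the exact schedule: with a 90-day certificate and a 30-day margin there are several weeks in which a failed renewal (expired DNS record, broken web root, rate limit) is still only a logged error rather than an outage, so the cron job should run daily and its output should be monitored.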


I am sad that this question is down-voted. It seems honest enough, it's slightly off-topic but not dramatically so.

There are two halves to the first answer but they're both "Yes, Let's Encrypt is just as secure".

1. Most elements of TLS security have nothing whatsoever to do with certificates. This is easier to grasp in TLS 1.3 than earlier versions (all the encryption in TLS 1.3 is working before anybody sends any certificates anywhere) but it has always been true.

Even without certificates eavesdroppers can't see what was communicated, and nobody can change it en route between client and server. For these things even no certificate at all would be fine...

Certificates do add a vital thing though: Identity. A certificate from Let's Encrypt is a signed document from Let's Encrypt vouching for the identity of your site. Cryptography (with a "private key") lets you prove this certificate belongs to you and nobody else can do that. Without Identity somebody in a position to be an eavesdropper could just pretend to be you and intercept everything (a "Man in the Middle"). So even though it's a small aspect it's vital.

2. To go around issuing people with Certificates you need some way to know who is who. Until a few years ago there weren't many hard and fast rules about how to do this, and so a lot of rather dubious procedures were used by people who charged a pretty penny. Some of them would argue that charging validated the purchaser but that's not so smart, plenty of crooks are willing to spend money to make more.

So, Let's Encrypt actually helped write actual formal rules for how you can make sure you're issuing certificates to the real owners of the names they're certificates for. These are known as the Ten Blessed Methods, because there were once exactly ten of them and each is a method that the certificate issuer is allowed to use to do this Domain Validation. None of them are utterly foolproof, and there is ongoing work to further improve them or get rid of the least effective ones, but at least now there are written rules.

Having helped write these rules it should be no surprise that though they represent a significant tightening up of things for some of the incumbent for-profit issuers, Let's Encrypt was already doing everything required.

Partly this is actually helped by not taking money for certificates. Since Let's Encrypt doesn't make a profit from giving you a certificate, they've no incentive to do so unless they're sure.

Now: For the second part, I have written lengthy answers elsewhere, there are a lot of reasons you might pay somebody money. None of these reasons make Let's Encrypt any worse, and many of them are real niche cases, you'd know about it if you've hit those. Like if you make web sites for Nintendo's obsolete WiiU video game console - Let's Encrypt doesn't help you because the WiiU web browser doesn't have the right trust store for that. Or if you need S/MIME certificates for your corporate email system for some reason, Let's Encrypt don't offer that. If you need a special relationship with your issuer under contract (like Facebook has) then Let's Encrypt can't help you. And so on. For most people it doesn't matter.
