Let's Encrypt -- now directly trusted by all major root certificate programs


zoggy

6 hours ago, Fiservedpi said:

I was reading an article that was blasting LE since it has no actual accountability. Pretty interesting: "Nobody loses anything; there is no 'skin in the game.'"

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

The implication that because it is a not-for-profit organization it can therefore fail with "no accountability" is laughably absurd. The NFL was a non-profit until 2015, and it seemed to have accountability before that time.

18 hours ago, Fiservedpi said:

I was reading an article that was blasting LE since it has no actual accountability. Pretty interesting: "Nobody loses anything; there is no 'skin in the game.'"

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

I don't think the writer was "blasting" LE. I think you took his point out of context (trust me, I had my pitchfork ready but I put it back after reading the article).

Here is how I understand the article's main point:

  • LE is issuing widely accepted certificates for free -> LE will win more market share
  • Fragmentation is good for the security cert market (that's a good point statistically: if a market participant is hacked, the more participants there are, the less likely it is to affect you)
  • LE winning more market share and potentially dominating the market is therefore not good
  • LE therefore needs to demonstrate accountability, which the writer can't see.
  • He then provides why he thinks such accountability isn't demonstrable, i.e. LE is non-profit so it does not suffer any financial damage if it's hacked
  • He then went on to conclude with 3 points as to why paid solutions (and insurance) are still superior for "businesses"

It's easy to attack the red point out of context, but one needs to consider the implication of the lack of accountability. The NFL's NPF status is a terrible comparison in the LE context, in my opinion.

  • The NFL main product is its games. If the games are hacked and you know the Patriots will always win the Super Bowl, what's the worst that can happen? I would be happy until the next season and most of the rest of the fans will be upset.
  • The NFL games are also NOT free. God knows how much beer I had to stop drinking to afford the ability to watch the NFL this side of the pond.
  • The NFL is also not the most dominant player in the global sports market. You go to Spain and ask people about the NFL and they most likely will reply with ¿Qué? You go to China and ask people about the NFL and they most likely reply with 什么?.

LE, in contrast, issues free certificates globally for anyone that cares. I'm not saying that's a bad thing! The bad thing is: what if LE is hacked? What's the worst that can happen?

The writer basically asserted that if you are a business, i.e. you are bearing actual financial risk, don't buy a free product without knowing what you have gotten yourself into.

It's similar to sayings such as "there is no free lunch" or "if it seems too good to be true, it probably is" etc.

5 minutes ago, testdasi said:

The NFL NPF status is a terrible comparison in the LE context in my opinion.

It's actually quite accurate, because you don't understand the structure of the NFL. The NFL home office was not-for-profit and still had accountability by way of the franchises (teams), which utilize its services for profit.

There are companies (mainly hosting) that make money directly from using LE services and offering them to customers. Those companies have a direct interest in making sure the service works well and is secure; otherwise it reflects poorly on them and their revenue stream. Same as the NFL.
15 minutes ago, 1812 said:

It's actually quite accurate, because you don't understand the structure of the NFL. The NFL home office was not-for-profit and still had accountability by way of the franchises (teams), which utilize its services for profit.

There are companies (mainly hosting) that make money directly from using LE services and offering them to customers. Those companies have a direct interest in making sure the service works well and is secure; otherwise it reflects poorly on them and their revenue stream. Same as the NFL.

I do understand the structure of the NFL. The NFL's non-profit status - and I'm paraphrasing Roger Goodell - was a tax-distributing mechanism to allow the teams to pay their applicable level of taxes (which differs depending on where the teams are located). By that fact alone, the NFL does not qualify as a non-profit, because it distributes its income back to its members so they can pay taxes elsewhere. The NFL owners simply exploit a US tax loophole that somehow allows "professional football leagues" to be exempted (but not professional basketball leagues, e.g. the NBA, which has never been tax-exempt).

LE, in contrast, issues free certificates to the public. There is no income to distribute, because LE's product is free and thus generates no income.

I can even flip your point back and ask "what will LE members do if LE is hacked and its reputation damaged to smithereens?" Most likely they will simply sell a "Pro" tier product that is more secure than LE. Want to sue LE for compensation? Hey, the LE cert was free, remember? Want to sue LE members? Have you heard of "limited liability"?

In short, associated products that can be sold in connection with a main product cannot be used to explain away the need for accountability for that main product.

Anyhow, back to my main point: the writer's (valid) main point was ignored and overshadowed by one section that was taken out of context.

If anyone wants the TL;DR, read the "Three Takeaways" section at the end.
