
Not harsh at all. I understand I am no security expert, bores the heck out of me. Sadly, you shouldn't trust the "experts" to be if that's LetsEncrypt. No one can be trusted apart from yourself when implementing security.

If LE is run with the following companies, "Electronic Frontier Foundation; Mozilla Foundation; University of Michigan; Akamai Technologies; Cisco Systems"

What makes them all trustworthy, especially when they're all American? Especially after the whole Richard Stallman. Mozilla, maybe because they were Netscape. I have more than enough experience working within security to know that.

I've seen SysOps leak DBs, passwords in plaintext... and I've seen it from the age of where such didn't exist to where companies are now installing X security appliances to safeguard their networks. I'm not a newb, from 2004 to now, counted 15 years of System and Network engineer experience. Far from experienced but well seasoned.

Why isn't HackerNews using LetsEncrypt, Google, Netflix, Amazon, if promoted as a great thing. Is what I want to know.



HN: Pretty sure their relationship with DigiCert predates LE, why change if the current relationship is functional.

Google: Browser Maintainer that runs entire TLDs, doesn't need a third party, it could just decide to trust itself and 60+% of the market follows.

Amazon: Runs a massive chunk of the internet, it's already MitM'd itself and most other things, doesn't really need a third party for Certs but still uses DigiCert which predates LE and they clearly have a working relationship.

Netflix: See Amazon, HN.

You: Barely exist to the infrastructure of the web as people experience it. Maybe you have a static site you don't care to protect from MitM (could add some malicious scripts or whatever but who cares). Maybe you're a tiny service that offers some 50 users something, their plaintext auth probably shouldn't be readable to just anyone along the network path, but they're not paying you for services so you might not wanna spend much money on that service. Use LE.

Also, if you think LE as a company has the ability to take sites with it if it goes down, you don't really understand Web PKI. At most likely within a year to 3 months you'd need to find a new place if their signatures expire. At worst someone could pretend to be you, but still not read that traffic protected by the old cert.

Why so salty about LE? Especially from a "seasoned" SysEng? Didn't it just make your job easier and safer for those with slightly less experience?


> Why so salty about LE? Especially from a "seasoned" SysEng? Didn't it just make your job easier and safer for those with slightly less experience?

Because it's required, I don't know the companies, I can't trust the companies. I'm just not happy that four companies run the world's SSL. There should be another technology that caters to such without having to put all the keys in one basket.

> Didn't it just make your job easier and safer for those with slightly less experience?

No. It makes it harder, because you're not teaching someone anything, you tell them "click here, click that, done".





