#12, Jun 17, 2016, 02:22 PM
LiquidAcid
Trusted Editor
Join Date: May 2008
Posts: 1,644

I was only addressing this specific snippet
Quote:
Originally Posted by Nisto
And it's still better than no security.
with this part of my message.
Quote:
Originally Posted by LiquidAcid
That is why I kinda disagree with Nisto. No security is better than the false sense of security, which is deceiving and dangerous.
This is independent of the Let's Encrypt or even SSL/TLS context for me. And I still stand by this. Don't just adopt something because it advertises itself with security, but properly evaluate first if this is really the case.

Is it with Let's Encrypt? I don't know, and honestly it's not me who decides who to trust in this case.

Anyway, the aforementioned fake cert issue to allow man-in-the-middle attacks can also happen here. You need to trust them that they really keep their root CA offline (reference) and secure. Also I'm well aware of VeriSign and their dealings. In my opinion the whole SSL system with CAs is a broken mess, not so much because of the algorithms involved but more because it doesn't properly handle the (corrupt) human factor.