Why Let’s Encrypt Is a Step in the Right Direction for Cybersecurity
A response to John Hurst’s opinion article claiming LE is a Bad Idea.
A couple of days ago, I read John’s article explaining why, in his opinion, Let’s Encrypt is a bad idea.
You can read that article here:
Why Let’s Encrypt is a really, really, really bad idea…
Did I mention it was a really bad idea???
As I understood from John’s replies to angry comments, the article was designed to arouse discussion around the topic — which he has successfully done. I would have taken a different route to reach his desired effect, but what’s done is done.
The purpose of this article is to explain why John’s argument doesn’t stand, explain why Let’s Encrypt is actually awesome, and then offer a takeaway on the real concern John was trying to raise awareness of.
Let’s begin, shall we?
The fundamental reason why John’s argument doesn’t stand
John ties a real concern in the world of cybersecurity to a disastrous event that he claims Let’s Encrypt is more prone to. Basically, according to John, a hacker could gain access to Let’s Encrypt’s private keys and then issue a forged certificate for any website.
That leads to phishing websites that claim to be Google or Facebook and steal your information by sitting in the middle, between the real site and your computer, with a certificate your browser trusts.
If you’re not a software engineer and this is a bit harder to understand, think about it as gaining access to the computer of a Hotel Lobby. You can then claim Madonna is at room 74 even though Madonna never checked into the hotel.
John then claims that Let’s Encrypt fosters a “fire and forget” policy, and that those who “fire and forget” their certificates are more exposed to attackers because their response time would be deficient. Therefore, in his opinion, a paid certificate has a better chance of keeping you alert. The reason, in his telling, is that a commercial certificate authority is a paid-for company and would therefore take better care of its private keys than Let’s Encrypt (not the more obvious point that a paid certificate has to be replaced by hand).
John’s reasoning is like saying that a paid app that does precisely what Waze does cares more about securing your information than Waze does, just because it’s a paid app.
Whether you think that argument is true or false doesn’t matter; it’s irrelevant. John has built his case on a root misdirection, and only that misdirection makes the argument worth discussing at all: the claim that this scenario is more likely to happen because of Let’s Encrypt’s supposed fire-and-forget policy. Two things you should know:
- “Fire and forget” is not the default behavior of Let’s Encrypt; the ACME client you install decides how renewal is scheduled and reported.
- LE certificates are valid for 90 days, far shorter than the one- to two-year validity typical of paid certificates. The short lifetime is deliberate: it forces regular renewal and limits how long a leaked server key stays useful.
Why would John assume that it fosters fire and forget? Because using LE can be automated, and what developer doesn’t like to automate stuff, right?
The real concern that should have been discussed is the human element in cybersecurity. As always, we human beings are the main reason hacking happens. Social engineering is an entire field of study devoted to how people are manipulated into falling for phishing and similar scams, and Kali Linux, a distribution built for penetration testing, ships the tooling to replicate those attacks in authorized assessments.
Why not say it as it is? We humans have a long way to go towards a bright cybersecurity future. I would have loved to see an article that challenges me to review my cybersecurity habits. I’ve written my fair share of server projects for work in the last couple of years; all of them have used Let’s Encrypt, and none were fire and forget.
Let’s Encrypt is Awesome
I own a few personal websites. None of them holds sensitive information. They are my blogs. All are secured with Let’s Encrypt. Before LE, I couldn’t get ranked on Google because I had no certificate and no SSL.
People like me are the obvious use case for LE. If you’re a blogger and need SSL, Let’s Encrypt will work wonderfully for you and save you lots of money. I mean LOTS of money. Have you seen the pricing of paid certificates?
Let’s Encrypt is a step in the right direction. Without it, a lot of people would not be able to share their beautiful websites with the world, since Google uses HTTPS as a ranking signal and sites without it rank below comparable secure sites. Just for not having SSL.
The internet is more secure because of LE, and that’s a fact. That is a good thing, because making encrypted connections the default was their mission from the start.
Let’s Encrypt issues certificates over the ACME protocol, and clients such as Certbot can request, validate and renew them without a human in the loop; on Linux that renewal is usually scheduled with cron or a systemd timer. That becomes “fire and forget” only if YOU let it. What you can do instead is set a reminder in your calendar for the renewal date and verify that the new certificate was actually deployed. You know what? LE even helps with that. If you register an email address with your account when you obtain a certificate, Let’s Encrypt emails you when it is about to expire (Let’s Encrypt has since announced it is winding down those expiry emails, so don’t make them your only safety net).
As you can see, you have ample opportunity to fire and forget, but you also have enough tools to keep track of your certificates. John is right to raise concern about automating and forgetting; it’s the last thing you want if you intend to be swift on security. Automated renewal can fail quietly (a changed firewall rule, a failed ACME challenge, a web server that was never reloaded with the new file), so check the expiry date the live site actually serves, not just the renewal log. But none of that is a mark against LE.
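To make that “verify it” step concrete, here is an added example of my own (it is not code from Let’s Encrypt, Certbot, or John’s article): a small Go program that parses a PEM certificate, reports how many days of validity remain, and flags when it has entered the renewal window. Because no real Let’s Encrypt certificate is embedded here, it builds a constructed, self-signed 90-day certificate for a hypothetical host `blog.example`; point `CheckPEM` at the PEM your server actually serves and it behaves the same way. The 30-day threshold is an assumption chosen to match Certbot’s default renewal window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewThreshold mirrors Certbot's default: renew when fewer than 30 days remain.
const RenewThreshold = 30 * 24 * time.Hour

// ExpiryStatus summarises a leaf certificate's remaining lifetime at a given instant.
type ExpiryStatus struct {
	Subject   string
	NotAfter  time.Time
	Remaining time.Duration
	Expired   bool // NotAfter is already in the past
	RenewDue  bool // inside the renewal window (also true once expired)
}

// CheckPEM parses the first CERTIFICATE block in pemData and evaluates it against now.
// Feed it the certificate your web server serves to catch renewals that silently failed.
func CheckPEM(pemData []byte, now time.Time) (ExpiryStatus, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return ExpiryStatus{}, errors.New("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ExpiryStatus{}, err
	}
	remaining := cert.NotAfter.Sub(now)
	return ExpiryStatus{
		Subject:   cert.Subject.CommonName,
		NotAfter:  cert.NotAfter,
		Remaining: remaining,
		Expired:   remaining <= 0,
		RenewDue:  remaining < RenewThreshold,
	}, nil
}

// NewSelfSignedPEM builds a constructed, self-signed test certificate (not a real
// Let's Encrypt certificate) for cn, valid for lifetime starting at notBefore.
func NewSelfSignedPEM(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Simulate a 90-day certificate issued today and check it at several later dates.
	issued := time.Now().UTC().Truncate(time.Second)
	pemData, err := NewSelfSignedPEM("blog.example", issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, daysLater := range []int{0, 45, 65, 91} {
		st, err := CheckPEM(pemData, issued.AddDate(0, 0, daysLater))
		if err != nil {
			panic(err)
		}
		fmt.Printf("day %3d: %s expires %s, %4.0f days left, expired=%v renewDue=%v\n",
			daysLater, st.Subject, st.NotAfter.Format("2006-01-02"),
			st.Remaining.Hours()/24, st.Expired, st.RenewDue)
	}
}
```

Run it from a cron job or timer against the certificate fetched from your live endpoint and alert on `RenewDue`; that one check catches a renewal that never ran, one that ran but failed, and one that succeeded on disk while the server kept serving the old file.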
Let’s encrypt is excellent. Don’t let anyone tell you otherwise.
So what is the takeaway?
John’s article tries to raise awareness of the fire-and-forget policy by blaming Let’s Encrypt for being an easy, free solution that lets software developers automate and forget about it, and by claiming that if LE’s private key were compromised, a lot of sites would be threatened. In reality, the compromise of any certificate authority’s issuing key would be disastrous, not just LE’s; every CA your browser trusts can issue a certificate for any domain.
He mainly gives this article as the response to people who reply to him but fails to mention that all of the exploits in that article happened to the paid certificate authorities.
John’s intention is the right one. We shouldn’t fire and forget. We live in a time when cybersecurity is becoming more and more critical. A paid certificate has traditionally been replaced by hand; with LE, you can automate the replacement.
So please, take a moment to check your certificates. Did you automate your renewal a while ago and stop looking? It’s time to change that behavior. Set a reminder to confirm that renewals are actually succeeding and that the certificate your site serves is the fresh one.
Just don’t assume that an excellent tool like Let’s Encrypt is responsible for mistakes that are clearly of human nature.
Oren Cohen is a Software Development Engineer, Gamer, Geek, and Writer. He writes on all sorts of topics on Medium, though his passion lies with Fantasy and Video Games.