[sintaxi]

Good! Encrypt everything.

A valid cert should not be an indicator that the content on a given site is verified to not be harmful. It serves as verification that the content you received came from the domain you requested. The role of Certificate Authorities is not to censor content and never should be.

[burntrelish1273]

Encryption isn't any good if clients and servers can't nonrepudiate the other party.

A web-of-trust overlay, which is non-authoritative, can help against most attacks...

It would make more sense for an international, community-supported nonprofit to take the lead on opt-in, high-confidence identity verification of persons and companies (thorough physical and documentation checks).

Issuing certs to random people without any checks or barriers at all makes it easy for crooks to obtain certs. Comodo/LE are going to have to do some basic checks or major vendors will simply block them until they do.

[toast0]

From my experience, until recently, all a SSL certificate meant is you're competent enough to receive mail for postmaster@, and you have a working credit card. With LetsEncrypt, the bar is even lower.

Given the push for 100% HTTPS, of course scammers are going to get certificates for their sites if the cost is low enough (still higher cost than using a lock favicon, but hey). While a traditional CA might require human review to issue a cert for paypalscam.example.org, they would probably issue *.example.org, so a scammer would just have to pay a little more for the wildcard.

Since LetsEncrypt participates in certificate transparency, a benefit is that paypal can watch for all certificates issued with their name in the hostname, and check if they need to start a takedown sooner than if they wait for reports of phishing.

[bfred_it]

I don't think so. Certificates certificate the domain, not the identity (except for the EV certificates)

The issue here is just the browser identifying the sites as "secure". Technically correct but not in the general sense of "safe that my data won't be misused/mishandled," which can't entirely be verified.

[sintaxi]

Encryption is indifferent to the contents that is being encrypted.

Without encryption there is no way to know if the domain you are visiting is malicious or if you are the victim of a MITM attack. So if I'm being phished I would much rather that connection be encrypted so I can know for certain who is attacking me.

[syncsynchalt]

This is a lot like the pearl clutching that happened when InterNIC started allowing hostnames with vulgar words in them.