by usernam 3149 days ago
Not answering the concern regarding CT (I concur).

But the obvious answer for truly secure connections is your own CA root or a self-signed cert you manually install/enforce.

You don't want to pass through another CA if your service is private. You actually don't need to. In fact, you'd want to manually enforce a single root or distrust system certificates entirely when doing so to avoid the problem you describe.

Most decently-written software that supports SSL/TLS allows you to do that.

The CA system is for services that you intend to make public.


> But the obvious answer for truly secure connections is your own CA root or a self-signed cert you manually install/enforce.

> Most decently-written software that supports SSL/TLS allows you to do that.

Unfortunately maintaining your own CA and installing it on all your devices is no easy feat. On Android it's not even possible without root, and most IoT devices are not "decently-written". So what you say is true on paper, but delegating your CA to an external service like letsencrypt is unfortunately the only doable way as things are now.