|
|
|
|
|
|
by amfsn
2520 days ago
|
|
|
That's what they wanted when they pushed Let's Encrypt. https meant something before, since a certificate was expensive and required proof of identity. Yes, those methods weren't infallible, but they were good enough. Now we've lost that with free https. |
|
|
Certificates weren't expensive before Let's Encrypt, several outfits offered free certificates, especially on a "trial" basis that would be adequate for criminals even if it was largely useless to legitimate users.
But expensive certificate were, and still are, available to those with the Apple mindset. DigiCert will sell you a certificate for $218. Lasts 12 months.
And you're probably thinking: Right, that's a _proper_ certificate, that'll assure me of who bought it, and it comes with true security and all this amazing stuff. Nope, that's the same DV assurance that Let's Encrypt gives away, except DigiCert gets $218 of your money, and why not?
If there's a guy wants to buy one glass of water from me for $100 who am I to insist drinking water is free?
Anyway, no, certificates did not require "proof of identity" prior to Let's Encrypt, in fact back then they only required that the CA use "Any other method" a term of art in the rules that meant the CA could use its own best judgement (perhaps clouded by commercial considerations) to decide what was enough to be sure you controlled example.com before issuing you an example.com certificate.
_After_ Let's Encrypt, and with substantial input _from_ key Let's Encrypt people this was reformed to the Ten Blessed Methods (there are not actually ten of them today, but I like that name and it seems to have stuck) in which there are explicit methods defined for how a CA must check that you control the DNS names you want certificates for.
You are living in an all too common fantasy world. A world where you needlessly spend more money to achieve less security because you don't want to be confronted with facts.