> There used to be a time when malicious websites usually didn't have encryption at all, or if they had, their certificate was self-signed. Let's Encrypt changed that. Now every malicious site has a certificate that appears trusted, and there will soon be a need for having different levels of "trust", where free-of-charge certificates like the ones from Let's Encrypt will become essentially untrusted.

First off, this grossly misunderstands what a certificate does. All it does is prove that your browser is having a private conversation with the remote server. The remote server might be evil, but that's not what a certificate solves. Malicious sites didn't have valid certs because certs used to be overpriced and the people that ran them wanted to minimize the paper trail as much as possible.

> Self-signed certificates used to be considered fine, but now every mainstream browser shows a scary warning before entering a site with such a certificate. The same will happen to the certificates from Let's Encrypt

You're jumping to quite the conclusion. Let's Encrypt is such a huge part of the Internet now that I don't think browser vendors could decide to just stop trusting their certs. Even if they did, another free certificate vendor would appear and we'd be back at square one.

> Phishing websites also did not have lookalike domains before Unicode characters were allowed in domain names.

Factually incorrect. I have to be honest, this feels like a troll post. There's so much misinformation, misunderstanding, and unrealistic expectations that I can't take it seriously. What you're asking for is dangerous and would lead to massive amounts of data compromise.
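The point made above, that a certificate only binds a name to a key and says nothing about whether the site behind it is benign, can be shown with the checks a TLS client actually performs. The following Go program is an added illustration and is not part of the thread; it builds an in-memory CA standing in for any publicly trusted issuer, signs a leaf for a constructed hostname (`login-example.test`), and runs the standard library's `x509.Verify`. The only things verification decides are chain-to-a-trusted-root, validity period and name match; the issuer being free or paid, and the operator being honest or not, never enter into it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for the demo; they do not refer to real services.
const (
	demoCAName = "Demo Free CA"       // stands in for any issuer already in a browser root store
	demoHost   = "login-example.test" // the name the site operator asked the CA to sign
)

// newCA builds a self-signed CA certificate in memory, playing the role of
// a publicly trusted issuer that a browser already ships as a root.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: demoCAName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host. Like a domain-validated CA,
// it attests only that the requester controls the name, nothing about intent.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern clients match on the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs runs the same checks a TLS client runs: chain to a trusted root,
// validity period, and that the name being connected to matches the cert.
func verifyAs(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Checks records the outcome of the three verifications in RunChecks.
type Checks struct {
	TrustedForSignedName bool // accepted: trusted issuer and matching name
	RejectedWrongName    bool // rejected: same cert presented for another name
	RejectedUnknownRoot  bool // rejected: issuer absent from the root store
}

// RunChecks issues a certificate for demoHost and shows what verification
// does and does not decide. Nothing here asks whether the site is malicious.
func RunChecks() (Checks, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return Checks{}, err
	}
	leaf, err := issueLeaf(ca, caKey, demoHost)
	if err != nil {
		return Checks{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)

	var c Checks
	c.TrustedForSignedName = verifyAs(leaf, trusted, demoHost) == nil

	var hostErr x509.HostnameError
	c.RejectedWrongName = errors.As(verifyAs(leaf, trusted, "other.test"), &hostErr)

	var authErr x509.UnknownAuthorityError
	c.RejectedUnknownRoot = errors.As(verifyAs(leaf, x509.NewCertPool(), demoHost), &authErr)
	return c, nil
}

func main() {
	c, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", c) // all three fields are true: verification is about names and chains only
}
```

The first check passes for any name the CA was willing to sign, which is exactly why a phishing site with a validly issued certificate gets the padlock; the other two show what the client would reject, a name mismatch or an issuer outside the root store. Distrusting an issuer wholesale, as the quoted post proposes, would turn the first result into the third for every site that issuer serves, honest or not.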
> Let's Encrypt is such a huge part of the Internet now that I don't think browser vendors could decide to just stop trusting their certs. Even if they did, another free certificate vendor would appear and we'd be back at square one.
I wonder how come every large provider out there doesn't have their own free certificates in an attempt to compete with Let's Encrypt, get a piece of the free cert market share and possibly upsell their premium services in the process?
The only viable alternative to Let's Encrypt that I personally know of appears to be ZeroSSL: https://zerossl.com/
Though from what I can tell, they have a 3 free cert limitation, at least when provisioned through the website. Which actually seems like a decent attempt to encourage people to pay for their other products (and things like wildcard certificates).
Sure, many might just stick with Let's Encrypt, but why isn't every vendor out there doing the same thing?