It saves me from the implementation details, this way I don't need to wear another engineer/sysadmin hat. I think the website content is more important than the SSL implementation!
Indeed! It's how security should work, and should be the default dual-goal of any piece of security software: provide as much security as possible to as many people as possible.
Having people do things without understanding what exactly they are doing is a good way to create a website with a very good SSL certificate and their private key available on the website itself… or similar issues.
Downside existed before Let's Encrypt, it just got amplified with it.
The general public does not differentiate between SSL certificate validation levels.
Let's Encrypt provides domain validation certificates, which only validate that one owns the domain in question.
There is another level - Organization Validation SSL certificates, which involve manual checking that this is the legal entity it claims to be. I would expect the financial institutions to use this kind of certificate to avoid phishing, but sadly I've seen some of them use Let's Encrypt.
Browsers don't differentiate between SSL certificate validation levels, because it has been shown that the higher validation levels aren't actually significantly more secure, so the distinction is pointless.
I don't think this is an issue with LE or the implementation. Maybe we need different policies for such organizations, but this is for sure not an LE issue.
As someone that supports Let's Encrypt's efforts and playing devil's advocate, I imagine a downside is that the bar is lowered and nefarious websites can easily get SSL-equipped channels compared to the high paywall of prior.
Commercial CAs verify exactly two things: Administrative control over a domain name and a working credit card number.
Let’s Encrypt only gets rid of the latter, and given that fraudsters able to spoof the former can probably spare the $10 for the latter, I'd argue that this is a good thing.
Before Let's Encrypt there were all kinds of bullshit CAs that would distribute secure sites "seals", and lie all over the internet on how those meant anything.
All of that noise is gone now. That makes the internet much safer.
My guess is a misunderstanding of how easy it is to get a credit card to make a payment. This hasn't gotten any easier, so there truly is no downside at this point, unless people automatically think an SSL means a site is trustworthy. I think that's just education, and is likely to come into public consciousness the longer secure sites are pushed as the default.
It meant a paper trail via CC payments (though fraudsters were likely to use stolen CCs, and they probably needed a CC to buy the domain name in the first place). But yeah it's basically not fundamentally different.
OK, I get not wanting to pick on the guy, but is that really reasonable? Engineering is about solving problems by designing/implementing systems. The more you know about the system(s) you're working with, the better the solutions you can build. Even if you're "just" working at a high level and maximally specialized to a single niche, not knowing how the underlying parts work will really limit you.
Pick the brain of any accomplished engineer, and you'll quickly see that the technical knowledge they use to write code on a day to day basis is only the tip of the iceberg.
It's not reasonable to expect everyone to know everything all the time, but I don't agree people should be aspiring to just know the bare minimum either. Mediocrity is like gravity: if you don't (at least occasionally) aim higher, your trajectory will be lower than you want.
Or maybe we should just avoid judging people based on what they do and don't think is worth their time learning, especially when all we know about them is a previous job title and a short message on an internet message board?
I mean, c'mon, it takes quite a bit of arrogance to condemn someone for some little facet of their life when you know next to nothing about them.
Right, obviously very few people will be deep experts on the nitty-gritty details of any particular thing, but it's weird to work with computers and not have a broad high-level understanding of something as crucial as TLS and PKI.
I think there are a lot of perfectly good programmers who work at the level of the web stack, but couldn't set up a web server with TLS to save their life. There's nothing wrong with that, and suggesting that there is, is just a form of technology elitism and gatekeeping.
This isn't about being able to. I'd love to set up machine learning but lack the understanding. It's about taking pride in not having to learn... taking pride in not having to understand how things work.
Technology shouldn't be a blackbox and shouldn't be celebrated as such.