by otachack 1284 days ago
As someone who supports Let's Encrypt's efforts and is playing devil's advocate, I imagine a downside is that the bar is lowered and nefarious websites can easily get SSL-equipped channels compared to the high paywall of before.
4 comments

Commercial CAs verify exactly two things: Administrative control over a domain name and a working credit card number.

Let's Encrypt only gets rid of the latter, and given that fraudsters able to spoof the former can probably spare the $10 for the latter, I'd argue that this is a good thing.

Before Let's Encrypt there were all kinds of bullshit CAs that would distribute "secure site" seals and lie all over the internet about how those meant anything.

All of that noise is gone now. That makes the internet much safer.

What is the downside of this?
My guess is a misunderstanding of how easy it is to get a credit card to make a payment. This hasn't gotten any easier, so there truly is no downside at this point, unless people automatically think an SSL means a site is trustworthy. I think that's just education, and is likely to come into public consciousness the longer secure sites are pushed as the default.
A plain domain-validated certificate cost like $10 for a year or two. So roughly the same cost as the domain name. Hardly a "high paywall".
It meant a paper trail via CC payments (though fraudsters were likely to use stolen CCs, and they probably needed a CC to buy the domain name in the first place). But yeah it's basically not fundamentally different.
Don't most domains cost $5 or less? I think it's pretty outrageous to have to spend 2x (or more) of the domain name cost to secure connections to it.
Not sure where you found that figure, but most domains definitely don't cost $5 or less. Most domains are $10+ in my experience.
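The point made early in the thread, that a domain-validated certificate proves administrative control of a domain name and nothing else, is easiest to see from what the check actually consists of. The following is an added example, not code from the thread or from Let's Encrypt's own software: it computes the HTTP-01 key authorization from RFC 8555 (token plus the RFC 7638 thumbprint of the ACME account key) and plays both sides, the client that publishes the file and the CA that fetches and compares it. The account key, the token, the domain and the in-memory "web server" are constructed for the example and are not real values.

```python
import base64
import hashlib
import hmac
import json

# --- constructed sample data (not a real key or token) ---------------------
# An ACME account key as a JWK. "n" is a short placeholder, not an RSA modulus;
# the thumbprint logic only cares about which members are present.
SAMPLE_RSA_JWK = {
    "kty": "RSA",
    "n": "placeholder-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",        # extra members like these do not affect the thumbprint
    "kid": "example-key",
}
# The CA generates the token (RFC 8555 requires at least 128 bits of entropy).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the key's
    required public members only, keys sorted lexicographically, no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
        "OKP": ("crv", "kty", "x"),
    }
    members = {k: jwk[k] for k in required[jwk["kty"]]}  # KeyError if one is missing
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the string the client must serve at
    http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(token: str, account_jwk: dict, served_body: str) -> bool:
    """What the CA checks after fetching the challenge URL over plain HTTP:
    the body, with trailing whitespace ignored as RFC 8555 allows, must equal
    the expected key authorization. Nothing else about the site is examined."""
    expected = key_authorization(token, account_jwk).encode("utf-8")
    return hmac.compare_digest(served_body.rstrip().encode("utf-8"), expected)


def ca_validation(domain: str, token: str, account_jwk: dict, http_responses: dict) -> bool:
    """Stand-in for the CA's fetch. http_responses maps full URLs to response
    bodies and plays the role of the network (constructed for the example; a
    real CA fetches over the network, possibly from several vantage points)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = http_responses.get(url)
    return body is not None and validate_http01(token, account_jwk, body)


def demo() -> dict:
    """One successful validation plus two failures: the file was published for a
    different account key, and the CA asks for a token that was never published."""
    domain = "example.test"                      # constructed; .test is reserved
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_RSA_JWK)
    url = f"http://{domain}/.well-known/acme-challenge/{SAMPLE_TOKEN}"
    web = {url: ka + "\n"}                       # servers often append a newline
    other_key = dict(SAMPLE_RSA_JWK, n="a-different-placeholder-modulus")
    return {
        "correct_key": ca_validation(domain, SAMPLE_TOKEN, SAMPLE_RSA_JWK, web),
        "wrong_account_key": ca_validation(domain, SAMPLE_TOKEN, other_key, web),
        "wrong_token": ca_validation(domain, "stale-token", SAMPLE_RSA_JWK, web),
    }


if __name__ == "__main__":
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_RSA_JWK))
    print(demo())
```

Two design points are worth noticing. The thumbprint binds the challenge response to the ACME account key, so a file someone else planted for their own account does not validate; and the whole check is a single unauthenticated HTTP fetch of a path under `/.well-known/`, so whoever can answer HTTP for the name at the moment the CA asks (the legitimate admin, or anyone who has hijacked DNS, the host, or that one path) gets the certificate. That is exactly the "administrative control over a domain name" the thread describes, no more and no less.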