
Ben Moore
22,588 Points

Let's Encrypt?

I think there should be more thought given towards recommending a Certificate Authority (CA). Doing a bit of research, it appears that there are some serious risks trusting any certificates signed by Let's Encrypt. Because the Let's Encrypt business model offers automated AND free certificates, there is no way to guarantee the quality of the sites they are supposedly "vetting".

Here is a blog post that hits on the very issue (a proliferation of phishing sites with Let's Encrypt certificates): https://www.thesslstore.com/blog/lets-encrypt-phishing/

3 Answers

Anthony Boutinov
13,844 Points

Let's Encrypt gives certificates that allow users to exchange data securely between client and server. This base layer of protection is absolutely necessary if you have any form of data exchange, be it a contact form, user sign-in, etc.

Besides, some Internet browsers now mark websites without encryption as Not Secure, and search engines will rank such sites lower in search results.

So any certificate is better than none.

David Tran
Courses Plus Student 12,429 Points

there is no way to guarantee the quality of the sites they are supposedly "vetting"

That's the first time I've heard something like this. As others pointed out, these certificates provide communications security. Nothing more.

The perception of "quality website" is another topic.

Ben Moore
22,588 Points

Yes. My point is that with the massive uptick in bad actor sites using free services like Let's Encrypt (spam and all sorts of malware attacks are increasing exponentially year-over-year), if you are starting your own site as a business, you should not seriously consider Let's Encrypt. It could be dropped as a CA in the future because there is currently no barrier to entry -- where for another CA, the script kiddie or scam artist is required to have some skin in the game (because it's not free so they won't have unlimited certs for free). Just as when you get a corporate laptop, they set what CAs they allow. I believe LE is highly likely to be dropped as spam in the future. Just my 2 cents.

andren
28,558 Points

You act like Let's Encrypt is some rogue CA that somehow slipped past the browser vendors' notice, but Mozilla and Google are two of the biggest sponsors of Let's Encrypt. Given that they are literally donating large amounts of money to keep Let's Encrypt alive, do you really think they will suddenly decide to drop support for it in their browsers?

Mozilla and Google are certainly no fools; they are fully aware that a service like that will be used for both good and bad, but ultimately they have come to the conclusion that the advantages of making the barrier to entry for SSL as low as possible outweigh the bad that comes from it.

It's also worth mentioning that Let's Encrypt only issues Domain Validation certificates, not Organization Validation or Extended Validation certificates. Domain Validation (DV) certificates are the lowest rank of SSL certificate, and the only thing they were designed to prove is that you have established a secure connection to the server that currently owns the domain you are connecting to. Having to prove your identity has never been a requirement to acquire a DV cert, even before Let's Encrypt came along. Proving that you control the server the domain points to has always been the only real technical requirement to get certified.

Because of that, ownership of a DV cert was never meant to imply that a website itself was secure and trustworthy, or that it is owned by the company it claims to be. It was only meant to communicate that your connection to the website itself is secure. But that has sadly become a common misconception. That is why, as Anthony mentioned, browsers are now starting to move toward a system where regular sites will be marked as non-secure, with some, like Google, going even farther by planning to stop marking HTTPS sites as secure altogether. That is being done specifically to lessen the misconception that a site having an SSL cert automatically makes it a legitimate and secure website, which is something that has never been true, even before Let's Encrypt, as acquiring DV certificates has always been relatively easy.

In the future it will likely be rarer for a website not to have a DV cert than to have one, and at that point it doesn't really matter that scammers have easy access to them, as simply having one would no longer afford them any extra credibility over any other random website.

Websites that want to stand out as being secure in the sense of being trustworthy and backed by an actual company can always purchase Organization Validation or Extended Validation certificates, which are required to have a lot of barriers to entry put up to verify that you are who you claim to be, and not some random scammer.
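The "prove you control the server the domain points to" check that andren describes is, for Let's Encrypt, the ACME HTTP-01 challenge. The block below is an added example, not code from this thread or from Let's Encrypt, that models both sides of that check offline; the account keys, token and dictionary standing in for the web are constructed, and it shows that the CA compares nothing but a published string, so passing says nothing about who the applicant is.

```python
# Added example: a model of ACME's HTTP-01 challenge (RFC 8555 section 8.3), the
# domain-control check Let's Encrypt runs before issuing a DV certificate.
# The account keys, token and "web server" contents are constructed, not real.
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, keys in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """What the applicant must publish: token, '.', thumbprint of its ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_validate(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """CA side: GET http://<domain>/.well-known/acme-challenge/<token> and compare.
    Passing proves only that the account-key holder could place a file on the host
    the domain resolves to; who they are and what the site does is never examined."""
    body = fetch(domain, f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == key_authorization(token, account_jwk)

# Constructed stand-ins: fake RSA JWKs (not real keys), a token, a dict acting as the web.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-of-the-applicant"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-of-someone-else"}
TOKEN = "constructed-token-xyz"
WEB = {"example.com": {}, "other.example": {}}

def fake_fetch(domain: str, path: str):
    """Stands in for the CA's HTTP client; returns the body or None for a 404."""
    return WEB.get(domain, {}).get(path)

def demo() -> dict:
    """The applicant publishes its key authorization on example.com only."""
    WEB["example.com"][f"/.well-known/acme-challenge/{TOKEN}"] = key_authorization(TOKEN, ACCOUNT_JWK)
    return {
        "example.com": http01_validate("example.com", TOKEN, ACCOUNT_JWK, fake_fetch),
        "other.example": http01_validate("other.example", TOKEN, ACCOUNT_JWK, fake_fetch),
        "wrong-account-key": http01_validate("example.com", TOKEN, OTHER_JWK, fake_fetch),
    }
```

Only the first case passes: the file is absent on other.example, and on example.com the published string is bound to the applicant's account key, so another account key fails even though the file is there.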