Selfhosted

Why?

Let's encrypt is free and secure. There is no good reason not to use it.

With paid certificates you can target ancient and unsupported operating systems like windows XP and android 2, letsencrypt is relatively recent and it's not present in the root certificates of those systems

Certain unnamed companies cough~google~ doesn’t like to trust Let Encrypt its definitely not an abuse of an illegal monopoly they have good reasons I promise.

But the whole point behind using a signed certificate is that other people can look at you and immediately know you are who you say you are if a company doesn’t trust you it doesn’t really matter what the motivation is you might as well use a self signed certificate.

Paid certificates have the money to make sure everyone trusts them and has a reputation to maintain so are more likely to defend a legitimate complaint.

99.999% of individuals it simply doesn’t matter(although you might have to look into it if you’re using android apps) but to a company the little bit that certification costs is worth every penny.

If you are just self hosting for your own use, just stick with letsencrypt or self signed certificates.

The paid certificates are for businesses where the users need to trust the certificate. They usually come with warranties and identity verification, which is important if you are accepting payments through your website, but it's just a waste of money for personal use.

What exactly are you trusting a cert provider with and what are the security implications?

End users trust the cert provider. The cert provider has a process that they use to determine if they can trust you.

What attack vectors do you open yourself up to when trusting a certificate authority with your websites' certificates?

You’re not really trusting them with your certificates. You don’t give them your private key or anything like that, and the certs are visible to anyone navigating to your website.

Your new vulnerabilities are basically limited to what you do for them - any changes you make to your domain’s DNS config, or anything you host, etc. - and depend on that introducing a vulnerability of its own. You also open a new phishing attack vector, where someone might contact you, posing as the certificate authority, and ask you to make a change that would introduce a vulnerability.

In what way could it benefit security and/or privacy to utilize a paid service?

For most use cases, as far as I know, it doesn’t.

LetsEncrypt doesn’t offer EV or OV certificates, which you may need for your use case. However, these are mostly relevant at the enterprise level. Maybe you have a storefront and want an EV cert?

LetsEncrypt also only offers community support, and if you set something up wrong you could be less secure.

Other CAs may offer services that enhance privacy and security, as well, like scanning your site to confirm your config is sound… but the core offering isn’t really going to be different (aside from LE having intentionally short renewal periods), and theoretically you could get those same services from a different vendor.

I've used Lets Encrypt for years and years, in fact it's been at least 6?. LE with the encryptbot?, automate the entire process, and then completely forget about it until someone posts on Lemmy asking about it.

It's been long enough I've forgotten the proper names of the software and I would have to go back through my notes to recreate it.

Just checked the logs and it's fine.

Don't pay for shit.