Why?
Let's encrypt is free and secure. There is no good reason not to use it.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Why?
Let's encrypt is free and secure. There is no good reason not to use it.
With paid certificates you can target ancient and unsupported operating systems like windows XP and android 2, letsencrypt is relatively recent and it's not present in the root certificates of those systems
Certain unnamed companies cough~google~ doesn’t like to trust Let Encrypt its definitely not an abuse of an illegal monopoly they have good reasons I promise.
But the whole point behind using a signed certificate is that other people can look at you and immediately know you are who you say you are if a company doesn’t trust you it doesn’t really matter what the motivation is you might as well use a self signed certificate.
Paid certificates have the money to make sure everyone trusts them and has a reputation to maintain so are more likely to defend a legitimate complaint.
99.999% of individuals it simply doesn’t matter(although you might have to look into it if you’re using android apps) but to a company the little bit that certification costs is worth every penny.
Most if the internet uses let's encrypt. You are using it right now
If you are just self hosting for your own use, just stick with letsencrypt or self signed certificates.
The paid certificates are for businesses where the users need to trust the certificate. They usually come with warranties and identity verification, which is important if you are accepting payments through your website, but it's just a waste of money for personal use.
What exactly are you trusting a cert provider with and what are the security implications?
End users trust the cert provider. The cert provider has a process that they use to determine if they can trust you.
What attack vectors do you open yourself up to when trusting a certificate authority with your websites' certificates?
You’re not really trusting them with your certificates. You don’t give them your private key or anything like that, and the certs are visible to anyone navigating to your website.
Your new vulnerabilities are basically limited to what you do for them - any changes you make to your domain’s DNS config, or anything you host, etc. - and depend on that introducing a vulnerability of its own. You also open a new phishing attack vector, where someone might contact you, posing as the certificate authority, and ask you to make a change that would introduce a vulnerability.
In what way could it benefit security and/or privacy to utilize a paid service?
For most use cases, as far as I know, it doesn’t.
LetsEncrypt doesn’t offer EV or OV certificates, which you may need for your use case. However, these are mostly relevant at the enterprise level. Maybe you have a storefront and want an EV cert?
LetsEncrypt also only offers community support, and if you set something up wrong you could be less secure.
Other CAs may offer services that enhance privacy and security, as well, like scanning your site to confirm your config is sound… but the core offering isn’t really going to be different (aside from LE having intentionally short renewal periods), and theoretically you could get those same services from a different vendor.
Let's encrypt also don't provide client certificates, or intermediates that allow you to sign them, which really is a shame.
Do EV and OV certs actually provide additional useful? When was the last time you reviewed the certificate of a site you access for non work purposes?
EV certs give you an extra green bar or something along those lines. If your customers care about it, then you have to. If they don’t - and they probably don’t - it’s a waste.
They got rid of that years ago though.
Good to know! I saw that mentioned on some (apparently outdated) Comodo marketing copy as a benefit over LE
I've used Lets Encrypt for years and years, in fact it's been at least 6?. LE with the encryptbot?, automate the entire process, and then completely forget about it until someone posts on Lemmy asking about it.
It's been long enough I've forgotten the proper names of the software and I would have to go back through my notes to recreate it.
Just checked the logs and it's fine.
Don't pay for shit.