> > Also, after you generate and sign the certificate, you don't have
> > to keep the script.
>
> Validity on the Let's Encrypt CA is 90 days max. (Partly to restrict
> usefulness of a bad cert because they don't do CRLs, which are pretty
> much useless anyway, and partly to encourage users to automate).

Ugghhh, I was fearing that their automate-and-security mantra might clash, but they don't seem to mention it up front. 365 days already annoys me, especially as I intend to use OpenSSH for anything particularly important, and cryptanalysis is not a problem for years on a low-traffic site.

>> I only care for the anon CSV page where you have the SSH host
>> keys. The rest of the site can be left unencrypted. Until every UA is changed
>> to first try TLS and *only then* fall back to clear-text HTTP, this kind of
>> measure has its uses.

You enforce SSL for data submissions; a user checking keys has to check the domain in any case and hope the browser domain-matching code is secure too (yes, there has been at least one Firefox bug there), even before considering the DNS system.

Let's Encrypt, as in let's make certificates more widely available, is good. Let's Encrypt, as in all sites should encrypt all connections, is actually a negative for any professionally run outfit, even when ignoring DoS attacks or servers that don't have AES acceleration, or I guess ChaCha/Salsa acceleration in the future. Its main unrealised potential benefit is to add *some* security by default to all those insecure WordPress logins. TLS by default (for idiots) but not everywhere would be sensible/optimal. The method appears to be to eventually use a stick to make it commercially required for most organisations, but this hurts the professional outfits.

The other alleged benefit is the alleged case that not one trustable ISP is providing service in an area, haha. So use a VPN, as Comodo's software offers for free on public networks. I suspect another agenda, like control of advertising or selling DoS protection or acceleration services. I'll be glad if Akamai stops getting in the way of having some confidence in HTTPS checks on Windows downloads, for example, though.

-- 
KISSIS - Keep It Simple So It's Securable