undefined | Better HN

0 pointsvonklaus10y ago0 comments

To be clear, I am massively excited to use Let's Encrypt and plan on setting up SSL for the first time ever when it launches. I am legit broke so I can't afford to pay a lot of money for someone to have an automated process of:

    gpg --gen-key

I was responding to parent, that announcing trust is a werid quirk of the CA model. TBH, that is correct, but I find it more bizarre Let's Encrypt has to be "trusted" by an unknown company that no one really knows anything about. That is the bit I find weirdest.

0 comments

ar010y ago

Although I loved your sarcastic remarks about the cool pictures, I do want to point out that there are two issues with your argument:

a) There is something else that you know about IdenTrust, and that is that your browser vendor trusts them. This is the whole point of this CA thing: in the end you trust whom your browser vendor trusts (with the option of removing CAs for which you disagree). This is far from perfect (especially since the vendors' vetting process can be quite opaque), but it is not nothing - after all, you should trust your browser vendor, otherwise all the encryption of the world can't save you from someone eavesdropping on your websurfing.

b) Your argument can be read (or misconstrued?) to state that it would be perfectly reasonable to trust IdenTrust if they had a 2015-looking, professional website written in Angular and node instead. Which, of course, is not the case as many who entrusted their money to fraudsters with professional looking websites will be able to attest to.

vonklausOP10y ago

You raise some good points, and I totally agree. The thing is, when the drduh Yosemite guide came out (around the time Google dropped CNNIC) I looked into it a bit. I dropped a ton of certs, mostly international ones (about 40) and the only site that broke was Bing.

> you trust who your browser trusts

Exactly, and my OS. But I run Mac and I am sure Windows users can relate, there are over 200 CAs and I have no idea what heuristics can be used to determine whether they are trustworthy. It wouldn't be a big deal except a compromise at ANY means they could fake ANY website.

Now, on a serious note. If you were running node and you had a super clean react front end with a picture of Jamie lee Miller from hackers super imposed over the ghostbusters symbol (responsive using html5 flex boxes) for sure I would trust you with the security for every website I visit.

I just meant the comment more as idem trust looks like a random rent collector who hasn't updated their business model since 1995. As a broker of trust, I find it disconcerting I know fuck all about them and even if I did, there are hundreds more like that. If you have the money, I don't because I am broke, for sure it would be worth $100 for a padlock when a user hits your site. With nothing more to go on than their site though, it looks like they have been on autopilot for 10 years and I can't wait for Lets encrypt to go live.