Let's Encrypt is for encryption!

… and not for validating a website's identity!

Seriously, I love Let's Encrypt and the idea of providing free TLS certificates (e.g. for HTTPS) and renewing them automatically. In my opinion, there is no reason not to use it when you just want to secure your traffic using TLS encryption.

I have often heard that Let's Encrypt provides "false security" because everyone who owns a domain can create as many certificates as they want, even if their intentions are bad. And the lock symbol in the browser's address bar makes people think that the site is trustworthy.

Yeeeessss… I see the point, but that's not a problem of Let's Encrypt! The purpose of Let's Encrypt is to bring TLS (and thus HTTPS) to the masses! Let's Encrypt allows you to encrypt your traffic using TLS - no more, no less. The purpose is not to prove a website is trustworthy! If you really want to prove that you are a trustworthy organization that really exists, you need a higher validation level. Also, domain-validated certificates existed long before Let's Encrypt - Let's Encrypt's certificates are nothing more than automatically validated domain-validated certificates.

Just keep using Let's Encrypt. There is no reason not to do so. Don't let people tell you Let's Encrypt's certificates are not real certificates. If you just want to encrypt traffic using TLS, you're fine.

Published on 2022-07-27, 19:50 +0000