I am going to write a follow-on titled “Why Let’s Encrypt is a Bad Idea… Part II.” We’ll see what Medium does with it, but here is what I am going to explain:

  1. I just bought a web design business. Probably over 100 clients over the past few years, and every single one is on LE. I carry cyber insurance so I will be looking closely at what kinds of data these clients work with and on that basis be recommending certain security steps. Because I know that the KMS of the CA is the real object of trust, not the cert or the cipher, I immediately see risk having ALL of my clients on ONE CA.
  2. I just got done helping two clients rebuild after being hacked from work done prior to me buying the business. Both thought they were secure because they had an SSL cert. You and I both know there is a lot more to security than that. LE’s approach has an unforeseen consequence — complacency on the part of non-technical business people. I am writing for them.
  3. I was purposefully less than correct in how I explained PKI — because the point was not to explain PKI. The point of purposefully being less than correct was that, after having done this work for over 20 years, I knew exactly what would happen — the pocket protector set would be triggered with outrage. The result? That article is pushing toward 100K views now…
  4. Everyone is reading/talking encryption, trust, cyber security, etc. If I have to trigger a heap of ridicule to get the pocket protector set to think outside their bubble, well… OK.

I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech.