Chris… I think you’ve missed a couple important points: First, if a blog site has no information needing protection I have said LE is perfectly fine. My objection is to representing to businesses that LE “secures” their website. It clearly does not.

Secondly, both for-profit and not-for-profit models have their strengths and weaknesses. For-profit models can incentivize cutting corners. Not-for-profit models can incentivize laziness. I sought to point out the weaknesses in the not-for-profit model. Again, LE is just as convenient for criminal intent as it is for legitimate intent.

My article explaining the value of Extended Validation (EV) certs is based on domain spoofing — an emerging challenge in cyber security.

Here’s a real-world example: My company (and I am not identifying it because I do not want to be accused of cheaply trying to attract marketing attention to it) is renewing its cert right now. We are in the process of validating the org for an EV cert. The original DV cert expired yesterday. So I temporarily fired off an LE cert to keep the site encrypted. LE is perfect for my needs right now — a transitional period of a week or so until the EV cert validation is complete.

Now, you might complain my headline is a bit sensational in that context. Fair criticism… But I think you’ll agree that if I wrote a “technically sound” article, no one would have read it. Instead, I opened myself to a heap of ridicule (on purpose) so we could have a substantive discussion on the difference between encryption and trust.

Written by

I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech.
