It sounds like your argument against Let’s Encrypt is essentially: “A for-profit company has more to lose from an inside hacker compromising their private keys.” This seems like quite a weak foundation.

First, the potential impact to a CA of a breach would not stop your theoretical insiders, as their goal is to obtain the keys, not protect the company. If anything, the downfall of a company would be a trophy for them.

Second, it is an insult to those working on Let’s Encrypt to say that, basically, they don’t care as much because it’s a free service. The founding principles of Let’s Encrypt are to secure the internet. That is their main purpose, their entire reason for existing. What’s the main driver for a commercial CA? To make money and maximise profit, above all else.

There are employees working at Let’s Encrypt who, like most of us, depend upon their salary to live on, which tends to be a motivator for good work.

Regardless of salary, free does not equal inept. There are many organisations that rely on incredibly motivated volunteers to provide incredible services, including volunteer firefighters and medical providers.

Lastly, you make it sound like Let’s Encrypt is just a couple of guys in their bedrooms who have nothing to lose. The involved parties and members of the Let’s Encrypt board include people from Google, Cisco, Akamai, the EFF and Mozilla, to name just a few. If that’s not enough reputational involvement for you, then I have no idea what is.

Written by

Solution Architect based in Oslo
