What is a Trusted CA?
This post is going to be inspired by the Kingsman : The Secret Service. In a nutshell; Samuel L Jackson’s character gives out Sim cards with unlimited minutes, text and internet. The Kingsman realise the simcards contain a payload which enables people close the associated phones which turns all of the users into killers.
Users do not question why Samuel L Jackson is giving out these sim cards, they see it as a good deal.
Is this happening in 2016? is there a company providing a free service which other companies charge a small premium for?
Let’s Encrypt was released in March 2016, it has an ethos of encrypting the entire web. The certificates are very easy to install and the root CA is currently installed into Chrome browsers, but plan to be installed into Firefox within Q4 of this year. However, are they a trusted CA? What makes a CA a Trusted CA. Is a company that gives a premium service away for free a trust worthy company? Or do they have a hidden agenda.
By all means, this post is not saying Let’s Encrypt are going to start turning all their web users into Killers, or even they have a hidden agenda for that matter. However, in a world where Governments are loosing the battle of encryption. How better to intercept all of the encrypted communications other than to become a Trusted Certificate Authority themselves?
Those of you who have looked into Let’s Encrypt, found they are partners with lots of blue chip partners such as : Cisco, Facebook, Mozilla and they are apart of the open source Linux foundation. Some of you may decide to trust them based on their credentials mentioned on their websites. However, it is important to remember trust is between two distinct parties. Just because I share my secret with a friend I trust, and they share that secret with their friend who they trust. It does not mean I trust the third friend.
In terms of the CA, just because lots of developers trust Let’s Encrypt it is still important to make your own judgement based on the facts available.