Why Let’s Encrypt is a Really Bad Idea: Part II

Why I was purposefully ‘less than correct’

John Horst, CISSP® — ISSAP®
Published in The Startup
Jun 27, 2019 (5 min read)


I have been in information technology for almost 25 years now. There is a pattern that I have come to believe is almost like the speed of light… always the same, everywhere, an absolute constant.

Tech people and business people talking past each other.

When I wrote “Why Let’s Encrypt is a really, really, really bad idea,” I did two things on purpose. First, I wrote for the non-technical business person as my audience, to address the conclusion I believe they draw when they are told they should have an SSL certificate on their website and that Let’s Encrypt is free and automated. Second, I was purposefully “less than correct” when I said the following:

“You can suck up all of that traffic — and if you have the private keys from a CA like Let’s Encrypt you can decrypt the traffic from sites using their certificates.”

I did this in the context of the analogy of a lock strong enough to take a bullet, and pointed out that if the bad guy has the key, the size of the lock is meaningless.


I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech. https://goo.gl/2z5Snr