Why Let’s Encrypt is a Really Bad Idea: Part II

Why I was purposefully ‘less than correct’

I have been in information technology for almost 25 years now. There is a pattern that I have come to believe is almost like the speed of light… always the same, everywhere, an absolute constant.

Tech people and business people talking past each other.

When I wrote “Why Let’s Encrypt is a really, really, really bad idea.” I did two things on purpose: First, I wrote to the non-technical business person as an audience to address what I believe to be the conclusion they draw when they are told they should have an SSL certificate on their website, and that Let’s Encrypt is free and automated. Second, I purposefully was “less than correct” when I said the following:

I did this in the context of the analogy of a lock strong enough to take a bullet, and pointed out that if the bad guy has the key, the size of the lock is meaningless.

Why did I do this? Because after having been around tech for 25 years, I knew exactly what would happen next: The pocket protector set would rise up en masse with outrage to explain how stupid I am. And that is exactly what happened. And now, with about 205K views on the article, we are all talking about cybersecurity broadly, encryption in particular, but most importantly about how the non-technical business person sees something very different when looking at the same thing we are looking at, because they are looking from a completely different perspective.

Dishonest, you say? Clickbait? That might be a fair objection, but inaccurate nonetheless. It would be accurate if I were plugging the business I just bought. But I am not plugging anything other than, as Steve Jobs put it when he spoke to the 2005 graduating class at Stanford: “Don’t be trapped by dogma, which is living with the results of other peoples’ thinking.”

If you want to appreciate the value of different perspectives, listen to this speech and consider how the perspective of a calligraphy class transformed the computer.

The article was provoked by my noticing that every single one of my clients’ sites (the vast majority of which were created before I bought the business) were on Let’s Encrypt. It was also provoked by an audit I just participated in on a well-known SaaS provider. Their production systems were using self-signed certs(!). I immediately threw the BS flag and asked to see documentation on their Key Management System.


What Matters in Cybersecurity — And What Doesn’t

I was castigated for potentially misleading the reader about the inner workings of encryption. Guess what? It doesn’t matter. Not even a single bit. Non-technical business people simply do not care, nor should they care, about the inner workings of encryption. What they should care about is trust. The best thing we can do for them is help them think about the data they work with, and what it is they trust to maintain confidentiality, integrity, and availability of that data (if such is even necessary). Encryption is not what we trust when we use SSL (or TLS… one response chastised me for referring to it as SSL — a perfect example of the difference between writing for the tech crowd vice the non-technical business person). We trust the Key Management System of the issuing Certificate Authority.

Others have pointed out the Symantec affair and how everything I said can apply to for-profit Certificate Authorities. That is certainly correct, and utterly beside the point of watching everyone piling into a single source of trust. It turns out IdenTrust cross-signs the intermediate certificates used in the Let’s Encrypt chain of trust. This mitigates the risk, but also validates the larger point — which is noticing the risk.

Two former clients of the business I bought have required a rebuild of their sites in part because they believed their site was secure because it had an SSL certificate. This is the unintended consequence of “free” and “automatic” as I argued in the essay; it fosters a “fire and forget” complacency in the non-technical business community.

Lastly, some have responded by saying that personal websites, blogs, etc. are being subject to stigma by Google for not having a certificate. I sympathize with them, and think Let’s Encrypt is a terrific solution. I also agree with what Google is doing… forcing websites to have at least the basics.

If someone has a website, all they really need to do is ask whether their site has any of these three kinds of data: personally identifiable info (PII — even a name + email address may be enough to fall under this category), proprietary information (such as intellectual property or information covered under an NDA), and what I call “Competitive Value” information. This is internal information which, if obtained by a competitor, would disadvantage the company in their market. If the site does not handle any of these kinds of information, then there is no question of what is trusted to protect confidentiality, integrity, and/or availability. Let’s Encrypt is a perfectly suitable option.

I still think Let’s Encrypt is, on balance, a bad idea because:

1) Businesses which do have the above kinds of data are piling into a single source of trust;

2) Free and automated is engendering a fire-and-forget complacency about security; and

3) The not-for-profit model seems to be uncritically accepted as a better model, when it may well not be.


John Horst, CISSP® — ISSAP®

Written by

I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech. https://goo.gl/2z5Snr
