Why Let’s Encrypt is a Really Bad Idea: Part II
I have been in information technology for almost 25 years now. There is a pattern that I have come to believe is almost like the speed of light… always the same, everywhere, an absolute constant.
Tech people and business people talking past each other.
When I wrote “Why Let’s Encrypt is a really, really, really bad idea.” I did two things on purpose: First, I wrote to the non-technical business person as an audience to address what I believe to be the conclusion they draw when they are told they should have an SSL certificate on their website, and that Let’s Encrypt is free and automated. Second, I purposefully was “less than correct” when I said the following:
“You can suck up all of that traffic — and if you have the private keys from a CA like Let’s Encrypt you can decrypt the traffic from sites using their certificates.”
I did this in the context of the analogy of a lock strong enough to take a bullet, and pointed out that if the bad guy has the key, the size of the lock is meaningless.
Why did I do this? Because after having been around tech for 25 years, I knew exactly what would happen next: The pocket protector set would rise up en masse with outrage to explain how stupid I am. And that is exactly what happened. And now, with about 205K views on the article, we are all talking about cybersecurity broadly, encryption in particular, but most importantly about how the non-technical business person sees something very different when looking at the same thing we are looking at, because they are looking from a completely different perspective.
Dishonest, you say? Clickbait? That might be a fair objection, but it is inaccurate nonetheless. It would be accurate if I was plugging the business I just bought. But I am not plugging anything other than, as Steve Jobs put it when he spoke to the 2005 graduating class at Stanford: “Don’t be trapped by dogma, which is living with the results of other peoples’ thinking.”
The article was provoked by my noticing that every single one of my clients’ sites (the vast majority of which were created before I bought the business) were on Let’s Encrypt. It was also provoked by an audit I just participated in on a well-known SaaS provider. Their production systems were using self-signed certs(!). I immediately threw the BS flag and asked to see documentation on their Key Management System.
What Matters in Cybersecurity — And What Doesn’t
I was castigated for potentially misleading the reader about the inner workings of encryption. Guess what? It doesn’t matter. Not even a single bit. Non-technical business people simply do not care, nor should they care, about the inner workings of encryption. What they should care about is trust. The best thing we can do for them is help them think about the data they work with, and what it is they trust to maintain the confidentiality, integrity, and availability of that data (if that is even necessary). Encryption is not what we trust when we use SSL (or TLS… one response chastised me for referring to it as SSL, a perfect example of the difference between writing for the tech crowd versus the non-technical business person). We trust the issuing Certificate Authority: its Key Management System and the controls around issuance. If that trust fails, the concrete failure is mis-issuance, meaning someone else obtains a valid certificate for your domain name and can impersonate your site, which is the lock-and-key problem of the first essay restated.
Others have pointed out the Symantec affair and how everything I said can apply to for-profit Certificate Authorities. That is certainly correct, and utterly beside the point of watching everyone piling into a single source of trust. It turns out IdenTrust cross-signs the intermediate certificates used in the Let’s Encrypt chain of trust, so the same intermediate is also anchored in a second root. This mitigates the risk of depending on a single root, but it also validates the larger point, which is noticing the risk.
Two former clients of the business I bought have required a rebuild of their sites in part because they believed their site was secure because it had an SSL certificate. This is the unintended consequence of “free” and “automatic” as I argued in the essay; it fosters a “fire and forget” complacency in the non-technical business community.
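The cross-signed chain described above, and the renewal check that “fire and forget” skips, as an added Go example that is not part of the original post. The hierarchy is synthetic: “Root A” and “Root B” are stand-ins for ISRG’s own root and the IdenTrust root that cross-signs Let’s Encrypt’s intermediate, every key and name is generated on the fly, and the 90-day lifetime and 30-day renewal window are Let’s Encrypt’s published defaults rather than anything taken from a real certificate.

```go
package main

// Added example, not code from the original post: a synthetic CA hierarchy in
// which one intermediate key is certified by two independent roots ("Root A"
// stands in for ISRG's own root, "Root B" for the IdenTrust root that
// cross-signs it). It shows a leaf validating against either root alone, and a
// renewal check against the 90-day lifetime / 30-day renewal window that
// Let's Encrypt clients use. Everything here is generated locally.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the constructed chain. InterA and InterB share a subject and
// public key; only the issuing root differs (that is the cross-sign).
type Hierarchy struct {
	RootA, RootB, Other, InterA, InterB, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for pub, signed by priv, which must be parent's key.
// A self-signed root passes itself as parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, name string, now time.Time, life time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(life),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildHierarchy generates fresh keys and issues every certificate at "now".
func BuildHierarchy(now time.Time) Hierarchy {
	year := 365 * 24 * time.Hour
	var h Hierarchy
	rootAKey, rootBKey, otherKey, interKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey(), mustKey()

	ta := caTemplate(1, "Root A", now, 20*year)
	tb := caTemplate(2, "Root B", now, 20*year)
	to := caTemplate(3, "Unrelated Root", now, 20*year)
	h.RootA = sign(ta, ta, &rootAKey.PublicKey, rootAKey)
	h.RootB = sign(tb, tb, &rootBKey.PublicKey, rootBKey)
	h.Other = sign(to, to, &otherKey.PublicKey, otherKey)

	// One intermediate key, two certificates for it: the cross-sign.
	ti := caTemplate(10, "Example Intermediate", now, 5*year)
	h.InterA = sign(ti, h.RootA, &interKey.PublicKey, rootAKey)
	h.InterB = sign(ti, h.RootB, &interKey.PublicKey, rootBKey)

	tl := &x509.Certificate{
		SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames:  []string{"example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), // 90-day leaf
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	h.Leaf = sign(tl, h.InterA, &leafKey.PublicKey, interKey)
	return h
}

// ChainsTo reports whether h.Leaf validates for host when root is the only
// trust anchor and both intermediate certificates are offered, as a server
// would send them in the handshake.
func ChainsTo(h Hierarchy, root *x509.Certificate, host string, now time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(h.InterA)
	inters.AddCert(h.InterB)
	_, err := h.Leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: now,
	})
	return err == nil
}

// RenewalDue is the check "fire and forget" skips: true when fewer than
// renewBefore remains on the certificate (or it has already expired).
func RenewalDue(c *x509.Certificate, now time.Time, renewBefore time.Duration) bool {
	return c.NotAfter.Sub(now) < renewBefore
}

func main() {
	now := time.Now()
	h := BuildHierarchy(now)
	for _, r := range []*x509.Certificate{h.RootA, h.RootB, h.Other} {
		fmt.Printf("anchored only in %q: valid=%v\n", r.Subject.CommonName, ChainsTo(h, r, "example.com", now))
	}
	day := 24 * time.Hour
	fmt.Println("renewal due today:", RenewalDue(h.Leaf, now, 30*day))
	fmt.Println("renewal due in 65 days:", RenewalDue(h.Leaf, now.Add(65*day), 30*day))
}
```

The point the code makes is the one above: the cross-sign widens which trust stores accept the chain, because the same intermediate key validates against either root on its own, but it does not change how many keys a site’s security rests on, and a 90-day leaf still has to be renewed inside its window whether or not anyone is watching.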
This is not their fault for not understanding; it is our fault for crowding into the same perspective, congratulating ourselves on how smart we are, and looking down on all those poor, non-technical folks… who are just trying to run the businesses that end up funding our paychecks.
Lastly, some have responded by saying that personal websites, blogs, etc. are being subject to stigma by Google for not having a certificate. I sympathize with them, and think Let’s Encrypt is a terrific solution. I also agree with what Google is doing… forcing websites to have at least the basics.
If someone has a website, all they really need to do is ask whether their site has any of these three kinds of data: personally identifiable info (PII — even a name + email address may be enough to fall under this category), proprietary information (such as intellectual property or information covered under an NDA), and what I call “Competitive Value” information. This is internal information which, if obtained by a competitor, would disadvantage the company in their market. If the site does not handle any of these kinds of information, then there is no question of what is trusted to protect confidentiality, integrity, and/or availability. Let’s Encrypt is a perfectly suitable option.
I still think Let’s Encrypt is, on balance, a bad idea because:
1) Businesses which do have the above kinds of data are piling into a single source of trust;
2) Free and automated is engendering a fire-and-forget complacency about security; and
3) The not-for-profit model seems to be uncritically accepted as a better model, when it may well not be.