Why Let’s Encrypt is a really, really, really bad idea…

Did I mention it is a really bad idea???

John Horst, CISSP® — ISSAP®
Published in The Startup · 5 min read · Jun 23, 2019


UPDATE: When you’re done reading this, make sure to read my answer to my many critics. This also provoked a well-written response. In turn, I explain the value of an Extended Value SSL/TLS certificate.

Your web site’s ability to rank in Google search results is now a function of whether you use Secure Sockets Layer (SSL). Or, to put it another way, whether it is served from a URL starting with “https”.

In an effort to promote the use of SSL across the web, industry participants have formed Let’s Encrypt, a service provided by the Internet Security Research Group. The service has taken off, with major hosting providers creating tools to automatically create SSL certificates and install them on hosted sites. Sounds like an advance in cyber security, right?

Uh…, maybe not?

Cipher Strength, Key Management, and the “Threat Surface”

The heart of encryption is the encrypting key. Imagine for a moment you have a real-world lock big and strong enough to withstand a 50 caliber rifle shot. What good is that if the bad guy ends up with the key? The digital analogy is the cipher strength of the certificate used to encrypt…
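The paragraph above argues that cipher strength is moot once someone else holds the key, which is a key-custody problem rather than a cryptography problem. The following is an added example, not code from the article or from Let’s Encrypt; it audits a directory for PEM private-key files that are readable or writable by anyone other than their owner, which is the most basic custody check an operator can run on any host where certificates are issued automatically. The directory layout, file names and key contents in `demo()` are constructed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

# PEM headers that mark a private key (PKCS#8, PKCS#1 RSA, SEC1 EC).
PRIVATE_KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


def looks_like_private_key(path: Path) -> bool:
    """Return True if the file begins with a PEM private-key header."""
    try:
        with path.open("r", encoding="utf-8", errors="ignore") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.lstrip().startswith(PRIVATE_KEY_MARKERS)


def key_exposure_findings(path: Path) -> list[str]:
    """Describe who besides the owner can touch the key file.

    Returns an empty list when only the owner has access (e.g. mode 0600).
    """
    mode = path.stat().st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by others")
    return findings


def audit_key_directory(root: Path) -> dict[str, list[str]]:
    """Walk root, find PEM private keys, and map each exposed one to its findings."""
    exposed: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and looks_like_private_key(p):
            findings = key_exposure_findings(p)
            if findings:
                exposed[str(p)] = findings
    return exposed


def demo() -> dict[str, list[str]]:
    """Constructed sandbox: two placeholder keys, one locked down and one exposed."""
    root = Path(tempfile.mkdtemp(prefix="keyaudit-"))
    good = root / "live" / "good.example" / "privkey.pem"  # hypothetical path
    bad = root / "live" / "bad.example" / "privkey.pem"    # hypothetical path
    for p in (good, bad):
        p.parent.mkdir(parents=True)
        # Placeholder body, not real key material.
        p.write_text(
            "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
        )
    os.chmod(good, 0o600)  # owner-only: no findings
    os.chmod(bad, 0o644)   # group- and world-readable: flagged
    return audit_key_directory(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(f"{path}: {', '.join(findings)}")
```

Run it against a real certificate directory by calling `audit_key_directory(Path("/path/to/keys"))`; only the permission bits are inspected, so the script never needs to parse or load the key itself.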

