LetsEncrypt, Paypal and selling fear

People don’t understand SSL/TLS

There is a new report that associates Let’s Encrypt with phishing. So lots of people in Twitter started screaming because they read phishing and Paypal in the same sentence.

Let’s Encrypt is a foundation that gives certificates away for free. Not only that. Let’s Encrypt is trying to make installing and renewing a certificate effortless.

I decided to read the report which is more a blog post.

Apparently the argument of the report is that Let’s Encrypt doesn’t do a proper validation before giving away the certificates. So many sites use the services in what appear to be Paypal phishing sites.

But the report doesn’t say that domain name sellers are not doing proper validation before selling a phishing domain.

But here comes the twist. The blog post appears in a site called hashedout.

Under hashedout’s icon you can see in small letters “by The SSL store”. It turns out that the blog is from a company that sells certificates.

A company that sells certificates creates a report criticising a foundation that gives certificates away for free.Yes. I know that they are different kind of certificates.

In fact the argument is that the certificates they sell are given only after a proper validation.

Anyway, what kind of certificates do they sell?

Cheap!!!

Yeah, a lot of Symantec, Thawte and GeoTrust.

The same Symantec, Thawte and GeoTrust that have been incorrectly emitting certificates (including extended validation certificates, those that have a name in green too) without proper validation.

The same Symantec, Thawte and GeoTrust that are going to be distrusted by at least a major browser.

There is a serious problem with PKI.

But guys, you have a nerve.



First published here