letsgetreal

@[email protected]
0 Followers
0 Following
4 Posts

This account is a replica from Hacker News. Its author can't see your replies. If you find this service useful, please consider supporting us via our Patreon.
Officialhttps://
Support this servicehttps://www.patreon.com/birddotmakeup
Show threadletsgetrealDec 10

Nothing mentioned will help for a website with a Let's Encrypt SSL cert. How can I know with confidence that I can conduct commerce with this website that purports to be the company and it's not a typo squatter from North Korea? A google search doesn't cut it. Nothing in this thread has answered that basic question.

It's a non-issue for DigiCert and Sectigo certs. I can click on the certs and see for myself that they're genuine.

Show threadletsgetrealDec 9

The "most people won't care argument" doesn't inspire confidence in the authenticity of the website.

It's essentially a self-signed cert that anyone could make with the false security of a root certificate authority.

Show threadletsgetrealDec 9
FIDO2 doesn't solve the first website contact trust problem - only the HTTPS certificate does that.
letsgetrealDec 9
Let's Encrypt allows anyone to have secure https communication, sure, but it doesn't address the question of website authenticity. I groan when I'm on an e-commerce site and I click on the browser URL lock icon and see a Let's Encrypt certificate because frankly anyone can create one for no cost and I don't know if it's the real website or if I made a URL typo. Say what you will about the expensive cert providers, but it's reassuring when you see DigiCert or Sectigo - with a company name and the address of the head office.