On Tuesday, 1 June 2021 12:40:28 BST Michael Orlitzky wrote:
> On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
> > It's not that easy to do it with internal-only systems as Let's Encrypt
> > requires the hostname to be known externally.
> > And there are plenty of devices you do not want the whole internet to know
> > about.
>
> And in this situation LetsEncrypt does nothing but make security worse:
>
> * You have to trust the entire CA infrastructure rather than just your
> own CA. Many of the CAs are not just questionable, but like the
> governments of the USA and China, known to be engaged in large-scale
> man-in-the-middle attacks.
>
> * The LetsEncrypt certificates expire after three months, as opposed
> to 10+ years for a self-signed certificate. You're supposed to
> automate this... by running a script as root that takes input from
> the web? I'd rather not do that.
>
> * LetsEncrypt verifies your identity over plain HTTP (like every other
> commercial CA), so it's all security theater in the first place.
>
> There are plenty of arguments against LE even for public sites, but for
> private ones, it's a lot more clear-cut...
So what would you recommend for someone in the case Joost cites? I'm in that
position, being a home user of a small network but no registered Internet name.

-- 
Regards,
Peter.
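The quoted message contrasts Let's Encrypt with trusting "just your own CA" and long-lived self-signed certificates for hosts that are not externally resolvable. The script below is an added example, not code from this mailing-list thread or from any of its posters: it builds a minimal private CA with the openssl command line (a self-signed CA certificate with a ten-year lifetime, as the thread mentions), issues a leaf certificate for an internal host with a subjectAltName, and verifies the chain. The hostname nas.home.lan, the address 192.168.1.10, the lifetimes, key sizes, and all file paths are constructed placeholders; it assumes an OpenSSL 1.1.1 or newer CLI and a POSIX shell.

```shell
#!/bin/sh
# Minimal private CA for internal-only hosts (added example; names and paths are
# constructed). Only ca.crt is distributed to clients; ca.key stays offline.
set -eu

# make_ca DIR: create a self-signed CA key and certificate valid ~10 years.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Home Lab Private CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# issue_cert CADIR OUTDIR HOST [IP]: key + CSR for HOST, signed by the CA.
# The SAN carries the DNS name (and optional IP); modern clients ignore the CN.
issue_cert() {
  cadir="$1"; outdir="$2"; host="$3"
  san="DNS:$host${4:+,IP:$4}"
  mkdir -p "$outdir"
  cat > "$outdir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$outdir/$host.cnf" \
    -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null
  # Leaf lifetime is an assumption (825 days); re-issue before expiry.
  openssl x509 -req -in "$outdir/$host.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$outdir/$host.cnf" -extensions leaf_ext \
    -out "$outdir/$host.crt" 2>/dev/null
  chmod 600 "$outdir/$host.key"
}

# verify_cert CA_CERT LEAF_CERT: exit 0 only if LEAF chains to CA_CERT.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_san CERT NAME: exit 0 if the certificate lists DNS:NAME in its SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo run in a scratch directory: build the CA, issue one host certificate,
# and show the checks a client would perform.
demo() {
  root="$(mktemp -d)"
  make_ca "$root/ca"
  issue_cert "$root/ca" "$root/hosts" nas.home.lan 192.168.1.10
  verify_cert "$root/ca/ca.crt" "$root/hosts/nas.home.lan.crt" && echo "nas.home.lan: chain OK"
  cert_has_san "$root/hosts/nas.home.lan.crt" nas.home.lan && echo "SAN present"
  echo "Trust anchor to distribute to clients: $root/ca/ca.crt"
}
demo
```

Clients on the network import only ca.crt as a trust anchor, so a certificate signed by any other CA, public or private, is rejected for these hosts; the leaf certificates still need re-issuing before they expire, which is the renewal question the thread leaves open.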