Daniel Pocock Brought Back the Site of Let's Encrypt's Founder and Proved That Let's Encrypt Does Not Verify Authenticity
Let's Encrypt (part of Linux Foundation, hostage of GAFAM) and other prominent CAs may say it's "cheap" or "free" to get a 'valid' certificate (well, valid as in "OK" from their own and subjective point of view, till they change their minds). There's something dangerous about this cartel or cabal of so-called "trust" (chain thereof). It resembles Mastodon's secret blacklists for "the Fediverse": authoritarian groupthink. Does a site with a "certificate" or some bytes from Let's Encrypt signal that it's safe? That it is authentic? No. Any malicious site, even a site that serves malware, can get a certificate from Let's Encrypt.
So what does that even accomplish or signal? Is that any more about security than "secure" boot is? It's good at locking people out of their own PC, even when nothing is wrong with the PC (or server [1, 2]).
Now that Peter Eckersley's site is back online, it's a good time to revisit his "child", Let's Encrypt, which is slipping away in Geminispace. 2 days ago only 42 capsules were known to be using Let's Encrypt, yesterday it was down to 41, and today:
So... yes. It's down to 40 now. Top capsules in Lupa:
techrights.org served 21,602 Gemini requests yesterday. It used its own self-signed certificate, because in Gemini the client software does not scream and shout if one doesn't outsource trust to a CA: the client remembers the certificate it saw first and only complains when that certificate changes. Gemini Protocol isn't made by a bunch of clowns.
Outsourcing trust is simply not security, and barely even authenticity. As Daniel Pocock put it yesterday: "After securing Peter's domain, I immediately wanted to run certbot from Peter's Let's Encrypt project and obtain a certificate. Should it really be this easy to obtain a certificate for a domain previously owned by somebody else? Make of that what you will." █
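As an added example (not code from this page, from Techrights, or from any real Gemini client), here is the trust-on-first-use (TOFU) pinning model that Gemini clients use for self-signed certificates, the thing that makes the "no screaming and shouting" above work. It also shows why the domain handover Pocock describes looks different to a pinning client than to a CA: a freshly issued certificate for a domain that changed hands is a new key, so the pin no longer matches. The certificate bytes, host name and `simulate()` scenario are constructed stand-ins; only the standard library is used.

```python
"""Trust-on-first-use (TOFU) certificate pinning, the model Gemini clients use
instead of a CA chain. Added example, not code from the page or any Gemini
client. Certificates are represented by their DER bytes; the values below are
constructed stand-ins, not real X.509 data."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: fingerprint pinned"
    MATCH = "matches pinned fingerprint"
    CHANGED = "fingerprint CHANGED: refuse and ask the user"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual pin format for self-signed certs.
    Note that the hash covers the whole certificate, so who signed it (a CA or
    the server itself) is irrelevant to the pin: only 'same bytes as before'
    counts."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TofuStore:
    """Persistent map host -> pinned fingerprint (kept in memory here)."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so pin and proceed.
            self.pins[host] = fp
            return Verdict.FIRST_USE
        if pinned == fp:
            return Verdict.MATCH
        # Mismatch: never overwrite the pin silently. The user (or an operator
        # policy) has to decide whether this is a planned key rotation or a
        # server that is no longer run by the party they trusted.
        return Verdict.CHANGED

    def accept_new(self, host: str, cert_der: bytes) -> None:
        """Explicit decision to trust a changed certificate (e.g. planned rotation)."""
        self.pins[host] = fingerprint(cert_der)


def simulate() -> list:
    """Constructed scenario: original operator's cert, a repeat visit, then a
    certificate issued to whoever holds the domain after it changed hands."""
    host = "example-capsule.invalid"            # constructed host name
    original_cert = b"DER-bytes-of-original-self-signed-cert"   # constructed
    new_owner_cert = b"DER-bytes-of-cert-issued-to-new-holder"  # constructed
    store = TofuStore()
    return [
        store.check(host, original_cert),   # FIRST_USE: pinned
        store.check(host, original_cert),   # MATCH: same bytes, same operator
        store.check(host, new_owner_cert),  # CHANGED: a CA may have signed it,
                                            # but it is not the cert pinned before
    ]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict.value)
```

The design choice worth noting is in `check()`: a mismatch is returned, not repaired. A TOFU client that silently re-pins on change would degrade to "trust whoever answers today", which is exactly the property the domain-validated CA model already has.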