| ▲ | mook 14 hours ago |
| Yeah, I hate how it made housing things locally without a proper domain name very difficult. My router _shouldn't_ have a globally recognized certificate, because it's not on a publicly visible host. There are certainly advantages to easily available certificates, but that has enabled browsers and others to push too far; to be sure, though, that's not really a fault of Let's Encrypt, just the people who assume it's somehow globally applicable. |
|
| ▲ | crapple8430 11 hours ago | parent [-] |
| A related issue is that most consumer devices (both iPhone and current Android) make it impossible or extremely difficult to trust your own root CA for signing such certs. |
| |
| ▲ | ingenium 6 hours ago | parent | next [-] |
| Android is pretty easy, you just add it to the keystore and that's it. I've had my own CA long before Let's Encrypt, but now mostly only use it for non-public devices that can't easily use Let's Encrypt (printers, switches, etc.). |
| ▲ | crapple8430 6 hours ago | parent [-] |
| You can add it to your user CA store, but no app will trust it since it's treated differently from the system CA store, which you can't modify without root or building your own ROM. In effect it is out of reach for most normal users, as well as people using security-focused ROMs like Graphene, when ironically it can improve security in transit in many cases. |
| |
| ▲ | iso1631 40 minutes ago | parent | prev [-] |
| I don't want to trust my own root CA as I don't trust myself to keep it secure. I want to import it only for a specific set of domains. "Allow this rootca to authenticate mydomain.com, addmanager.com, debuggingsite.com", which means even if compromised it won't be intercepting mybank.com |
|
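
Added example, not part of the thread: the X.509 name constraints extension (RFC 5280, section 4.2.1.10) is the standard way to restrict a CA to specific names, which is the restriction the last comment asks for. This Python sketch models only the dNSName subtree check a validator applies to a leaf's SAN entries; the function names are hypothetical, and the domains are the ones from the comment plus constructed test names.

```python
# Added example: simplified model of the RFC 5280 dNSName name-constraints check.
# Not a full path validator; it only decides whether a leaf's DNS names are in scope.

def _labels(name: str) -> list:
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name: str, constraint: str) -> bool:
    """True if `name` equals `constraint` or adds whole labels to its left.

    Comparing label lists (not string suffixes) keeps "evilmydomain.com"
    from matching a "mydomain.com" constraint.
    """
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def leaf_allowed(san_dns_names, permitted, excluded=()):
    """Return (ok, rejected_names) for a leaf issued under a constrained CA.

    Every dNSName in the leaf must fall inside a permitted subtree and outside
    all excluded subtrees; one out-of-scope name rejects the whole certificate.
    Assumption: `permitted` is non-empty (the CA carries a permitted list).
    """
    rejected = [
        name for name in san_dns_names
        if any(in_subtree(name, e) for e in excluded)
        or not any(in_subtree(name, p) for p in permitted)
    ]
    return (not rejected, rejected)

# Permitted subtrees for the private root, as listed in the comment.
PERMITTED = ["mydomain.com", "addmanager.com", "debuggingsite.com"]

if __name__ == "__main__":
    # Constructed SAN lists: in-scope host, out-of-scope host, mixed list, look-alike.
    for sans in (["router.mydomain.com"],
                 ["mybank.com"],
                 ["mydomain.com", "mybank.com"],
                 ["evilmydomain.com"]):
        print(sans, leaf_allowed(sans, PERMITTED))
```

Whether a given client enforces name constraints on a locally added root depends on its TLS library, so check that on each device before relying on it.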