197 points SGran | 1 comments
ray_v No.42730957
This feels like a disaster waiting to happen -- like what happens if (when?) Let's Encrypt suffers a significant outage and sites can't refresh certificates? Do we just tolerate a significant portion of the Internet being down or broken due to expired certificates? And for what tradeoff? A very small amount of extra security? Is this because certificate revocation is a harder problem to solve / implement at Internet scale?
mholt No.42731333
Fortunately, most ACME clients, including my own, support other CAs as fallbacks. (Caddy's ACME stack falls back to ZeroSSL by default, automatically.)

That, and extended week-long outages are extremely unlikely.

1. cyberax No.42732112
Plenty of clients don't have that option. E.g.: Synology NAS, Mikrotik routers.