Let’s Encrypt came too late

When I first heard about Let’s Encrypt I was pretty skeptical simply because I didn’t think someone could offer for free what Comodo and many others were offering for at least $50 a year without any backfires.

And even if unfair competition of the kind companies like Microsoft have perfected had been the least of their problems, as things look nowadays it is highly probable that Let’s Encrypt will become useless in the near future, simply because SSL has proven to be the most insecure security solution.

Just think about the impact of Heartbleed and POODLE, which put millions of customers at risk by potentially exposing access to their personal data.

Besides that, it has been a well-known fact for years that an SSL certificate is only good for encrypting the communication between the client browser and the web server, since that is its main role; it does not protect the data on the web server in any way. The SSL certificate may help prevent eavesdropping when folks like the NSA are on the line, but it offers no protection whatsoever for the data stored on the server, even though customers and website owners may be inclined to think it does.

Given the circumstances, I’d say that the SSL protocol will become less reliable, and as it becomes less reliable people will look for alternatives. It will not disappear in the near future, but Google moving to HSTS by default is clear proof that SSL is fading. And it’s a pity, because had Let’s Encrypt been introduced 10 years ago, widespread adoption of SSL would most probably have allowed freelance researchers to secure it better.
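Since the post leans on HSTS as evidence, it helps to see concretely what the mechanism does: a server that sends a `Strict-Transport-Security` header over HTTPS asks the browser to rewrite every later plain `http://` request to that host to `https://` for `max-age` seconds. The following is an added example, not code from the original post; it is a minimal model of a browser's HSTS cache (RFC 6797 semantics for `max-age`, `includeSubDomains` and expiry) with constructed header values and URLs.

```python
"""Minimal model of a user agent's HSTS policy store.

Added example, not from the original post. Header values, host names and
URLs below are constructed for illustration.
"""
import time
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str               # lower-cased host that sent the header
    expires_at: float       # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_hsts(host: str, header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value received from `host`.

    A header without a valid max-age is ignored, as RFC 6797 requires.
    max-age=0 yields a policy that has already expired, i.e. it removes the host.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_subdomains)


def policy_applies(policy: HstsPolicy, host: str, now: float) -> bool:
    """True if `policy` is still valid and covers `host` (exact or sub-domain)."""
    if now >= policy.expires_at:
        return False
    host = host.lower()
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def upgrade_url(url: str, policies: List[HstsPolicy], now: float) -> str:
    """Rewrite an http:// URL to https:// when a known HSTS policy covers its host.

    Port 80 is dropped (443 is implied); any other explicit port is kept,
    matching the URI rewriting rules in RFC 6797 section 8.3.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    for policy in policies:
        if policy_applies(policy, parts.hostname, now):
            netloc = parts.hostname
            if parts.port not in (None, 80):
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    now = time.time()
    # Constructed header, as a site would send it over HTTPS.
    policy = parse_hsts("example.com", "max-age=31536000; includeSubDomains", now)
    store = [policy] if policy else []
    for candidate in ("http://example.com/login", "http://www.example.com/",
                      "http://other.example/"):
        print(candidate, "->", upgrade_url(candidate, store, now))
```

The point the model makes visible is that HSTS only ever moves traffic *onto* TLS; it changes nothing about what the server does with the data once it is decrypted, which is the limitation the post describes above.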