Let’s Encrypt are right: HTTPS does not mean a site can be trusted

Preface: Let’s Encrypt is a project that aims to make SSL certificates free and easily available to anyone and everyone. Their aim is to create a more secure internet. You can read all about them on their site. Also, for this article to make sense, you’ll need to understand two of the types of certificate available: Domain Validation and Extended Validation. Domain Validation certificates merely make sure your connection to a website is encrypted. Extended Validation certificates are used by companies to prove to users that they’re talking to a legitimate business, as well as that the connection to the server is encrypted.

Let’s Encrypt were recently in the news as a certificate issued by them was used by a malvertising website. Despite being made aware of this, they refused to revoke the cert. Most (if not all) other Certificate Authorities would revoke any certificate that’s used maliciously in order to prevent users being misled into thinking that they’re using a legitimate website because it uses HTTPS.
