Why Letsencrypt may still be a non-ideal


  • Netgate



  • An email address is a nonprivate piece of information, and presumably if you give it to a certificate authority, it's also publicly available in DNS records.

    I'm not sure what you're implying here.

    This is a SNAFU for sure, but no bigger deal than any other accidental such email leakage from any other company.

    Anyone who visits a web host who uses a Let's Encrypt certificate already knows they are a client, so that's not a secret either.  I don't see that there are that many secrets exposed by this leak.



  • SSN is a public identifier. You know when something isn't private when it's communicated over insecure channels like phones or used as your forced username for your bank along with your email address. A single piece of information isn't that important, but once you start to get leaked information from many sources, the collection as a whole can give you great access into someone's life.



  • @Harvy66:

    A single piece of information isn't that important, but once you start to get leaked information from many sources, the collection as a whole can give you great access into someone's life.

    The second part of that sentence is the key in this new "big data" world where everything, even seemingly useless single pieces of info., is vacuumed up and correlated to construct profiles that can be sold for ID theft.

    For instance, though I've never verified it, I've heard it said that with a birth date and last four SSN digits the full SSN can be constructed.  Perhaps some other info. may be needed too but you should get the idea.  If true then people have been duped and compromised by giving out those two pieces of info. even if not both to the same party.  Because if they get matched up in the "big data" world vacuum, the sky could be the limit.

    An email address may not seem all that sensitive.  But it could be a part of correlating other pieces of personal info. from disparate sources.

    Every little tidbit of information is valuable to someone somewhere for some reason.  Whether we think it is or not.

    Hence my online handle.  NOYB.  I don't think for one second that it makes me anonymous.  It's mostly a statement on the practice of gathering completely unnecessary personal information to conduct some sort of transaction.  Only what is necessary for conducting the transaction should be requested and provided.  Anything beyond that should be challenged and refused.


  • LAYER 8 Netgate

    I don't see how the release of a bunch of email addresses has anything to do with the fact that it was letsencrypt that did it. It's less damaging than, say, adultfriendfinder. Was a rookie mistake though.

    I do hope they are more careful with their signing keys.


  • Netgate

    @Derelict:

    I don't see how the release of a bunch of email addresses has anything to do with the fact that it was letsencrypt that did it. It's less damaging than, say, adultfriendfinder. Was a rookie mistake though.

    I do hope they are more careful with their signing keys.

    This is really all I was attempting to say.  They need to get a lot better at operations (including opsec) before they're to be fully trusted with what they're attempting.

