
I applaud the Let's Encrypt founders, past and current team for solving the automation problem that's plagued the SSL/TLS industry.

The yin to that yang is a lack of trust. I have zero trust in a site owner using LE certs. Domain vetting only means control of the domain ... everything inside that beautifully encrypted traffic can be insightful, helpful or script kiddies scamming the vulnerable. If one finds the scam, LE shrugs, "not our problem bruh. We just issue certs to those who control the domain."

They single-handedly reduced the price of entry for douchebag asshats' ability to pretend to be someone they are not and harm a non-technical populace.

Two steps forward, one step backward.



What you're expressing was the mistake of overloading the meaning of a certificate and incorrectly teaching people that the lock meant trusted.

None of this was the fault of Let's Encrypt. They just exposed the mistakes that were OV and EV certificates and incorrect education.


I think history proved fairly convincingly that people would still get scammed with the old system. Given that, I'll take encrypted traffic almost universally across the internet and scams still being a thing over mostly unencrypted traffic any day.


I wish this statement to be true "... scams still being a thing over mostly unencrypted traffic any day." Sadly this falls in a similar category of domain validation.

I guess, take comfort where you can?


TLS or SSL never meant that kind of safety in the first place. Even before LE, there was no guarantee that HTTPS means it's not a scam, and the PKI system has never been meant to guarantee that anyway! Let's Encrypt didn't change anything here, and they're doing exactly what they or any other CA is supposed to do.



