[sf-lug] SF-LUG & SSL/TLS: now proper certs on SF-LUG sites thanks to https://letsencrypt.org/ :-)
Rick Moen
rick at linuxmafia.com
Wed Dec 9 20:48:39 PST 2015
Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> Yes, the CA model is broken, but it has the full trust of all
> e-commerce, and that's just the tip of the iceberg.

Rumour has it that that plus $2.25 will get you a ride on Muni.

> This page is a good read, especially all the comments:
> https://blog.archive.org/2015/11/24/difficult-times-at-our-credit-union/

Yes, I followed the story of Internet Archive FCU as it happened.

Meanwhile, my preferred solution to the unreliability of CAs is: Just
don't rely on them. E.g., if attestation for the cert of my credit
union suddenly changes and it's now signed by Disig in Slovakia,
CertWatch (http://certwatch.simos.info) will tell me in language easily
understandable as meaning 'Hullo, man-in-the-middle attack!'

I keep ssh and SSL key hashes with me for the sites I care about.
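
The check described in the message above, sketched as an added example that is not part of the original post and is not CertWatch's code: a locally kept hash per site, compared against whatever certificate the server presents. The function names and the host name are hypothetical, and the example assumes pinning the whole certificate, so a routine renewal also reports a change.

```python
import hashlib
import hmac
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate. No CA validation is done here:
    the locally stored pin, not the issuer, is what gets checked."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

def check_pin(pins: dict, host: str, der: bytes) -> str:
    """Compare a presented certificate against the pin recorded for host.

    Returns "first-seen" (pin recorded), "match", or "CHANGED".
    A changed certificate never overwrites the pin; re-pinning is a
    manual decision after verifying the new hash out of band.
    """
    seen = fingerprint(der)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        return "first-seen"
    if hmac.compare_digest(known, seen):
        return "match"
    return "CHANGED"

if __name__ == "__main__":
    # Constructed stand-ins for DER bytes so the demo runs offline;
    # use fetch_der("host") for a live check.
    pins = {}
    host = "creditunion.example"  # hypothetical host name
    for der in (b"constructed cert A", b"constructed cert A", b"constructed cert B"):
        print(host, check_pin(pins, host, der))
```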