I read that Let's Encrypt can be exploited by hackers. Is that true?

There is no known security vulnerability in Let's Encrypt that can be exploited. The "hacker threat" usually mentioned in this context relates to the type of certificate validation. Let's Encrypt certificates, like many paid SSL certificates, are domain-validated (DV) only. This means that to issue the certificate, the CA (certificate authority) checks only whether the certificate requester owns the domain. If a hacker gains access (usually through phishing) to your domain account at your domain registrar, they can create subdomains of your domain and issue security certificates for the subdomains as if they were the owner. This is called domain shadowing, and it can mislead people into believing they are visiting your website when in fact they are on a subdomain not related to your site at all.

A more secure type of validation is extended validation (EV). With EV, the CA also checks the identity of the certificate requester in addition to the domain ownership, even when issuing a certificate for a subdomain. At QServers we offer EV certificates as well.
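To spot the domain shadowing described above, a domain owner can compare the hostnames on certificates issued under their domain with the hostnames they actually run. The following is an added example, not QServers or Let's Encrypt code: it assumes you already have a list of issued certificates (publicly trusted CAs, Let's Encrypt included, publish theirs to Certificate Transparency logs), and the `CertRecord` shape, function names, hostnames and inventory are all hypothetical, constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CertRecord:            # hypothetical shape of one issued-certificate entry
    issuer: str
    not_before: str          # issuance date, ISO 8601
    dns_names: tuple         # hostnames the certificate covers

def normalize(name):
    return name.strip().rstrip(".").lower()

def covered(name, inventory):
    """True if name is an expected host or matches an expected wildcard entry."""
    if name in inventory:
        return True
    # "*.shop.example.com" in the inventory covers exactly one extra label.
    parent = name.split(".", 1)[1] if "." in name else ""
    return "*." + parent in inventory

def find_unexpected(records, domain, inventory):
    """Return (hostname, issuer, date) for names under domain missing from inventory."""
    domain = normalize(domain)
    expected = {normalize(n) for n in inventory}
    findings = set()
    for rec in records:
        for raw in rec.dns_names:
            name = normalize(raw)
            # Suffix match on a label boundary, so "notexample.com" is not in the zone.
            in_zone = name == domain or name.endswith("." + domain)
            if in_zone and not covered(name, expected):
                findings.add((name, rec.issuer, rec.not_before))
    return sorted(findings)

# Constructed sample data, not real certificates.
SAMPLE_RECORDS = [
    CertRecord("Let's Encrypt", "2024-03-01", ("example.com", "www.example.com")),
    CertRecord("Let's Encrypt", "2024-03-02", ("Mail.Example.com.",)),
    CertRecord("Let's Encrypt", "2024-03-05", ("cdn7.shop.example.com", "notexample.com")),
    CertRecord("Let's Encrypt", "2024-03-09", ("account-verify.example.com",)),
    CertRecord("Let's Encrypt", "2024-03-10", ("*.example.com",)),
]
INVENTORY = {"example.com", "www.example.com", "mail.example.com", "*.shop.example.com"}

if __name__ == "__main__":
    for name, issuer, date in find_unexpected(SAMPLE_RECORDS, "example.com", INVENTORY):
        print(f"unexpected certificate: {name} issued {date} by {issuer}")
```

Any hostname this reports is one you did not create, which is a reason to review the DNS records and login history of your registrar account.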