Is there any security risk when a certificate authority is used more than all others?



  • According to NetTrack, Let's Encrypt is now used on more than 50% of domains (51.21% as of April 2018).

    I know Let's Encrypt helped a lot of people to get free certificates for their websites, so I think its existence was a very good thing for the web.

    But does the fact that a certificate authority is used by the majority of users cause security risks?


    Note: this question is CA-agnostic, even if Let's Encrypt is the main CA today.



  • TL;DR: It does not matter much.

    The only security "risk" here really is the CA being "Too big to fail", where the browsers cannot distrust the CA quickly. But this is happening to all big CAs, not just the biggest one.

    Other than that, the only problem may be the CA being a more tempting target, though all CAs are already very tempting. Having all the eggs in one basket has its advantages and its disadvantages in this situation. The advantage is that you need to protect just one basket; the disadvantage is that if that basket breaks, the impact is somewhat bigger (assuming technologies like CAA and HPKP are used, otherwise it does not matter how big the CA is).
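    The answer's caveat hinges on CAA: a CAA policy is what makes "which CA signed it" matter, because it limits which CAs are allowed to issue for a name, so a compromise at one CA cannot be used against domains that never authorised it. The following is an added example, not part of the original answer, that evaluates CAA policy the way RFC 8659 describes (walk from the name toward the root, take the first record set found, then apply `issue` / `issuewild` and the critical flag). The zone data is constructed for illustration; `letsencrypt.org` is the issuer domain name Let's Encrypt publishes for CAA, while `other-ca.example` and the `accounturi` value are placeholders.

```python
"""Evaluate DNS CAA policy (RFC 8659) against a constructed zone (added example)."""

from typing import Dict, List, Optional, Tuple

# A CAA resource record as (flags, tag, value). Flag bit 7 (value 128) is
# the "issuer critical" bit: a CA that does not understand a critical tag
# must not issue.
CaaRecord = Tuple[int, str, str]

# Constructed zone data, keyed by owner name. "other-ca.example" is a
# placeholder issuer domain name, not a real CA identifier.
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),            # only Let's Encrypt may issue
        (0, "issuewild", ";"),                      # nobody may issue wildcard certs
        (0, "iodef", "mailto:caa-reports@example.com"),
    ],
    "legacy.example.com": [
        # Subdomain with its own policy, restricted to a (placeholder) second CA.
        (0, "issue", "other-ca.example; accounturi=https://other-ca.example/acct/42"),
    ],
    "locked.example.com": [
        (128, "future-tag", "unknown"),             # critical property no CA understands
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(zone: Dict[str, List[CaaRecord]], fqdn: str
                     ) -> Optional[Tuple[str, List[CaaRecord]]]:
    """Return the Relevant Resource Record Set (RFC 8659 section 3):
    the records at the first owner name, walking from the FQDN toward the
    root, that has any CAA records. A wildcard request *.X uses the set for X."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate)
        if records:
            return candidate, list(records)
    return None


def issuer_domain(value: str) -> str:
    """The issuer-domain-name is the part of the value before any ';' parameters.
    A bare ';' therefore yields '' (no CA is authorised)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Dict[str, List[CaaRecord]], fqdn: str, ca_domain: str) -> bool:
    """Decide whether a CA identified by ca_domain may issue for fqdn."""
    found = relevant_caa_set(zone, fqdn)
    if found is None:
        return True  # no CAA anywhere up the tree: any CA may issue
    _, records = found

    # Section 4.1: an unrecognised property with the critical flag forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False

    # Section 4.2/4.3: wildcard requests are governed by issuewild when present,
    # otherwise by issue; non-wildcard requests are governed by issue only.
    wildcard = fqdn.startswith("*.")
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"

    allowed = [issuer_domain(v) for _, t, v in records if t.lower() == tag]
    if not allowed:
        return True  # only iodef (or nothing relevant) present: unrestricted
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    checks = [
        ("www.example.com", "letsencrypt.org"),
        ("www.example.com", "other-ca.example"),
        ("*.example.com", "letsencrypt.org"),
        ("legacy.example.com", "letsencrypt.org"),
        ("host.locked.example.com", "letsencrypt.org"),
        ("host.example.org", "letsencrypt.org"),
    ]
    for name, ca in checks:
        print(f"{ca:>18} -> {name:<26} {'ALLOWED' if ca_may_issue(SAMPLE_ZONE, name, ca) else 'denied'}")
```

    Read against the answer: with the `example.com` policy above, a breach at any CA other than the one named cannot produce a valid-looking certificate for that domain even if that CA is the most widely used one, and the wildcard clause closes the `*.example.com` path for everyone; without any CAA record (the `example.org` case) every trusted CA is equally able to issue, which is why the answer says CA size only matters when such controls are deployed. Real checks should query live DNS rather than a static table, and CAA only binds CAs at issuance time, so it complements rather than replaces CT log monitoring.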
