How do I generate the Let's Encrypt certificate and key on my own device? [More info inside]


#21

Hi @_1uke,

ZeroSSL may have its own privacy policy but if Let’s Encrypt makes addresses from its logs public, the address that would show up in this case would be ZeroSSL’s, not yours.

The biggest thing to know is that there is no automated renewal in this case and so you’ll have to repeat the process every 90 days.


#22

@_1uke, if you check the ZeroSSL TOS (the link is on the first screen of the SSL Certificate Wizard and you can’t proceed until you actually confirm your acceptance of it), you can see that it includes a Privacy Notice section, which is rather detailed. To put it simply - there is no personally identifiable information collected or any sort of information that would associate your IP with your certificates or domains. As explained on the site, it is an in-browser application and the server is not aware of what you are doing - even errors the Let’s Encrypt API returns are only seen by yourself in your browser. Your IP would be in the normal web-server logs, like with any web site out there, but again - there is no personally identifiable information collected at all. I hope that clarifies it. If you have any further questions, you can use the contact form on ZeroSSL to get in touch.


#23

If that’s the case, the Let’s Encrypt API servers do see your IP address, and it would potentially be in Let’s Encrypt’s hypothetical future public logs, even if ZeroSSL does nothing to intentionally expose it themselves.


#24

That’s right—thank you both for the correction! (So possibly ZeroSSL ought to warn users about this.)


#25

Well, if Let’s Encrypt is ever to have a plan to publish that sort of log, I’m sure there will be some sort of advance announcement and changes to the SA. If that ever happens, that will certainly be reflected 🙂

As for the overall concern of having your IP known to some service - nowadays you can observe that a freshly installed and booted up server (or any device exposed to a public network) will get scanned in the first few seconds of uptime. Basically the only way to NOT have your device discovered is not to have it connected to a public network (even better - not to have it connected to any network at all). If that is not an option, you can always try to play with ephemeral IPv6.


#26

@leader, I think the privacy concerns are somewhat distinct from the hacking and scanning concerns, much as a wardialer or telemarketer can call every telephone number in an exchange (and indeed, there are still illicit telemarketers who sometimes do!), but people can still have unlisted telephone numbers, and, back in the IP address context, especially might not want others to be able to infer things like when they personally are home or away, or who is visiting or staying at their home.

But I would definitely agree that people are wrong to think that they can easily hide the existence of Internet servers or services just by not mentioning the addresses to anybody. 🙂


#27

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.