While free SSL, assuming it's trustworthy, is a good thing so we can completely secure the web, there's also a dark side to this that I don't think anyone was anticipating. I fear the hackers, phishers, spammers and other vermin will find something bad to do with these free certs that will blow our minds. Previously SSL had to be verified so anyone needing an SSL connection on the down low had to hack an SSL site, assuming they could find a way in, and then use a folder on that site to do their dirty deeds, like a secure man-in-the-middle attack, phishing schemes, etc. Now they can just set up SSL shop on any abandoned domain they've infiltrated and have a field day.
Imagine what would happen if some nefarious person infiltrated a domain park and had full access to literally tens of thousands, if not millions, of domains and could make them all secure as well?
I don't even want to think about it.
How hard is it for any jerk to set up SSL on any domain you might ask?
To kick off the process, the agent asks the Letís Encrypt CA what it needs to do in order to prove that it controls example.com. The Letís Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:
Provisioning a DNS record under example.com, or
Provisioning an HTTP resource under a well-known URI on https://example.com/
Requiring the DNS record is good, that would stop most hackers unless they had access to your registrar account as well this is usually not the case. However, the HTTP resource can be easily created once you have access to the server so VOILA! let the good times roll.
Hopefully I'm wrong and this won't make life easier for the bad guys but my gut tells me they've already figured out new scams using this free SSL service and it's going to be a wild trip now that the only thing stopping them from looking legit, a paid for validated SSL cert, is no longer trustworthy.