As of right now, the traffic to the forums remains unencrypted. This is especially a problem because people are entering their passwords to log in; an easy and cheap remedy is to use letsencrypt to get a certificate for free. An easy-to-follow guide for this specific forum software.
Also, be careful when using the GoDaddy Registrar; they were the people who no-platformed Gab.
I've also found a few issues with the website and will be reporting them here:
- The home button clicks through to `exclusivelygame.com` which wouldn't be a problem if it didn't show a directory tree.
- The name servers you are currently using can be used as identifying information for malicious people.
HTTPS Encryption via letsencrypt
-
No, you read it right. I think that not having a "Not secure" warning has more of a real-world impact than MITM. Fortunately we don't have to choose one or the other. 99.9% of people will be happy that the site is "Secure" (even if their password is 11111) and the other .1% will be happy that the certificate doesn't use weak ciphers with a bad prime.
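As an added example that is not from this thread, the following Python shows what the "weak ciphers" part of that sentence means in practice on the server side: a TLS context restricted to TLS 1.2 or newer and forward-secret AEAD suites, beside a permissive one, with a checker that lists the suites a reviewer would flag. The cipher string, the weak-name markers and the certfile/keyfile parameters are assumptions for this example; the forum's actual server is not involved.

```python
import ssl
from typing import List, Optional

# Substrings that mark a suite as something a reviewer would flag (assumed list for the example).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "PSK", "SRP")
# Key-exchange prefixes that give forward secrecy; TLS_ names are the TLS 1.3 suites.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context: TLS 1.2 or newer, forward-secret AEAD suites only.

    certfile/keyfile are hypothetical paths (e.g. the fullchain.pem/privkey.pem a
    Let's Encrypt client writes); loading is skipped when they are not given so the
    function can be exercised without a certificate on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE/DHE for forward secrecy, AES-GCM/ChaCha20 for AEAD, no anonymous or MD5 suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # For the DHE suites the DH group matters as much as the cipher: load a group of
    # at least 2048 bits with ctx.load_dh_params(path) or rely on OpenSSL's built-in ones.
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permissive_server_context() -> ssl.SSLContext:
    """The 'before' configuration: whatever the library will negotiate, minus anonymous suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that lack forward secrecy or use a flagged primitive."""
    flagged = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if not name.startswith(PFS_PREFIXES) or any(m in name for m in WEAK_MARKERS):
            flagged.append(name)
    return flagged


def minimum_tls_version(ctx: ssl.SSLContext) -> str:
    """Lowest protocol version the context will accept, as its enum name."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(f"{label}: minimum {minimum_tls_version(ctx)}, "
              f"flagged suites: {weak_suites(ctx) or 'none'}")
```

Run it on the machine that will serve the forum: the permissive context prints the RSA-key-exchange suites that offer no forward secrecy, the hardened one prints none. The same checker can be pointed at any `SSLContext` a Python service builds.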
-
I am also worried about the security of this website. While there might not be anyone looking at this forum with malicious intent yet, there is still a standard of care that must be met with any amount of user data. Hopefully this issue will be addressed very soon as it is a serious concern when running a website looking to be the hub of discourse for an entire community.
Thank you OP for starting this discussion.
-
I'm not understanding the issue with Let's Encrypt. I utilize them for my business. Rather than paying $300/yr from GoDaddy's vampire tactics, I pay $0 for all the certificates I need from my hosting with SiteGround and they are issued by Let's Encrypt and certified by Avast. It's never been a problem for me or my clients.
-
Originally posted by ASCII:
> That's not the fault of Let's Encrypt.

It's not, but they're still a big part in the problem. The whole "look for the padlock" idea came about when an SSL was much harder to not only get, but also implement, and it really did mean you could "trust" the site. Now you get different levels of cert where the verification guarantee is no longer assured, the only assurance you get is the encryption. However the whole "look for the padlock" thing is still stuck in a lot of people's heads. That's a big part of the problem...the problem is then allowed to manifest as people like letsencrypt will give you a cert even if it is obviously for a phishing site. They literally gave over 10,000 certs to sites with paypal in their name in one year alone. Letsencrypt's biggest failing is that they're not doing enough to protect people from phishing and other fraudulent sites. Then you have the ever-changing way different browsers reflect the different levels of SSL, and what started out as a good idea has descended into a fraudster's paradise.
Like everything else on the internet.....
-
Originally posted by Aidy:
> Number of people conducting man-in-the-middle attacks to steal your password for Exclusively Games: 0
> Number of people conned by the tens of thousands of phishing sites given legitimacy by letsencrypt certs every year as they'll cert anything: ???

Right, because people mistake the purpose behind SSL encryption/certs to be some kind of guarantee of non-maliciousness. Which is patently false.
That's not the fault of Let's Encrypt. Hell, anyone can get those "official premium" certs, they just cost money (in some cases not even that). They are just as meaningless in that regard, maybe even worse because they appear somehow more trustworthy when they're really not. I can buy them in bulk under a false persona and nobody would stop me. Even takeovers are not unheard of because vendors are unbelievably lax when it comes to making sure you are who you say you are.
The importance lies in transport security and integrity, nothing more.
These false beliefs don't exist by accident though; CAs push this left and right because it's efficient marketing.
-
Originally posted by Aidy:
> Number of people conducting man-in-the-middle attacks to steal your password for Exclusively Games: 0
> Number of people conned by the tens of thousands of phishing sites given legitimacy by letsencrypt certs every year as they'll cert anything: ???

On the latter, fair enough. I think the OP suggested that source as an example rather than an endorsement.
On the former, it's just 0 so far. And overall his post here is more about tightening security and privacy globally with the website, which is a good idea.
-
Originally posted by ASCII:
> While those add a layer of trust through owner verification (but there isn't a single CA that hasn't fucked up multiple times in major ways when it comes to that), there's otherwise not much left in terms of upsides for premium certs.
> From a purely cryptographic point of view, free and premium are fundamentally the same.
> And since Let's Encrypt finally added wildcard certs, it's hard to point to any specific lack of functionality.
> One reason I could think up to massively overpay like that is when there's a very good reason to have extremely long-lived certs, which is solved by setting up automatic renewal in a robust way.
> Sorry for rambling; if someone wants to have an endlessly drawn-out discussion about why I think BIG CA is an industry comprised of nothing but money-grubbing conmen, feel free to PM me lol.
> But none of this matters all that much until someone hops onto the server and does the thing.

I totally agree with everything you said, it's nonsense and we managed to survive pretty well for the last couple of decades without SSL being standard for the majority of non-transactional websites. I also agree that the green bar makes no difference to anything except the perception of websites and that is being foisted onto the general public. But it's apparently being pushed and Google Search and Chrome (most used browser now) will make a big deal about it.
People get used to it and then everyone has to use it or it doesn't look right, hence this thread exists I guess.
As I said, most hosting companies give it away free/part of the package. For a dedicated server with no provided management/support, a full fat Commodo one is what I would tend to use. I have never installed one myself, that's what my server guy is for, but in either case, I think it's probably best to have one because that is what people are coming to expect nowadays.
-
Number of people conducting man-in-the-middle attacks to steal your password for Exclusively Games: 0
Number of people conned by the tens of thousands of phishing sites given legitimacy by letsencrypt certs every year as they'll cert anything: ???
-
Originally posted by baboon:
> [...] "green bar" trusted SSL [...]

While those add a layer of trust through owner verification (but there isn't a single CA that hasn't fucked up multiple times in major ways when it comes to that), there's otherwise not much left in terms of upsides for premium certs.
From a purely cryptographic point of view, free and premium are fundamentally the same.
And since Let's Encrypt finally added wildcard certs, it's hard to point to any specific lack of functionality.
One reason I could think up to massively overpay like that is when there's a very good reason to have extremely long-lived certs, which is solved by setting up automatic renewal in a robust way.
Sorry for rambling; if someone wants to have an endlessly drawn-out discussion about why I think BIG CA is an industry comprised of nothing but money-grubbing conmen, feel free to PM me lol.
But none of this matters all that much until someone hops onto the server and does the thing.
-
Originally posted by aileron:
> ^^ this, coupled with the fact that people tend to use the same passwords on multiple websites.
> I'm not terribly worried, but as baboon said, pretty much every website has it these days, even forums. I have no idea what it means for the website creator though in terms of cost or complexity.

I design websites for people and build them for my own businesses, and SSL certificates are pretty much required these days, so much so that many hosting providers give them to you as part of your package and you just have to activate them.
On a dedicated server it may be a bit more work and maybe $99 a year for the "green bar" trusted SSL in the browser, but it's a heck of a lot easier to do now than it was five or six years ago.
-
Originally posted by aileron:
> what it means for the website creator though in terms of cost or complexity.

Zero cost and about 5 minutes of work. Heck, Let's Encrypt provides (relatively) robust scripts that do the setting up for you. That is, as long as you don't have special needs or an unusual setup.
Manual setup isn't sorcery either though, it's just that someone has to actually do it.
-
Originally posted by ASCII:
> Even if you trust your own network and your ISP, should you ever decide to hop on a network you don't control, it's painfully trivial for anyone else on that network to harvest any plaintext communication. Which again includes your login data.

^^ this, coupled with the fact that people tend to use the same passwords on multiple websites.
I'm not terribly worried, but as baboon said, pretty much every website has it these days, even forums. I have no idea what it means for the website creator though in terms of cost or complexity.
-
I was going to bring this up too. Apart from the security, I believe that Google will penalize this website in search results; every site is expected to have SSL encryption these days.
-
Originally posted by Dan:
> The real value in serving pages via HTTPS is that browsers will show the friendly padlock in the address bar, not the scary "Not secure" warning. Also, Firefox displays a warning when logging in via HTTP.

Maybe I'm just interpreting your post wrong, but the real value lies in keeping transport integrity and security. Not only does it hinder people from intercepting your login information, a strict setup also stops random hops along the way from your client to the server from modifying the content (some ISPs tend to do that, for example).
Even if you trust your own network and your ISP, should you ever decide to hop on a network you don't control, it's painfully trivial for anyone else on that network to harvest any plaintext communication. Which again includes your login data.
As for the "friendly padlock of mindless trust"... yeah I wish people would stop interpreting it in that way.
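As an added example (not code from this thread, from the forum software, or from Let's Encrypt), here is a small Python check that covers both what the OP asked for and the strict setup ASCII describes above: it reads raw HTTP responses and reports whether plain http:// redirects to https://, whether the https:// side sends Strict-Transport-Security, and whether any login form still posts to an http:// URL. The two sample sites, the host name forum.example and the 180-day HSTS minimum are constructed for the example; in real use the raw strings would come from an actual request to the server.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shortest HSTS max-age this check accepts (180 days; threshold chosen for the example).
MIN_HSTS_AGE = 180 * 24 * 3600


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def plaintext_form_targets(body: str) -> List[str]:
    """Form actions in the HTML body that would send the fields over http://."""
    actions = re.findall(r'<form[^>]*\baction="([^"]*)"', body, re.IGNORECASE)
    return [a for a in actions if a.lower().startswith("http://")]


def audit_plain_http(raw: str) -> List[str]:
    """Findings for what the server answers on port 80."""
    status, headers, body = parse_response(raw)
    findings: List[str] = []
    if status in (301, 302, 307, 308):
        if not headers.get("location", "").lower().startswith("https://"):
            findings.append("redirect from http:// does not land on https://")
    else:
        findings.append("plain http:// serves content instead of redirecting to https://")
        findings += [f"login form posts to plaintext URL {a}" for a in plaintext_form_targets(body)]
    return findings


def audit_https(raw: str) -> List[str]:
    """Findings for what the server answers on port 443."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("no usable Strict-Transport-Security header")
    elif int(match.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age shorter than the chosen minimum")
    findings += [f"login form posts to plaintext URL {a}" for a in plaintext_form_targets(body)]
    return findings


def audit_site(http_raw: str, https_raw: Optional[str]) -> List[str]:
    """Combine both sides; https_raw is None when nothing listens on 443."""
    findings = audit_plain_http(http_raw)
    if https_raw is None:
        findings.append("no https:// endpoint at all")
    else:
        findings += audit_https(https_raw)
    return findings


# Constructed sample responses for a hypothetical forum.example (not real captures).
BEFORE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="post" action="http://forum.example/login">'
    '<input name="user"><input name="pass" type="password"></form>'
)
AFTER_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://forum.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
AFTER_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    '<form method="post" action="/login">'
    '<input name="user"><input name="pass" type="password"></form>'
)


def audit_before() -> List[str]:
    """The unencrypted forum: content and login form on port 80, nothing on 443."""
    return audit_site(BEFORE_HTTP, None)


def audit_after() -> List[str]:
    """The same forum after a strict HTTPS setup."""
    return audit_site(AFTER_HTTP, AFTER_HTTPS)


if __name__ == "__main__":
    for label, findings in (("before", audit_before()), ("after", audit_after())):
        print(label + ":", findings or ["no findings"])
```

The point of the redirect plus HSTS check is exactly the "strict setup" argument: a certificate alone does nothing for a user whose browser is still allowed to talk to port 80, so the check fails the site until plain HTTP does nothing but send everyone to https:// and the browser is told to stop trying http:// at all.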