> But the obvious answer for truly secure connections is your own CA root or a self-signed cert you manually install/enforce.
> Most decently-written software that supports SSL/TLS allows you do that.
Unfortunately maintaining your own CA and installing it on all your devices is no easy feat. On android it's not even possible without root, and most IoT devices are not "decently-written". So what you say is true on paper, but delegating your CA to an external service like letsencrypt is unfortunately the only doable way as things are now.
> Most decently-written software that supports SSL/TLS allows you do that.
Unfortunately maintaining your own CA and installing it on all your devices is no easy feat. On android it's not even possible without root, and most IoT devices are not "decently-written". So what you say is true on paper, but delegating your CA to an external service like letsencrypt is unfortunately the only doable way as things are now.