| ▲ | jjice 15 hours ago |
| Let's Encrypt was _huge_ in making it's absurd to not have TLS and now we (I, at least) take it for granted because it's just the baseline for any website I build. Incredible, free service that helped make the web a more secure place. What a wonderful service - thank you to the entire team. The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers". That is absurd to me because 1), it's (and was at the time) the largest certificate authority in the world, and 2) I've never seen someone care about who issued your cert on a sales call. It coming from GoDaddy is not a selling point... So my question: has anyone actually commented to you in a negative way about using Let's Encrypt? I couldn't imagine, but curious on others' experiences. |
|
| ▲ | raxxorraxor an hour ago | parent | next [-] |
| I only hear justified praises of letsencrypt. Also thanks to the EFF and developers of certbot, which massively improved the toolchain around certificate deployment. Not the favorite activity for admins, but this made processes like certificate renewal/revokation much more convenient. I think the portion of users that check a certificate after the browser treated it as secure is well smaller than 1%, probably well below 0.1%. And I guess these TLS connoisseurs have a positive inclination to letsencrypt as well. |
|
| ▲ | btown 15 hours ago | parent | prev | next [-] |
| To be fair, for a CEO in 2022, EV certificates had only lost their special visualizations since September/October 2019 with Chrome 77 and Firefox 70 - and with all that would happen in the following months, one could be forgiven for not adapting to new browser best practices! https://www.troyhunt.com/extended-validation-certificates-ar... |
| |
| ▲ | charlesbarbier 14 hours ago | parent | next [-] | | It was a red herring the entire time. At Shopify we made experiment regarding conversion between regular certs and EV before they stop being displayed and there was no significant difference. The users don't notice the absence of the fancier green lock. | | |
| ▲ | bruce511 7 hours ago | parent [-] | | I think the rebuttal to the CEO today is really very simple. a) How many of the sites you visit everyday have DV and how many have EV certificates? b) Name any site at all, that you have visited, where your behavior or opinion has changed because of the certificate? In truth the green-bar thing disappeared on mobile long before desktop (and in some cases it was never present.) In truth if you polled all the company staff, or crumbs just the people round the boardroom table (probably including the person complaining) a rounding error from 0 could show you how to even determine if a cert was DV or EV. EV could have an inspector literally visit your place of business, and it would still have no value because EVs are invisible to site visitors. |
| |
| ▲ | yabones 15 hours ago | parent | prev | next [-] | | Call me old-school, but I really liked how EV certs looked in the browser. Same with the big green lock icon Firefox used to have. I know it's all theatrics at best and a scam at worst, but I really feel like it's a bit of a downgrade. | | |
| ▲ | gerdesj 9 hours ago | parent | next [-] | | "it's all theatrics at best" Only IT understand any of this SSL/TLS stuff and we screwed up the messaging. The message has always been somewhat muddled and that will never work efficiently. | |
| ▲ | wnevets 15 hours ago | parent | prev | next [-] | | > Call me old-school, but I really liked how EV certs looked in the browser. I agree, making EV Certs visually more important makes sense to people who know what it means and what it doesn't. Too bad they never made it an optional setting. | | |
| ▲ | RonanSoleste 14 hours ago | parent | next [-] | | When you request an EV. They call you by the phone number that you give to ask if you requested a certificate. That was the complete extend of the validation.
I could be a scammer with a specificity designed domain name and they would just accept it, no questions asked. | | |
| ▲ | Uvix 14 hours ago | parent | next [-] | | Depends on the registrar. Globalsign required the phone number to be one publicly listed for the company in some business registry (I forget exactly which one), so it had to be someone in our main corporate office who'd deal with them on the phone. | | |
| ▲ | bangaladore 14 hours ago | parent | next [-] | | For an online business in a dubious (but legal) domain, my co-owner spent a few hundred bucks registering a business in New Mexico with a registered agent to get an EV cert. So, a barrier to entry, but not much of one. | | |
| ▲ | invokestatic 10 hours ago | parent [-] | | I have an almost identical story except the state in question was Nevada. I’m curious what “dubious” domain it was, for me it was video game cheats. Maybe I’m actually the co-owner you’re talking about. :) | | |
| |
| ▲ | progmetaldev 10 hours ago | parent | prev [-] | | Dun and Bradstreet (?). I believe I'm remembering this correctly. I still deal with a few financial institutions that insist on using an EV SSL certificate on their websites. I may be wrong, but I believe that having an EV SSL gives a larger insurance dollar amount should the security be compromised from the EV certificate (although I imagine it would be nearly impossible to prove). When I last reissued an EV SSL (recently), I had to create a CNAME record to prove domain ownership, as well as provide the financial institution's CEO's information which they matched up with Dun & Bradstreet and called to confirm. The entire process took about three days to complete. | | |
| ▲ | pests 9 hours ago | parent [-] | | Still required for Apple Dev account last time I had to go through the process a few years ago |
|
| |
| ▲ | wnevets 14 hours ago | parent | prev | next [-] | | > In addition to all of the authentication steps CAs take for DV and OV certificates, EV certificates require vetting of the business organization’s operational existence, physical address and a telephone call to verify the employment status of the requestor. [1] [1] https://www.digicert.com/difference-between-dv-ov-and-ev-ssl... Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain. Of course its not 100% fool proof and depends on the quality of the CA but still very useful. | | |
| ▲ | matrss 14 hours ago | parent | next [-] | | > Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain. It might be useful in some cases, but it is never any more secure than domain validation. Which is why browsers don't treat it in a special way anymore, but if you want you can still get EV certificates. | |
| ▲ | monerozcash 13 hours ago | parent | prev [-] | | It was easy to provide the information for an existing business you're completely unrelated to. Reliably verifying that a person actually represents a company isn't possible in most of the world. | | |
| ▲ | fpoling 13 hours ago | parent [-] | | Many countries has official register of companies with at least post box address. Requiring to answer a physical letter sent to an address from the central register will be much more reliable. | | |
| ▲ | monerozcash 12 hours ago | parent [-] | | Sure, and then someone just registers a company with the exact same name in another jurisdiction and EV is thwarted anyway |
|
|
| |
| ▲ | AlbinoDrought 12 hours ago | parent | prev | next [-] | | I'd love a referral to your certificate authority and rep - we go through a big kerfluffle each renewal period, only eventually receiving the certificate after a long exchange of government docs and CPA letters. For us, only the last step is the phonecall like you say. | | |
| ▲ | wnevets 12 hours ago | parent [-] | | The replies to my original comment make it obvious who has gotten an EV cert from a quality CA before and who hasn't. | | |
| ▲ | BHSPitMonkey 11 hours ago | parent [-] | | This exchange seemingly proves the argument that user trust gained from the EV treatment is misplaced, and that the endeavor was a farce all along. It's not as though the user's browser was distinguishing the good CAs from the bad! | | |
| ▲ | wnevets 10 hours ago | parent [-] | | I disagree. I specifically said in my original comment they were very useful for those that knew what EV certs were and EV certs weren't. You may not know that Digicert is a quality CA who wasn't going to risk their position as a CA to sign an EV cert for a typo squatting phishing site pretending to be PayPal but there are those who do. The green UI in chrome & firefox made finding all of this information out incredibly simple and obvious. |
|
|
| |
| ▲ | brians 13 hours ago | parent | prev | next [-] | | Having run an EV issuing practice… they were required to contact you at a D&B listed number or address. | |
| ▲ | realityking 14 hours ago | parent | prev [-] | | EV certs also showed the legal name of the company that requested the certificate - that was an advantage. | | |
| ▲ | duskwuff 13 hours ago | parent | next [-] | | Which would have made sense if company names were unique - which they aren't. See e.g. https://groups.google.com/g/mozilla.dev.security.policy/c/Nj... for an example of how this was abused. | | |
| ▲ | wbl 11 hours ago | parent [-] | | It was used correctly. What CAs wanted to sell wasn't something browsers wanted to support, and EV was the compromise. It just happens that what EV meant wasn't that useful irl. | | |
| ▲ | crote 11 hours ago | parent [-] | | What's the alternative, showing the company's unique registration ID? CAs invented EVs because the wanted to sell something which could make them more money than DVs. The fact that company names aren't unique means that the whole concept was fundamentally flawed from the start: there is no identifier which is both human-readable and guaranteed to uniquely identify an entity. They wanted to sell something which can't exist. The closest thing we have got is... domain names. | | |
| ▲ | duskwuff 8 hours ago | parent [-] | | The alternative would have been to have the CA use human judgement when approving EV certificates and reject applications from organizations whose names shadowed better-known firms, or to only accept applications from a select set of organizations (like, say, banks). But either of those possibilities would have increased the cost of the program and limited the pool of applicants, so CAs chose the cheap, easy path which led to EV certificates becoming meaningless. |
|
|
| |
| ▲ | crote 11 hours ago | parent | prev [-] | | The problem is that people wrongly believe that company names are unique. In reality you're just some paperwork and a token registration fee away from a name clash. If anything, it's a disadvantage. People are going to be less cautious about things like the website's domain name if they see a familiar-sounding company name in that green bar. "stripe-payment.com" instead of "stripe.com"? Well, the EV says "Stripe, Inc.", so surely you're on the right website and it is totally safe to enter your credentials... | | |
| ▲ | dismantlethesun 9 hours ago | parent [-] | | In many countries, company names are unique to that country. And combined with country TLDs controlled by the nation-state itself, it'd be possible for at least barclays.co.uk to be provably owned by the UK bank itself when a EV cert is presented by the domain. In the US though, every state has it's own registry, and names overlap without the power of trademark protection applying to markets your company is not in. |
|
|
| |
| ▲ | arccy 14 hours ago | parent | prev [-] | | i think the point was that EV didn't actually mean anything because the checks were too loose. it's a feel good false sense of security |
| |
| ▲ | woleium 12 hours ago | parent | prev [-] | | it’s okay, the scam continues with BIMI |
| |
| ▲ | smurda 12 hours ago | parent | prev | next [-] | | I loved the visualization of EV certs in browsers, but in 2014 vendors like GoDaddy charged $100/yr for them. https://web.archive.org/web/20131023033903/http://www.godadd... I'm glad LE, browsers, and others like Cloudflare brought this cost to $0. Eliminating this unnecessary cost is good for the internet. | |
| ▲ | unethical_ban 15 hours ago | parent | prev [-] | | EV validated not only that a domain was under control of the server requesting the cert, but that the domain was under control of the entity claiming it. I kind of wish they still had it, and I kind of wish browsers indicated that a cert was signed by a global CA (real cert store trusted by the browsers) or an aftermarket CA, so people can see that their stuff is being decrypted by their company. | | |
| ▲ | tadfisher 14 hours ago | parent | next [-] | | Problem is, I can easily set up a company and get an EV cert for "FooBar Technologies, LLC" and phish customers looking for "FooBar Incorporated" or "International FooBar Corp.". Approximately zero users know the actual entity name of the real FooBar. | | |
| ▲ | matrss 14 hours ago | parent | next [-] | | Even if the users knew exactly what the name of the entity whose website they wanted to visit was: that name is not unique, as is shown by the "Stripe, Inc" example in the parents linked blog post. | |
| ▲ | btown 8 hours ago | parent | prev [-] | | BIMI, as misguided as it is, does aim to solve this by tying registration to insanely high prices and government-registered trademark verification. You would have a hard time registering the Stripe trademark nowadays in a way that would get you a BIMI certificate for that name/logo. https://www.thesslstore.com/resources/bimi-certificate-cost-... But I'm glad that it hasn't caught on as strongly-expected by the public (or even commonly used). Big brands shouldn't be able to buy their way into inbox placement in ways that smaller companies can't replicate. |
| |
| ▲ | arccy 14 hours ago | parent | prev [-] | | you can find quite of few examples online that the entity check wasn't all that strict... |
|
|
|
| ▲ | dustedcodes 3 hours ago | parent | prev | next [-] |
| > The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers". Spoken like a true dinosaur. How can a certificate based on open, public and proven secure protocols be cheap? > So my question: has anyone actually commented to you in a negative way about using Let's Encrypt? No, but I personally judge businesses which claim to be tech savvy if they don’t have an ACME issued certificate, because to me that instantly shows I’m not dealing with someone who has kept up with technology for the last 10 years. |
|
| ▲ | qwertox 15 hours ago | parent | prev | next [-] |
| I once notified Porsche that one of their websites had an expired certificate, they fixed it within a couple of hours by using Let's Encrypt. It surprised me. Let's Encrypt is to the internet what SSDs are to the PC. A level up. |
| |
|
| ▲ | merpkz 6 hours ago | parent | prev | next [-] |
| I have also heard a negative about it being somehow "cheap" and we can "afford" a proper wildcard for our website from managers back in the day, like, few years ago. Never mind the hours wasted every year changing that certificate in every system out there and always forgetting a few. Also a valid point from security people is that you leak your internal hostnames to certificate transparency lists once you get a cert for your "internal-service.example.com" and every bot in existence will know about it and try to poke it. I solved these problems by just not working with people like that anymore and also getting a wildcard Let's Encrypt it certificate for every little service hosted - *.example.com and not thinking about something being on the list anymore. |
|
| ▲ | quesera 15 hours ago | parent | prev | next [-] |
| There was a time when EV certificates were considered more trustworthy than DV certs. Browsers used to show an indication for EV certs. Those days are long gone, and I'm not completely sure how I feel about it. I hated the EV renewal/rotation process, so definitely a win on the day-to-day scale, but I still feel like something was lost in the transition. |
| |
| ▲ | hk1337 9 hours ago | parent | next [-] | | This was the only objection I had gotten about using letsencrypt 6 years ago but that guy is gone and now we either have letsencrypt or AWS certificates | |
| ▲ | trueismywork 15 hours ago | parent | prev [-] | | What about OV? | | |
| ▲ | ekr____ 15 hours ago | parent | next [-] | | It's never been clear to me what the rationale for OV was, as the UI wasn't even different like EV was. | |
| ▲ | quesera 15 hours ago | parent | prev [-] | | I've never seen (noticed) an OV cert in real life, and no business I've ever been responsible for pushed for OV over DV. It was always EV or "huh?" | | |
| ▲ | bostik 15 hours ago | parent | next [-] | | I think I've seen one or two, and only because I noticed them as a weird callout in a $LARGE_FINANCE_INSTITUTION infosec bingo sheet. Of course I had to check that they really were running with OV certs. Some of the outfits in that space will be heavily hit by the shortening certificate max-lifetimes, and I do hope that the insurance companies at some point also stop demanding a cert rotation before 90 days to expiry. It's a weird feeling to redline a corporate insurance policy when their standard requirements are 15 years out of date. | | |
| ▲ | quesera 14 hours ago | parent | next [-] | | > when their standard requirements are 15 years out of date I swear half of my "compensating control" responses are just extended versions of "policy requirement is outdated or was always bad". | |
| ▲ | crote 11 hours ago | parent | prev [-] | | > I do hope that the insurance companies at some point also stop demanding a cert rotation before 90 days to expiry It's not like you have a lot of choices when certificates are only valid for 47 days in 2029! |
| |
| ▲ | Sesse__ 15 hours ago | parent | prev [-] | | Before LE, we did lots of OV (which you generally could get a couple of for free from somewhere). We had to dig up stuff like a heating bill, because evidently that is proof of organizational control to some people. |
|
|
|
|
| ▲ | jwr 3 hours ago | parent | prev | next [-] |
| Modern browsers are going out of their way to hide every bit of information about the website (including even the URL) — so I don't know how these customers would actually even find out what CA issued the certificate. In Safari, I don't even know how to find that information anymore. When I want to check expiration dates for my own sites, I start Firefox. |
| |
| ▲ | bob778 an hour ago | parent [-] | | It’s the symbol to the left of the URL > Show Certificate. They even make it available on iOS Safari (Page Info > Connection Security Details), but if it’s expired, you’ll know by the big red warning page. |
|
|
| ▲ | johnebgd 15 hours ago | parent | prev | next [-] |
| There are extended certificates that did matter in our sales process for some hosted solutions back about 15 years ago if I recall right… no one has ever cared since… |
|
| ▲ | rokkamokka 15 hours ago | parent | prev | next [-] |
| No! Let's encrypt is easily the best thing that's happened for a secure internet the last 10 years. |
|
| ▲ | hk1337 9 hours ago | parent | prev | next [-] |
| The only pain point I had using letsencrypt, and it wasn 100% not their fault, was I tried using it to generate the certificate to use with FTPS authentication with a vendor. Since LE expires every 90 days and the vendor emails you every week when you’re 2 months from expiring, that became a pain point and it wasn’t easier to just by a 1 or 2 year cert from godaddy. Thank goodness that vendor moved to sftp with key authentication so none of that is needed anymore |
|
| ▲ | winternett 11 hours ago | parent | prev | next [-] |
| Many host providers (Those acquired by companies like Web.Com, allegedly) disable all ability to use outside certs since Google made encryption a requirement in Chrome Browser... They do things like blocking containers & SSH to make installing free certs impossible. They also have elevated the price of their own certs (that they can conveniently provide) to ridiculous prices in contrast to free certs their customers can't even use... It would be a huge price-fixing scandal if Congress had any idea of how technology works. |
| |
| ▲ | Sohcahtoa82 11 hours ago | parent | next [-] | | There are literally thousands of web hosts out there. If your web host is doing something shitty like that, it's trivial to find a new one. | | |
| ▲ | winternett 6 hours ago | parent [-] | | I'd be happy to hear about a traditional hosting company that allows clients to install lets Encrypt certs if you can name any... Most of my clients don't have budgets big enough for cloud hosting. | | |
| ▲ | Sohcahtoa82 3 hours ago | parent [-] | | DreamHost allows it. Not only do they just allow you to import any certificate you want, but they literally have a button on the panel to get one from Let's Encrypt for free. |
|
| |
| ▲ | selcuka 8 hours ago | parent | prev [-] | | > It would be a huge price-fixing scandal if Congress had any idea of how technology works. It's shady, but technically not price-fixing unless they are a monopoly. You are free to take your business to somewhere else. | | |
| ▲ | winternett 6 hours ago | parent [-] | | If you read into Web.Com, yes, they are quickly becoming a monopoly on host companies. They do not disclose many of the hosting companies they now own. If you can find a company that allows clients to install Let's Encrypt Certs on shared hosting, please let me know. | | |
| ▲ | selcuka 6 hours ago | parent [-] | | Yeah, fair point. I have not used shared hosting for a long time now (static sites are easy/free to host, and dynamic ones don't play well with shared hosting), so I didn't know the Web.com story. I used DreamHost in the past and they had a configuration option in their control panel to automatically install and maintain a Let's Encrypt certificate on your behalf [1]. If you are stuck with Web.com you may consider using a reverse proxy/CDN such as CloudFlare. [1] https://help.dreamhost.com/hc/en-us/articles/216539548-Addin... |
|
|
|
|
| ▲ | Analemma_ 15 hours ago | parent | prev | next [-] |
| I've seen people complain that Let's Encrypt is so easy that it's enabling the forced phaseout of long-lived certificates and unencrypted HTTP. I sort of understand this, although it does feel like going "bcrypt is so easy to use it's enabling standards agencies to force me to use something newer than MD5". Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work. |
| |
| ▲ | mook 14 hours ago | parent | next [-] | | Yeah, I hate how it made housing things locally without a proper domain name very difficult. My router _shouldn't_ have a globally recognized certificate, because it's not on a publicly visible host. There's certainly advantages to easily available certificates, but that has enabled browsers and others to push too far; to be sure, though, that's not really a fault of Let's Encrypt, just the people who assume it's somehow globally applicable. | | |
| ▲ | crapple8430 11 hours ago | parent [-] | | A related issue is that most consumer devices (both iPhone and current Android) make it impossible or extremely difficult to trust your own root CA for signing such certs. | | |
| ▲ | ingenium 7 hours ago | parent | next [-] | | Android is pretty easy, you just add it to the keystore and that's it. I've had my own CA long before Let's Encrypt, but now mostly only use it for non-public devices that can't easily use Let's Encrypt (printers, switches, etc). | | |
| ▲ | crapple8430 6 hours ago | parent [-] | | You can add it to your user CA store, but no app will trust it since it's treated differently from the system CA store, which you can't modify without root or building your own ROM. In effect it is out of reach for most normal users, as well as people using security focused ROMs like Graphene, when ironically it can improve security in transit in many cases. | | |
| |
| ▲ | iso1631 an hour ago | parent | prev [-] | | I don't want to trust my own root CA as I don't trust myself to keep it secure. I want to important it only for a specific set of domains. "Allow this rootca to authenticate mydomain.com, addmanager.com, debuggingsite.com", which means even if compromised it won't be intercepting mybank.com |
|
| |
| ▲ | rplnt 12 hours ago | parent | prev | next [-] | | Random anecdote: I have a device in which the http client can't handle https. Runs out of memory and crashes. Wasn't able to find a free host with a public http to host a proxy. | | | |
| ▲ | mschuster91 15 hours ago | parent | prev | next [-] | | > Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work. The problem is that this requires work and validation, which no beancounter ever plans for. And the underlings have to do the work, but don't get extra time, so it has to be crammed in, condensing the workday even more. For hobbyist projects it's even worse. That is why people are so pissed, there is absolutely zero control over what the large browser manufacturers decide on a whim. It's one thing if banks or Facebook or other truly large entities get to do work... but personal blogs and the likes? | | |
| ▲ | crote 11 hours ago | parent | next [-] | | We've reached a point where securing your hobby projects essentially means setting the "use_letsencrypt = true" config option in your web server. I bet configuring it takes less time than you spent reading this HN thread. And with regards to the beancounters: that is exactly why the browsers are pushing for it. Most companies aren't willing time and effort into proper certificate handling procedures. The only way to get them to secure their shit is by forcing them: do it properly, or your website will go offline. And as it turns out, security magically gets a lot more attention when ignoring it has a clear and direct real-world impact. | |
| ▲ | bigstrat2003 10 hours ago | parent | prev | next [-] | | > That is why people are so pissed, there is absolutely zero control over what the large browser manufacturers decide on a whim. It's one thing if banks or Facebook or other truly large entities get to do work... but personal blogs and the likes? Yep. There are plenty of things on the Internet for which TLS provides zero value. It is absolutely nonsensical to try to force them into using it, but the browser community is hell bent on making that bad decision. It is what it is. | |
| ▲ | nottorp 14 hours ago | parent | prev [-] | | > but personal blogs and the likes? Yep, the result of the current security hysteria/theater is it makes it increasingly difficult to maintain an independent web presence. Yes, I know, you can just use Cloudflare and depend on it... | | |
| ▲ | Ferret7446 14 hours ago | parent | next [-] | | TLS only takes a few minutes to add to a self hosted solution, just plop caddy in front of your server | |
| ▲ | eastbound 14 hours ago | parent | prev [-] | | Cloudflare uses HTTP to connect to your website before caching the content. I’ve always found it highly insecure. You could have HTTPS with Letsencrypt, but you need to deactivate Cloudflare when you want to renew (or use the other validation that is complex enough that I didn’t succeed to do it). | | |
| ▲ | nottorp 13 hours ago | parent | next [-] | | Don't pick on this particular SSL requirement, pick on the deluge of requirements that only make sense for a site that sells something or handles personal data (i.e. has accounts). They get extended to $RANDOM_SITE that only serves static text and the occasional cat photo for no good reason except "your cats will be more secure!". | | |
| ▲ | ptsd_isv 11 hours ago | parent [-] | | GP: At least on business plans this is incorrect, it defaults to (last time I checked) accepting any SSL certificate including self signed from edge to origin and it’s a low friction option to enforce either valid or provided CA/PubKey certs for the same path. Parent: those innocuous cat photos are fine in the current political climate… “First they came for the cat pic viewers, but I did not speak up…” | | |
| ▲ | nottorp 4 hours ago | parent [-] | | Wrong metaphor though? How does SSL on a -ing public site protect you from being arrested by miniluv? It’s public, you want everyone to see the cat photos, that’s why you set up the site. On the contrary, SSL certs mean another party through which miniluv can track you. They prove or are supposed to prove identity not hide it. |
|
| |
| ▲ | AnonC 9 hours ago | parent | prev [-] | | The statement that Cloudflare uses HTTP to connect to your website can be false depending on how you configure it. For years, I have had personal websites with Cloudflare as the CDN and with Let’s Encrypt providing certificates on the web server. All I do is choose Full (Strict) in the TLS settings on Cloudflare. So the connection between the end user to Cloudflare and from Cloudflare to my web server are on HTTPS. No deactivation of Cloudflare required on my end during renewal (my web host, like many others, has the certificate generation automated and getting a TLS certificate just a toggle on my admin dashboard). |
|
|
| |
| ▲ | foresto 14 hours ago | parent | prev [-] | | I can understand this in in certain contexts, such as a site that exists solely to post public information of no value to an attacker. A local volunteer group that posts their event schedule to the web were compelled to take on the burden of https just to keep their site from being labeled as a potential threat. They don't have an IT department. They aren't tech people. The change multiplied the hassles of maintaining their site. To them, it is all additional cost with no practical benefit over what they had before. | | |
| ▲ | cortesoft 12 hours ago | parent | next [-] | | The work and technical expertise to setup let's encrypt is less than the work to register a domain, set up a web server, and configure DNS to point to it. | | |
| ▲ | foresto 11 hours ago | parent [-] | | You seem to have missed what I wrote in the first place: They aren't tech people. It is additional work, and requires additional knowledge. It was also not available from most of the free web hosts that sites like these used before the https push. So investigating alternatives and migrating were required. In other words, still more work. |
| |
| ▲ | charcircuit 14 hours ago | parent | prev [-] | | This is why more and more organizations get away with only having social media pages where they don't have to worry about security or other technical issues. | | |
| ▲ | foresto 13 hours ago | parent [-] | | Unfortunately, placing the information on a social media page burdens the people seeking it with either submitting to the social media site's policies and practices, or else not having access to it. This is not a good substitute. It also contributes to the centralization of the web, placing more information under the control of large gatekeepers, and as a side effect, giving those gatekeepers even more influence. | | |
| ▲ | charcircuit 11 hours ago | parent [-] | | Most social media are free and easy to sign up for taking under a minute to do and have user bases that can be measured in the billions. Most people in the world are willing to follow the rules. Most people don't use social media via the web. They use it via dedicated apps. I think it's natural that people who don't want to deal with the tech side of things will outsource it to someone else. The idea that everyone will host their own tech is unrealistic. | | |
| ▲ | tialaramex 11 hours ago | parent [-] | | For now, in some jurisdictions, social media is "free" for your customers in the sense that it's supported by advertising. It's not free for you of course because advertising isn't free and from their point of view what you'd be getting is free advertising so they want you to pay them to put it in front of your customers. | | |
| ▲ | charcircuit 9 hours ago | parent [-] | | You don't have to advertise to have your company's posts gain traction on social media. |
|
|
|
|
|
|
|
| ▲ | xxmarkuski 15 hours ago | parent | prev | next [-] |
| I have heard, but do not aggree, that Let‘s Encrypt is risky, because phishing sites use it. It’s implied that other CAs do checks against it. |
| |
| ▲ | selcuka 8 hours ago | parent | next [-] | | An SSL provider once refused to sell me a certificate because the domain name had the word "Windows" in it. | |
| ▲ | anonymars 14 hours ago | parent | prev [-] | | I will say, I have never before this season seen so many seemingly-legit fake web stores. All with their little lock icons in the address bar. I assume LLMs helped kick it into overdrive too | | |
| ▲ | array_key_first 11 hours ago | parent [-] | | Conflating transport-layer encryption with authenticity is the problem. The former should always be standard, the latter is unrelated and IMO needs a different mechanism. | | |
| ▲ | kbolino 9 hours ago | parent [-] | | Absent widespread adoption of DNSSEC, which has just not happened at all, I don't see any alternative. The authentication must be done before the encryption parameters are negotiated, in order to protect against man-in-the-middle attacks. There must be some continuity between the two as well, since the authenticated party (both parties can be authenticated, but only one has to be) must digitally sign its parameters. Any competing authentication scheme would therefore have to operate at a lower layer with even more fundamental infrastructure, and the only thing we've really got that fits the bill is DNS. EDIT: A standard exists for this already, it's called DANE, though it has very little support: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na... | | |
| ▲ | anonymars 8 hours ago | parent [-] | | This applies to grandparent too (for the record I largely agree with them) but the issue isn't just "authenticity" but "identification" -- there's no real attestation about who is in on the other end of the site. This identity was once at least somewhat part of the certificate itself. | | |
| ▲ | kbolino 8 hours ago | parent [-] | | Yes, it is fair to say that domain names are not the sum total of identity. However, the EV certificate experience showed that, at least in terms of WebPKI and the open Internet, there really isn't anything better than domains yet. We have clear and seemingly easy go-to examples like proving that yes, this is THE Microsoft, and not a shady fly-by-night spoof in a non-extradition territory, but apart from the headline companies--who as of late seem to like changing their names anyway--this actually isn't easy at all. Walled gardens like app stores have different trade-offs, admittedly. |
|
|
|
|
|
|
| ▲ | rkagerer 6 hours ago | parent | prev | next [-] |
| Old browsers on old hardware without its CA baked in. |
|
| ▲ | accrual 8 hours ago | parent | prev | next [-] |
| Seconding the effect of Let's Encrypt on the world of TLS. I remember getting into web applications in the late 2000s and rolling my own certificates/CA and it was a huge, brittle pain. Now it's just another deployment checkbox thanks to LE. |
|
| ▲ | UltraSane 15 hours ago | parent | prev | next [-] |
| I have worked at companies that refused to use LetsEncrypt for the same reason. |
|
| ▲ | giancarlostoro 15 hours ago | parent | prev | next [-] |
| > It coming from GoDaddy is not a selling point... I just people who use GoDaddy. They were the one company supporting SOPA when the entire rest of the internet was opposed to SOPA. It's very obvious GoDaddy is run by "business-bros" and not hackers or tech bros. |
| |
| ▲ | dylan604 14 hours ago | parent [-] | | This is my feeling as well. Finding out someone uses GoDaddy is a bit of a shibboleth. |
|
|
| ▲ | traceroute66 15 hours ago | parent | prev [-] |
| > has anyone actually commented to you in a negative way about using Let's Encrypt? A friend of mine has had a negative experience insofar as they are working for a small company, using maybe only 15–20 certs and one day they started getting hounded by Let's Encrypt multiple times on the email address they used for ACME registration. Let's Encrcypt were chasing donations and were promptly told where to stick it with their unsolicited communications. Let's Encrypt also did zero research about who they were targetting, i.e. trying to get a small company to shell out $50k as a "donation". My friend was of the opinion is that if you're going to charge, then charge, but don't offer it for free and then go looking for payment via the backdoor. In a business environment getting a donation approved is almost always an entirely different process, involving completely different people in the company, than getting a product or service purchase approved. Even more so if, like Let's Encrypt, you are turning up on the doorstep asking for $50k a pop. |
| |
| ▲ | cjaybo 15 hours ago | parent | next [-] | | “They sent a few emails soliciting donations” isn’t exactly a horror story in my experience. Seems hardly worth mentioning! | | |
| ▲ | dylan604 14 hours ago | parent | next [-] | | It's not something to stop using them over, but unsolicited solicitation emails are annoying at the least. It's definitely worth mentioning letting other people know they have warts too | |
| ▲ | traceroute66 13 hours ago | parent | prev [-] | | To be clear, I was merely answering the question posed "has anyone actually commented to you in a negative way about using Let's Encrypt?" Well, yes, someone actually commented to me in a negative way about using Let's Encrypt .... Don't shoot the messenger, as they say. |
| |
| ▲ | jfindper 15 hours ago | parent | prev | next [-] | | >one day they started getting hounded by Let's Encrypt multiple times >trying to get a small company to shell out $50k as a "donation". >Even more so if, like Let's Encrypt, you are turning up on the doorstep asking for $50k a pop. Does your friend have anything to corroborate this claim? Perhaps the email with identifying details censored? I have a received an occasional email mentioning donations. They are extremely infrequent and never ask me for a specific amount. I would be incredibly surprised to see evidence of "hounding" and requests for $50,000. | | |
| ▲ | traceroute66 13 hours ago | parent [-] | | All the usual phishing checks were done if that's what you're thinking. In terms of the actual mail with identifying details removed, I'd have to go back and ask. I did look before posting here as I thought they had already forwarded it to me, but it was last year, so I have almost certainly cleaned up my Inbox since. I'm not an Inbox hoarder. |
| |
| ▲ | 15 hours ago | parent | prev [-] | | [deleted] |
|
