https://www.troyhunt.com/extended-validation-certificates-ar...
a) How many of the sites you visit everyday have DV and how many have EV certificates?
b) Name any site at all, that you have visited, where your behavior or opinion has changed because of the certificate?
In truth the green-bar thing disappeared on mobile long before desktop (and in some cases it was never present).
In truth if you polled all the company staff, or crumbs just the people round the boardroom table (probably including the person complaining) a rounding error from 0 could show you how to even determine if a cert was DV or EV.
EV could have an inspector literally visit your place of business, and it would still have no value because EVs are invisible to site visitors.
Since nobody ever actually leaked an intermediate private key for a CA, people don't recognise the value.
If we had lost payment card information through MITM, we would have been liable for a lot more money.
That was the business justification for EV back when I was doing major ecommerce stuff.
Only IT understand any of this SSL/TLS stuff and we screwed up the messaging. The message has always been somewhat muddled and that will never work efficiently.
I agree, making EV Certs visually more important makes sense to people who know what it means and what it doesn't. Too bad they never made it an optional setting.
[1] https://www.digicert.com/difference-between-dv-ov-and-ev-ssl...
Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain. Of course it's not 100% foolproof and depends on the quality of the CA but still very useful.
I'm glad LE, browsers, and others like Cloudflare brought this cost to $0. Eliminating this unnecessary cost is good for the internet.
I kind of wish they still had it, and I kind of wish browsers indicated that a cert was signed by a global CA (real cert store trusted by the browsers) or an aftermarket CA, so people can see that their stuff is being decrypted by their company.
https://www.thesslstore.com/resources/bimi-certificate-cost-...
But I'm glad that it hasn't caught on as strongly-expected by the public (or even commonly used). Big brands shouldn't be able to buy their way into inbox placement in ways that smaller companies can't replicate.
It's how you end up with both Apple Corps (the Beatles' record label) and Apple Computer (the tech company). They've been involved in quite a few lawsuits over the years, mostly because the tech company decided to expand into the multimedia business.
Let's Encrypt is to the internet what SSDs are to the PC. A level up.
I sort of understand this, although it does feel like going "bcrypt is so easy to use it's enabling standards agencies to force me to use something newer than MD5". Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work.
There's certainly advantages to easily available certificates, but that has enabled browsers and others to push too far; to be sure, though, that's not really a fault of Let's Encrypt, just the people who assume it's somehow globally applicable.
If you're not encrypting local network traffic then any rogue device on that network can decide to intercept it and steal your admin password. That's one of the biggest reasons why we adopted HTTPS in the first place - whether a host is public or not isn't relevant.
It doesn't need a "globally" recognized certificate signed by a public CA, self-signed ones are fine. At home I manage mine with XCA. I have a root CA that's installed on all of my devices, with name constraints set to ".internal", ensuring it can't be used to sign certificates for any other domains.
I know things like MDM/Intune/Group Policy/etc and such can A) facilitate doing this on a large number of devices and B) prevent users from doing this on their own.
Does this not work anymore?
I want to import it only for a specific set of domains. "Allow this rootca to authenticate mydomain.com, addmanager.com, debuggingsite.com", which means even if compromised it won't be intercepting mybank.com.
nameConstraints=critical,permitted;DNS:.iso1631.internal
- "critical" ensures that any clients who don't understand this extension fail the certificate validation outright instead of ignoring it.
- "DNS:.iso1631.internal" limits the scope to all subdomains of the given domain, e.g. "www.iso1631.internal"
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1....
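As an added example (not code from anyone in this thread), the same constraint expressed with Go's standard crypto/x509: a constructed home root carrying a critical permitted-DNS constraint signs a leaf, and Verify accepts the leaf for www.iso1631.internal but rejects one issued for a name outside .internal, which is exactly the "even if compromised it won't be intercepting mybank.com" property asked for above. The must helper and the certificate templates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; the templates below are fixed, so failure is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// LeafVerifies builds a constructed private root whose critical name constraints permit
// only DNS names under `permitted` (Go's form of the OpenSSL line
// nameConstraints=critical,permitted;DNS:.internal), has it sign a leaf for leafName,
// and returns nil if that leaf chains to the root for leafName, else the rejection.
func LeafVerifies(permitted, leafName string) error {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		// critical: a client that does not understand the extension must reject the chain
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{permitted},
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafName},
		DNSNames: []string{leafName}, // the SAN that the root's constraint is checked against
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey))))
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// Verify walks the chain and enforces every CA's name constraints against the leaf's SANs.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leafName})
	return err
}
```

For the rejected case Go reports a CertificateInvalidError with reason CANotAuthorizedForThisName, so a constrained root that leaks does not let anyone impersonate hosts outside the permitted suffix on devices that trust it.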
The problem is that this requires work and validation, which no beancounter ever plans for. And the underlings have to do the work, but don't get extra time, so it has to be crammed in, condensing the workday even more. For hobbyist projects it's even worse.
That is why people are so pissed, there is absolutely zero control over what the large browser manufacturers decide on a whim. It's one thing if banks or Facebook or other truly large entities get to do work... but personal blogs and the likes?
And with regards to the beancounters: that is exactly why the browsers are pushing for it. Most companies aren't willing to put time and effort into proper certificate handling procedures. The only way to get them to secure their shit is by forcing them: do it properly, or your website will go offline. And as it turns out, security magically gets a lot more attention when ignoring it has a clear and direct real-world impact.
Yep, the result of the current security hysteria/theater is it makes it increasingly difficult to maintain an independent web presence.
Yes, I know, you can just use Cloudflare and depend on it...
Yep. There are plenty of things on the Internet for which TLS provides zero value. It is absolutely nonsensical to try to force them into using it, but the browser community is hell bent on making that bad decision. It is what it is.
A local volunteer group that posts their event schedule to the web was compelled to take on the burden of https just to keep their site from being labeled as a potential threat. They don't have an IT department. They aren't tech people. The change multiplied the hassles of maintaining their site. To them, it is all additional cost with no practical benefit over what they had before.
It also contributes to the centralization of the web, placing more information under the control of large gatekeepers, and as a side effect, giving those gatekeepers even more influence.
Most people don't use social media via the web. They use it via dedicated apps. I think it's natural that people who don't want to deal with the tech side of things will outsource it to someone else. The idea that everyone will host their own tech is unrealistic.
It is additional work, and requires additional knowledge.
It was also not available from most of the free web hosts that sites like these used before the https push. So investigating alternatives and migrating were required. In other words, still more work.
I think the portion of users that check a certificate after the browser treated it as secure is much smaller than 1%, probably well below 0.1%. And I guess these TLS connoisseurs have a positive inclination to letsencrypt as well.
Those days are long gone, and I'm not completely sure how I feel about it. I hated the EV renewal/rotation process, so definitely a win on the day-to-day scale, but I still feel like something was lost in the transition.
Some of the outfits in that space will be heavily hit by the shortening certificate max-lifetimes, and I do hope that the insurance companies at some point also stop demanding a cert rotation before 90 days to expiry. It's a weird feeling to redline a corporate insurance policy when their standard requirements are 15 years out of date.
I swear half of my "compensating control" responses are just extended versions of "policy requirement is outdated or was always bad".
It's not like you have a lot of choices when certificates are only valid for 47 days in 2029!
Spoken like a true dinosaur. How can a certificate based on open, public and proven secure protocols be cheap?
> So my question: has anyone actually commented to you in a negative way about using Let's Encrypt?
No, but I personally judge businesses which claim to be tech savvy if they don’t have an ACME issued certificate, because to me that instantly shows I’m not dealing with someone who has kept up with technology for the last 10 years.
Also a valid point from security people is that you leak your internal hostnames to certificate transparency lists once you get a cert for your "internal-service.example.com" and every bot in existence will know about it and try to poke it.
I solved these problems by just not working with people like that anymore and also getting a wildcard Let's Encrypt certificate for every little service hosted - *.example.com and not thinking about something being on the list anymore.
In Safari, I don't even know how to find that information anymore. When I want to check expiration dates for my own sites, I start Firefox.
I have found "Connection Security Details…" in the "Safari" menu, though. But my point still stands: average users won't see any certificate information without serious effort.
Setting up an encrypted web-domain with continual Let's Encrypt certificate renewal has become tedious cargo-culting around the relics of the idea of a certificate that establishes trust by identity verification.
The collapse of identity-based certification is not Let’s Encrypt’s fault. People naturally choose the easiest option, and Let’s Encrypt supplied it.
Entrusting a handful of commercial certificate authorities with global identity is dubious on first principles anyway, but at least they tried; yet, for all its flaws, that centralized system has proven more practical than the idealistic, decentralized "web of trust".
They do things like blocking containers & SSH to make installing free certs impossible.
They also have elevated the price of their own certs (that they can conveniently provide) to ridiculous prices in contrast to free certs their customers can't even use...
It would be a huge price-fixing scandal if Congress had any idea of how technology works.
Most of my clients don't have budgets big enough for cloud hosting.
Not only do they just allow you to import any certificate you want, but they literally have a button on the panel to get one from Let's Encrypt for free.
It's shady, but technically not price-fixing unless they are a monopoly. You are free to take your business to somewhere else.
If you can find a company that allows clients to install Let's Encrypt Certs on shared hosting, please let me know.
I used DreamHost in the past and they had a configuration option in their control panel to automatically install and maintain a Let's Encrypt certificate on your behalf [1]. If you are stuck with Web.com you may consider using a reverse proxy/CDN such as CloudFlare.
[1] https://help.dreamhost.com/hc/en-us/articles/216539548-Addin...
The authentication must be done before the encryption parameters are negotiated, in order to protect against man-in-the-middle attacks. There must be some continuity between the two as well, since the authenticated party (both parties can be authenticated, but only one has to be) must digitally sign its parameters.
Any competing authentication scheme would therefore have to operate at a lower layer with even more fundamental infrastructure, and the only thing we've really got that fits the bill is DNS.
EDIT: A standard exists for this already, it's called DANE, though it has very little support: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...
We have clear and seemingly easy go-to examples like proving that yes, this is THE Microsoft, and not a shady fly-by-night spoof in a non-extradition territory, but apart from the headline companies--who as of late seem to like changing their names anyway--this actually isn't easy at all.
Walled gardens like app stores have different trade-offs, admittedly.
Just checked. They’re still using that manually installed cert!
One thing I heard recently which might be a valid point - that LE is based in US, which makes it subject to US laws. Read from that what you will though.
Let's Encrypt could stop issuing certificates to you, if the administration decided that necessary. This would at least disrupt whatever you were serving. Not that I think this is likely, only possible.
I think LE clearly demonstrated the need for an accessible free ACME authority. But it is high time for more alternatives (EU and China at least). FWIW: Everything around public infrastructure should be run decentralized not-for-profit using national resources. Things like DNS Registrars are silly if you think about it. They just buy it from TLD holders anyway.
I still find it too much of pain in the ass to deal with to justify for my personal stuff. Easier to just click through the warning every time.
I just people who use GoDaddy. They were the one company supporting SOPA when the entire rest of the internet was opposed to SOPA. It's very obvious GoDaddy is run by "business-bros" and not hackers or tech bros.
A friend of mine has had a negative experience insofar as they are working for a small company, using maybe only 15–20 certs and one day they started getting hounded by Let's Encrypt multiple times on the email address they used for ACME registration.
Let's Encrypt were chasing donations and were promptly told where to stick it with their unsolicited communications. Let's Encrypt also did zero research about who they were targeting, i.e. trying to get a small company to shell out $50k as a "donation".
My friend was of the opinion that if you're going to charge, then charge, but don't offer it for free and then go looking for payment via the backdoor.
In a business environment getting a donation approved is almost always an entirely different process, involving completely different people in the company, than getting a product or service purchase approved. Even more so if, like Let's Encrypt, you are turning up on the doorstep asking for $50k a pop.
Well, yes, someone actually commented to me in a negative way about using Let's Encrypt ....
Don't shoot the messenger, as they say.
>trying to get a small company to shell out $50k as a "donation".
>Even more so if, like Let's Encrypt, you are turning up on the doorstep asking for $50k a pop.
Does your friend have anything to corroborate this claim? Perhaps the email with identifying details censored?
I have received an occasional email mentioning donations. They are extremely infrequent and never ask me for a specific amount. I would be incredibly surprised to see evidence of "hounding" and requests for $50,000.
In terms of the actual mail with identifying details removed, I'd have to go back and ask.
I did look before posting here as I thought they had already forwarded it to me, but it was last year, so I have almost certainly cleaned up my Inbox since. I'm not an Inbox hoarder.
The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers". That is absurd to me because 1), it's (and was at the time) the largest certificate authority in the world, and 2) I've never seen someone care about who issued your cert on a sales call. It coming from GoDaddy is not a selling point...
So my question: has anyone actually commented to you in a negative way about using Let's Encrypt? I couldn't imagine, but curious on others' experiences.