# Let's Encrypt: Free SSL Certificates. How will other certificate authorities compete?



## MannDude (Apr 15, 2015)

I'm sure most of you are aware of https://letsencrypt.org already.  How do you all imagine this will change the SSL market and how will other certificate authorities such as GlobalSign, Comodo, etc compete?


----------



## devonblzx (Apr 15, 2015)

Looks interesting, but not entirely new.  The server side software is new though.

StartSSL has been offering free SSL certificates for several years.  For most businesses, SSL isn't a big cost, and for large businesses I foresee EV, PCI, and auditing still being large ticket items for places like Comodo.

I'd love to see Comodo offering a free SSL, but I'm pretty sure they are only about $10/year right now, so it won't be a huge difference except for maybe the lowendboxers who think $10/year is a lot.


----------



## fizzyjoe908 (Apr 15, 2015)

I support any CA that offers free domain validated SSL certificates. The more the merrier!

The reason why I think Let's Encrypt is better than StartSSL is that the former seems to not care, at least right now, about the content of the site. Unfortunately StartSSL recently updated their process to not offer free certificates to commercial websites.


----------



## KuJoe (Apr 15, 2015)

Nothing against free SSLs, but I feel more comfortable with paying for them. If something happens with an SSL I paid for I have more traction if there were legal or financial repercussions.


----------



## host4go (Apr 15, 2015)

It seems like it will work for servers and VPS.

What about Shared hosting?...

And btw, there's also Wosign offering a multi domain SSL. (up to 100 domains)


----------



## tonyg (Apr 15, 2015)

Wow, thanks for the link. It looks to be a real game changer.

Best part besides being free...two commands and the domain is set up with SSL!

Will definitely give it a go for my personal sites, the business sites will require a "wait and see".


----------



## sv01 (Apr 16, 2015)

For personal that's okay, for commercial websites I prefer paying for a CA.

Let's Encrypt is really easy to deploy if you watch the video.


----------



## MightWeb (Apr 16, 2015)

Let's Encrypt is a lovely solution, and I fully support it. Much like devon mentioned however, I do believe the more extensive product lines from companies such as Comodo, Symantec, GeoTrust and Thawte will be the focus points. But yeah, I'm sure they'll lose a substantial number of DV Certificates as time goes by.


----------



## GIANT_CRAB (Apr 16, 2015)

The biggest difference between LetsEncrypt and the other free SSL guys is that it is highly automated and there are big sponsors.

What this means is that, with the help of EFF and Mozilla, this product gets marketed to the web and is more likely to be used. EFF, Tor, Mozilla and many others have been tweeting about LetsEncrypt since a few months back and many users (including me) are excited to use it. 

I doubt that this will have a major effect against GlobalSign/Comodo, etc because they are the big players, no sane SME or company will use a free SSL service and if you need EV SSL, LetsEncrypt won't be able to do it either.


----------



## lbft (Apr 16, 2015)

KuJoe said:


> Nothing against free SSLs, but I feel more comfortable with paying for them. If something happens with an SSL I paid for I have more traction if there were legal or financial repercussions.


While this is a decent point (having a company with an insurance policy to sue), you do realise that any trusted CA can issue a cert for your domain any time they like, right? The only thing stopping them is policy and procedure along with the risk that if they get caught, they could get tossed out of browsers' certificate stores (like DigiNotar and CNNIC). If someone's issuing certs they shouldn't be issuing then those protections have already failed.

There are some really untrustworthy organisations who can issue certs that you'll accept, most notably repressive governments.



GIANT_CRAB said:


> I doubt that this will have a major effect against GlobalSign/Comodo, etc because they are the big players, no sane SME or company will use a free SSL service and if you need EV SSL, LetsEncrypt won't be able to do it either.


IdenTrust isn't bootstrapping the Let's Encrypt CA out of the goodness of their hearts, they're likely hoping to be able to upsell people to other products like wildcards and EV.


----------



## KuJoe (Apr 16, 2015)

lbft said:


> While this is a decent point (having a company with an insurance policy to sue), you do realise that any trusted CA can issue a cert for your domain any time they like, right? The only thing stopping them is policy and procedure along with the risk that if they get caught, they could get tossed out of browsers' certificate stores (like DigiNotar and CNNIC). If someone's issuing certs they shouldn't be issuing then those protections have already failed.
> 
> There are some really untrustworthy organisations who can issue certs that you'll accept, most notably repressive governments.


I understand that but my comment still holds true.


----------



## Francisco (Apr 16, 2015)

fizzyjoe908 said:


> I support any CA that offers free domain validated SSL certificates. The more the merrier!
> 
> The reason why I think Let's Encrypt is better than StartSSL is that the former seems to not care, at least right now, about the content of the site. Unfortunately StartSSL recently updated their process to not offer free certificates to commercial websites.


That has been their policy for a long time. If you're using it for a control panel or for a billing panel, etc, you're going to get denied.



KuJoe said:


> Nothing against free SSLs, but I feel more comfortable with paying for them. If something happens with an SSL I paid for I have more traction if there were legal or financial repercussions.


That's likely what many of the CA's are hoping on, that people are dumb/etc and will keep paying. LetsEncrypt will get merged into cPanel, likely sooner rather than later. The API is simple for them to integrate since they already have a CSR system in WHM itself.

I have a meeting with globalsign tomorrow and plan to bring this up, I fully expect for them to tell me it's going to be a fad and die off, though.



lbft said:


> IdenTrust isn't bootstrapping the Let's Encrypt CA out of the goodness of their hearts, they're likely hoping to be able to upsell people to other products like wildcards and EV.


Right, which is likely why LE is refusing to say much in regards to wildcards until their root certificate gets accepted by Microsoft, etc. Will it? Probably.

Francisco


----------



## rupe (Apr 16, 2016)

Now that Let's Encrypt is out of beta, I figured I'd give this topic a bump to see what everyone's experience with them has been.


Francisco, what happened at your globalsign meeting when you brought the topic up? Or has it been so long that you forget?


----------



## wlanboy (Apr 16, 2016)

I buy domains and certs in 3-year terms. So only one cert was out-of-date.
I tried Let's Encrypt with that domain and it was hassle free. No login, no passwords, just a recovery email address and a webroot folder to check if I am running the domain.


Got my SSL cert running within 1 minute. 3 minutes if you have to install Python.
Renewing is a simple bash call because all information about where and who is stored in /etc. I will move my private domains to Let's Encrypt - right out of that dead-simple server-side approach.
Never thought that someone can build an automated fire-and-forget SSL cert renewal process.


----------



## CableChief (Apr 16, 2016)

The integration with other software is great so far and is nifty for SolusVM (with bugs) and cPanel. Business owners will most likely be skeptical aka there's no such thing as a free lunch. But I'm all up for it, glad to see browser adoption is going well and they've even got it working on XP!


----------



## Hxxx (Apr 17, 2016)

Not sure if for business let's encrypt is trusted enough. For now I prefer to buy certs from known authorities.


----------



## DomainBop (Apr 17, 2016)

Hxxx said:


> Not sure if for business let's encrypt is trusted enough. For now I prefer to buy certs from known authorities.



Let's Encrypt issues domain-validation only certificates so the trust factor will be lower in the eyes of many site visitors than organization validated SSL or extended validated SSL certificates.  I really don't expect to see any ecommerce, financial, healthcare, etc businesses switching to Let's Encrypt.


Domain validation certificates are also much easier for hackers, malware, and phishing site operators to obtain, and there have already been some cases of malware sites being set up using Let's Encrypt certificates. TrendMicro report from January: http://blog.trendmicro.com/trendlabs-security-intelligence/lets-encrypt-now-being-abused-by-malvertisers/



> Domain-validation certificates only confirm that the relevant domain is under the control of the site recipient. In theory, this should not validate the identity of the recipient. However, end users less aware of the nuances of certificates may miss the differences, and as a result, these DV certificates can help the hacker gain legitimacy with the public.
> 
> 
> While Let’s Encrypt has stated that they do not believe CAs should act as a content filter, they do check domains that it issues against the Google safe browsing API.
> ...



Let's Encrypt is good because it will allow people to use SSL with their crappy blogs or photo galleries that nobody but themselves and their family want to look at but it's not going to replace paid OV and EV certificates used by many businesses (_their certificates will probably be very popular with summer hosts though who don't want to make a "large investment" of $10 in a paid cert_).


----------



## wlanboy (Apr 17, 2016)

Not bad at all:


----------



## mitgib (Apr 19, 2016)

I had this question awhile back, and posed it to GoGetSSL, this was their response:


> Dear Tim,
>
> at this moment yes, we are pending on own CA registration.
>
> Dead business? )) Lets Encrypt has 0,07% of the market, it is nothing. Millions of SSL issued daily by all others.
>
> http://w3techs.com/technologies/overview/ssl_certificate/all
>
> We see strong increase in sales as well as all others.
>
> Lets Encrypt offers only Domain validation single domain certs, while most income is from Wildcards, Multi-Domains and OV/EV certs.
>
> Lets Encrypt issues SSL for 90-days only, Google and others do not give such trust to it comparing to 1-2-3 years certs.
>
> Lets Encrypt just got those customers who never had even 4$ to pay for SSL.
>
> Best wishes,
> Evgeny Ruhman
> GGSSL Level III Engineer


----------



## River (Apr 19, 2016)

devonblzx said:


> EV, PCI, and auditing still being large ticket items for places like Comodo



That's the big thing. Many big businesses, specifically financial, medical, and other systems that process sensitive records and are subject to further regulation on security will not be using the free certificate they can get. They will be using EV and other more advanced solutions.


----------



## graeme (Apr 20, 2016)

DomainBop said:


> Let's Encrypt is good because it will allow people to use SSL with their crappy blogs or photo galleries that nobody but themselves and their family want to look at but it's not going to replace paid OV and EV certificates used by many businesses (_their certificates will probably be very popular with summer hosts though who don't want to make a "large investment" of $10 in a paid cert_).



AWS uses a certificate that is not EV and has no organisation info. Not a summer host! Online retailers seem to use a mix of cert types.


I do not understand the point of OV certs. There is no obvious indication of the difference so very few people will notice that it is any different from DV.

DV certificates are a big chunk of the certificate issuing business (lower cost but bigger volume), and it must be high margin (because it is entirely automated).


----------



## Localnode (Apr 20, 2016)

Why do people pay more for a Symantec, Thawte, or Globalsign certificate when Comodo are super cheap?


I don't see Comodo, or any other CA having trouble. Symantec has its brand name and their little "trust seal" while Globalsign has Stop The Hacker, and Comodo has their hackerproof thing.
EV and OV SSL's will always have a place - and I don't see LE planning on issuing those.


----------



## AMDbuilder (Apr 20, 2016)

Localnode said:


> Why do people pay more for a Symantec, Thawte, or Globalsign certificate when Comodo are super cheap?



Why does someone buy their hosting from you instead of someone else?


----------



## River (Apr 20, 2016)

Localnode said:


> Why do people pay more for a Symantec, Thawte, or Globalsign certificate when Comodo are super cheap?
> 
> 
> I don't see Comodo, or any other CA having trouble. Symantec has its brand name and their little "trust seal" while Globalsign has Stop The Hacker, and Comodo has their hackerproof thing.
> EV and OV SSL's will always have a place - and I don't see LE planning on issuing those.



Because people are paying for the name. Why does someone buy the Corvette when the Honda does just fine?


Another thing is sometimes they will offer like $1 million in insurance for hacked sites or whatever, they all probably don't do that. So it might be feature (addon) based as well.


----------



## Localnode (Apr 21, 2016)

River said:


> Because people are paying for the name. Why does someone buy the Corvette when the Honda does just fine?
> 
> 
> Another thing is sometimes they will offer like $1 million in insurance for hacked sites or whatever, they all probably don't do that. So it might be feature (addon) based as well.



I basically did say they paid for the brand name...


----------



## graeme (Apr 23, 2016)

CYA. The cost is small in context, it's not their money (it's the company's) and by using a known brand they cover themselves if something goes wrong.


This is the reasoning behind almost all technology (product and service) purchases.


----------



## retrack (Jul 4, 2016)

Automated or not, free or not, a CA is all about trust and this is relative to everyone's environment. StartSSL presumably linked to Chinese government (not my statement) https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html will be ok for some but not for others. Likewise where Letsencrypt brings massive improvements on the technical security layer with the automated process, the trustworthiness is not the same for everyone.


----------



## SafehouseCloud (Jul 13, 2016)

Seems until now not so much changed on the market.


----------

