
Let's Encrypt: Free SSL Certificates. How will other certificate authorities compete?

MannDude

Just a dude
vpsBoard Founder
Moderator
I'm sure most of you are aware of https://letsencrypt.org already. How do you all imagine this will change the SSL market and how will other certificate authorities such as GlobalSign, Comodo, etc. compete?
 

devonblzx

New Member
Verified Provider
Looks interesting, but not entirely new.  The server side software is new though.

StartSSL has been offering free SSL certificates for several years.  For most businesses, SSL isn't a big cost, and for large businesses I foresee EV, PCI, and auditing still being large ticket items for places like Comodo.

I'd love to see Comodo offering a free SSL, but I'm pretty sure they are only about $10/year right now, so it won't be a huge difference except for maybe the lowendboxers who think $10/year is a lot.
 

fizzyjoe908

New Member
Verified Provider
I support any CA that offers free domain validated SSL certificates. The more the merrier!

The reason why I think Let's Encrypt is better than StartSSL is that the former seems to not care, at least right now, about the content of the site. Unfortunately StartSSL recently updated their process to not offer free certificates to commercial websites.
 

KuJoe

Well-Known Member
Verified Provider
Nothing against free SSLs, but I feel more comfortable with paying for them. If something happens with an SSL I paid for I have more traction if there were legal or financial repercussions.
 

host4go

Member
Verified Provider
It seems like it will work for servers and VPS.

What about shared hosting?...

And btw, there's also WoSign offering a multi-domain SSL (up to 100 domains).
 

tonyg

New Member
Wow, thanks for the link. It looks to be a real game changer.

Best part besides being free... two commands and the domain is set up with SSL!

Will definitely give it a go for my personal sites, the business sites will require a "wait and see".
 

sv01

Slow but sure
For personal that's okay, for commercial websites I prefer paying for a CA.

Let's Encrypt is really easy to deploy if you watch the video.
 

MightWeb

New Member
Verified Provider
Let's Encrypt is a lovely solution, and I fully support it. Much like devon mentioned however, I do believe the more extensive product lines from companies such as Comodo, Symantec, GeoTrust and Thawte will be the focus points. But yeah, I'm sure they'll lose a substantial number of DV certificates as time goes by.
 

GIANT_CRAB

New Member
The biggest difference between LetsEncrypt and the other free SSL guys is that it is highly automated and there are big sponsors.

What this means is that, with the help of EFF and Mozilla, this product gets marketed to the web and is more likely to be used. EFF, Tor, Mozilla and many others have been tweeting about LetsEncrypt since a few months back and many users (including me) are excited to use it. 

I doubt that this will have a major effect against GlobalSign/Comodo, etc because they are the big players, no sane SME or company will use a free SSL service and if you need EV SSL, LetsEncrypt won't be able to do it either. 
 

lbft

Active Member
> Nothing against free SSLs, but I feel more comfortable with paying for them. If something happens with an SSL I paid for I have more traction if there were legal or financial repercussions.

While this is a decent point (having a company with an insurance policy to sue), you do realise that any trusted CA can issue a cert for your domain any time they like, right? The only thing stopping them is policy and procedure along with the risk that if they get caught, they could get tossed out of browsers' certificate stores (like DigiNotar and CNNIC). If someone's issuing certs they shouldn't be issuing then those protections have already failed.

There are some really untrustworthy organisations who can issue certs that you'll accept, most notably repressive governments.

> I doubt that this will have a major effect against GlobalSign/Comodo, etc because they are the big players, no sane SME or company will use a free SSL service and if you need EV SSL, LetsEncrypt won't be able to do it either.

IdenTrust isn't bootstrapping the Let's Encrypt CA out of the goodness of their hearts, they're likely hoping to be able to upsell people to other products like wildcards and EV.
 

KuJoe

Well-Known Member
Verified Provider
> While this is a decent point (having a company with an insurance policy to sue), you do realise that any trusted CA can issue a cert for your domain any time they like, right? The only thing stopping them is policy and procedure along with the risk that if they get caught, they could get tossed out of browsers' certificate stores (like DigiNotar and CNNIC). If someone's issuing certs they shouldn't be issuing then those protections have already failed.
>
> There are some really untrustworthy organisations who can issue certs that you'll accept, most notably repressive governments.

I understand that but my comment still holds true. :)
 

Francisco

Company Lube
Verified Provider
> I support any CA that offers free domain validated SSL certificates. The more the merrier!
>
> The reason why I think Let's Encrypt is better than StartSSL is that the former seems to not care, at least right now, about the content of the site. Unfortunately StartSSL recently updated their process to not offer free certificates to commercial websites.

That has been their policy for a long time. If you're using it for a control panel or for a billing panel, etc, you're going to get denied.

> Nothing against free SSLs, but I feel more comfortable with paying for them. If something happens with an SSL I paid for I have more traction if there were legal or financial repercussions.

That's likely what many of the CAs are hoping on, that people are dumb/etc and will keep paying. LetsEncrypt will get merged into cPanel, likely sooner rather than later. The API is simple for them to integrate since they already have a CSR system in WHM itself.

I have a meeting with GlobalSign tomorrow and plan to bring this up, I fully expect for them to tell me it's going to be a fad and die off, though.

> IdenTrust isn't bootstrapping the Let's Encrypt CA out of the goodness of their hearts, they're likely hoping to be able to upsell people to other products like wildcards and EV.

Right, which is likely why LE is refusing to say much in regards to wildcards until their root certificate gets accepted by Microsoft, etc. Will it? Probably.

Francisco
 

rupe

New Member
Now that Let's Encrypt is out of beta, I figured I'd give this topic a bump to see what everyone's experience with them has been.


Francisco, what happened at your GlobalSign meeting when you brought the topic up? Or has it been so long that you forget? :)
 

wlanboy

Content Contributer
I buy domains and certs in 3-year terms. So only one cert was out of date.
I tried Let's Encrypt with that domain and it was hassle free. No login, no passwords, just a recovery email address and a webroot folder to check if I am running the domain.


Got my SSL cert running within 1 minute. 3 minutes if you have to install Python.
Renewing is a simple bash call because all information about where and who is stored in /etc. I will move my private domains to Let's Encrypt - right out of that dead-simple server-side approach.
Never thought that someone can build an automated fire-and-forget SSL cert renewal process.
 

CableChief

New Member
The integration with other software is great so far and is nifty for SolusVM (with bugs) and cPanel. Business owners will most likely be skeptical aka there's no such thing as a free lunch. But I'm all up for it, glad to see browser adoption is going well and they've even got it working on XP! 
 

Hxxx

Active Member
Not sure if for business let's encrypt is trusted enough. For now I prefer to buy certs from known authorities. 
 

DomainBop

Dormant VPSB Pathogen
> Not sure if for business let's encrypt is trusted enough. For now I prefer to buy certs from known authorities.

Let's Encrypt issues domain-validation only certificates so the trust factor will be lower in the eyes of many site visitors than organization validated SSL or extended validated SSL certificates.  I really don't expect to see any ecommerce, financial, healthcare, etc businesses switching to Let's Encrypt.


Domain validation certificates are also much easier for hackers, malware, and phishing site operators to obtain, and there have already been some cases of malware sites being set up using Let's Encrypt certificates. TrendMicro report from January: http://blog.trendmicro.com/trendlabs-security-intelligence/lets-encrypt-now-being-abused-by-malvertisers/

> Domain-validation certificates only confirm that the relevant domain is under the control of the site recipient. In theory, this should not validate the identity of the recipient. However, end users less aware of the nuances of certificates may miss the differences, and as a result, these DV certificates can help the hacker gain legitimacy with the public.
>
> While Let’s Encrypt has stated that they do not believe CAs should act as a content filter, they do check domains that it issues against the Google safe browsing API.
>
> Ideally, CAs should be willing to cancel certificates issued to illicit parties that have been abused by various threat actors. However, security on the infrastructure is only possible when all critical players – browsers, CAs, and anti-virus companies – play an active role in weeding out bad actors. A key takeaway from the malvertising incident is that website owners should ensure that they secure their own website control panels, to ensure that new subdomains beyond their control are not created without their knowledge...

Let's Encrypt is good because it will allow people to use SSL with their crappy blogs or photo galleries that nobody but themselves and their family want to look at but it's not going to replace paid OV and EV certificates used by many businesses (their certificates will probably be very popular with summer hosts though who don't want to make a "large investment" of $10 in a paid cert).
 
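Added example, not part of any post in this thread: lbft's point that any trusted CA can issue for your domain, and the quoted report's advice to watch for subdomains created without your knowledge, both come down to auditing what has actually been issued for your names (for instance from Certificate Transparency log records). The sketch below runs over constructed records; the domain, host inventory, issuer policy and record field names are all assumptions of this example.

```python
"""Audit certificate issuance records for one domain (added example)."""

# Assumed inventory for the placeholder domain example.com.
KNOWN_HOSTS = {"example.com", "www.example.com", "billing.example.com"}
# Issuer organisations the site owner actually buys or requests from (assumed policy).
APPROVED_ISSUERS = {"Let's Encrypt", "GlobalSign nv-sa"}

# Constructed sample records; the field names are an assumption of this example.
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "promo-ads.example.com"},
    {"id": 3, "issuer_name": "C=XX, O=Unknown Trust Services, CN=UTS Root",
     "name_value": "BILLING.example.com."},
]


def issuer_org(issuer_name):
    """Return the O= component of a simple comma-separated issuer DN."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "O":
            return value.strip()
    return ""


def normalise(host):
    """Lower-case a hostname and drop whitespace and the trailing root dot."""
    return host.strip().lower().rstrip(".")


def audit(entries, known_hosts, approved_issuers):
    """Return (entry id, reason, detail) tuples for certificates to investigate."""
    findings = []
    for entry in entries:
        org = issuer_org(entry["issuer_name"])
        if org not in approved_issuers:
            findings.append((entry["id"], "unexpected-issuer", org))
        for name in entry["name_value"].splitlines():
            host = normalise(name)
            if host and host not in known_hosts:
                findings.append((entry["id"], "unknown-hostname", host))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES, KNOWN_HOSTS, APPROVED_ISSUERS):
        print(finding)
```

Entry 2 is a DV certificate from an approved issuer for a hostname the owner never created; entry 3 is a known hostname certified by an issuer the owner does not use.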

mitgib

New Member
Verified Provider
I had this question a while back, and posed it to GoGetSSL, this was their response:


> Dear Tim,
>
> at this moment yes, we are pending on own CA registration.
>
> Dead business? :))) Let's Encrypt has 0,07% of the market, it is nothing. Millions of SSL issued daily by all others.
> http://w3techs.com/technologies/overview/ssl_certificate/all
>
> We see strong increase in sales as well as all others.
>
> Let's Encrypt offers only Domain validation single domain certs, while most income is from Wildcards, Multi-Domains and OV/EV certs.
>
> Let's Encrypt issues SSL for 90-days only, Google and others do not give such trust to it comparing to 1-2-3 years certs.
>
> Let's Encrypt just got those customers who never had even 4$ to pay for SSL.
>
> Best wishes,
> Evgeny Ruhman
> GGSSL Level III Engineer
 

River

Member
Verified Provider
> EV, PCI, and auditing still being large ticket items for places like Comodo

That's the big thing. Many big businesses, specifically financial, medical, and other systems that process sensitive records and are subject to further regulation on security will not be using the free certificate they can get. They will be using EV and other more advanced solutions.
 