Lets Encrypt
monkeyhostgroup
Member
in General
What are people's thoughts on the Let's Encrypt wildcard SSL certificates that they are launching? Anyone got any views?
Also general thoughts on Let's Encrypt: who's a fan, who isn't a fan?
Personally, I like them; it's great for free SSL, but it still raises the age-old question: if it's free, what's the catch? Degraded performance, not as secure as the big players?
As I say, me personally, I find it useful for getting a quick and effective SSL.
Thoughts appreciated
Comments
They're gonna be wild.
https://www.lowendtalk.com/discussion/118741/let-s-encrypt-wildcard-certificates-coming-in-january-2018
Why would the CA of a certificate make the TLS implementation less secure or degrade performance?
@ishaq I'm not saying that, but some people on the internet do question its integrity because it's free.
Sure, and they're wrong to do so. Unfortunately the marketing campaigns of various CAs have been very, very effective in making people believe that there are quality differences between certificate providers; in practice, there's just DV, EV, and a few other levels, and it's not going to matter what CA you use.
Let's Encrypt provides DV certificates like pretty much every certificate vendor offers, and there's no reason whatsoever for it to be any 'less trustworthy', nor does not using them make your site any more secure. The TLS CA system is such that any CA can sign a certificate for any hostname, so long as they are a CA that's trusted by clients, regardless of what CA was used for a given hostname before.
EDIT: Realized I forgot to address this:
There was never really a valid reason to require payment for DV certificates in the first place, CAs just did so because everybody else did, and there was money to be made. The cost of handing out a single DV certificate is absolutely negligible, and it's totally viable to offer them for free once operational costs are covered (which they are for LE, through sponsors and donations).
I would prefer a standalone cert for each domain and subdomain. It would be just as secure as any other SSL certificate.
I remember reading that one high profile site bought a certificate (lesser chain) to ensure the handshake didn't spill over a network packet to improve perceived speed.
I would prefer it if there were also a second (and third, etc.) supplier of free certs. With Let's Encrypt being the only one, it may go down sometime in the future, and with no other free options you will have no choice other than to pay for a cert. It is impossible to migrate from HTTPS back to HTTP without having a valid cert on the HTTPS side (otherwise all your visitors will get a big scary red screen). So you'll have to keep obtaining a cert somehow; if the free options get removed, there is no choice but to pay.
@joepie91 I totally agree. My message in the OP was literally just asking what others think and getting some form of response. I totally agree with what you have said; you hit the nail on the head. I personally appreciate free over paid, as if a company is willing to do something for free then that shows they are committed.
For me, I have looked at the security, compared it to other services, and there is no difference: it is 100% as secure, it's the same strength, uses the same encryption standards, and it passes completely as a valid SSL certificate.
I personally love Let's Encrypt and will likely make use of the wildcard SSLs when they are rolled out.
At present I am not aware of any other free providers, and as @joepie91 rightly said, the whole idea behind CA is that they are trusted, well the community clearly trusts Let's Encrypt.
I use Let's Encrypt, and I enjoy free certificates, but for my business I use Comodo certificates because of the length of time they are allowed to be active (3 years) and also other benefits such as a site seal to enhance the perception of customer trust.
This is another hot-button topic, as many people believe that it has absolutely no effect whatsoever. I personally do not know, but if I was running an eCommerce site with HTTP Strict Transport Security (HSTS), I personally would not use it.
@monkeyhostgroup Personally, I do not trust Let's Encrypt, nor do I trust the CA...
God bless you!
Half the point of Let's Encrypt is to automate renewal. This actually increases the security of the certificates somewhat, as certificates with a shorter expiry more quickly become useless if the private key leaks for some reason. Given the relative lack of certificate revocation checks in software currently, this does matter.
In other words: if the short expiry time is a problem, then you're using the wrong setup. You should have set up something that automatically renews the certificates, at which point the short expiry simply doesn't matter anymore.
SSL seals are a scam, and I'd consider it very dishonest to use them. They're absolutely meaningless.
HSTS works absolutely fine with Let's Encrypt. There is no difference there with other CAs. It's a HTTPS thing, not specific to any one CA.
@Joepie91
Granted, you have a valid point. My issue is that the certificate will not renew, whether it is a bug in your server software, the cronjob fails, the server is down, or you are unable to receive an e-mail. Having a long duration for your certificate is easier.
Come on, they are used to enhance the perception of trust. When you click on them they give relevant information as to the benefits that you will receive from the provider if something were to go wrong. When used correctly, that can enhance your site and make it look more professional.
Yes it does, but if your certificate were to go down then your entire site will go down. So having a long certificate duration will reduce the several points of failure that Let's Encrypt adds, even if it, by your words, slightly decreases security.
I would argue that it's still increased security, because your site goes down, preventing insecure access. Unless you're not using HSTS and want visitors to use your site without TLS?
Also, as a site admin one has to take some ownership and actually maintain the stuff necessary for operation. I consider making sure certificates are valid as just another thing I need to do... like applying operating system updates.
Which one are you more likely to automate - renewal every 3 years, or every 3 months with the tools already supplied, free?
Automation is good. Humans miss things. In the unlikely case it fails, your cron job will retry. If it keeps failing, Let's Encrypt will email you to let you know at least twice.
In the unlikely event that renewal fails, you will receive a number of e-mails from Let's Encrypt to notify you of this:
On top of that, there are third-party notification services for this kind of thing, too, if you're really paranoid. It's pretty hard to mess this up.
That, to me, reads as "I have no problem lying to my customers about security they won't get", which I do not consider in any way acceptable. No amount of marketing bullshit like "enhances the perception of trust" makes up for that.
By the way:
This translates to "nothing". The "insurance" that is included with certificates is phrased in such a way that it will essentially never cover anything ever. It, too, is a scam.
Yes, that's the point. It prevents downgrade attacks by enforcing that. You can't both prevent downgrade attacks and still allow HTTP access.
Certificates don't "go down", by the way. They are served independently by your server, and do not rely on third-party infrastructure. You're only reliant on a third party for the renewal.
Let's Encrypt does not "add" any points of failure. It's the same amount of points of failure as with any other CA. You just renew more frequently.
If your webserver isn't configured with sane timeouts for OCSP - then sure - you can actually get timeouts in browsers and/or end up with so many stuck OCSP connections that your webserver runs out of connections.
It's not long ago that OCSP went completely down at Let's Encrypt, actually causing major issues for a bunch of webhosting providers around the world. (cPanel default OCSP settings will cause issues on high-traffic servers.)
... and OCSP is pretty much third-party infrastructure.
@joepie91
Okay you have several valid points, but I still will not use it on an eCommerce website with HTTP Strict Transport Security (HSTS).
Each renewal of Let's Encrypt can be a potential point of failure from a system admin's perspective, you understand this.
The issue of whether placing a site seal on your site is dishonest or an outright lie is pretty extreme. While the company will try their best to defend against potential liability, I do not believe that it is dishonest to have this on an eCommerce website. While it does provide little to no benefit in terms of security, I believe customers would like to see it. That is why I said the "perception of trust."
God bless you!
Most people have just been trained to look for the lock. There's little point in propagating the myth that paid DV certs are better than free DV certs.
EV in some cases provides some significant benefits. But is your site a bank? If not, it is worth considering whether the extra man-hours are worth the time, given that unless your customers know what should be shown in the organisation label, it'll be no more benefit than a placebo over DV.
Theoretically? Yes, it could be an issue. In practice? No, it won't be. Between your cronjobs (you do have reporting set up for failed system tasks, right?), Let's Encrypt's e-mail notifications, and optional third-party certificate monitoring, the chance of this causing an issue is essentially nil.
And if Let's Encrypt really does go down, and it really does stay down for so long that there's no chance it'll recover in time for your renewal, then what's to stop you from manually purchasing a certificate from another vendor?
There's really no excuse here, it's not a realistic availability issue. Not for an e-commerce site, either. It all comes down to how diligent you are as a system administrator.
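A minimal expiry check of the kind the "reporting for failed system tasks" point above is about, as an added example that is not from the thread or from Let's Encrypt's tooling; it assumes the openssl CLI, GNU or BSD date, and a certificate file path (such as the fullchain.pem your ACME client renews) that you supply:

```shell
#!/bin/sh
# Added example, not from the thread: a cron-friendly expiry check for a
# certificate file. Assumes the openssl CLI; the date conversion tries GNU
# date first, then BSD date. A non-zero exit is the point: cron with MAILTO
# set will mail the output, so a renewal that silently stopped working
# becomes visible long before the 90-day certificate actually expires.

cert_days_left() {
  # Print the whole number of days until the certificate in $1 expires.
  not_after=$(openssl x509 -in "$1" -noout -enddate) || return 2
  not_after=${not_after#notAfter=}
  end_epoch=$(date -d "$not_after" +%s 2>/dev/null \
    || date -j -f "%b %e %H:%M:%S %Y %Z" "$not_after" +%s) || return 2
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

check_cert() {
  # $1 = certificate file, $2 = minimum acceptable days of validity.
  # Returns 0 when enough validity remains, 1 when renewal is overdue,
  # 2 when the file cannot be read as a certificate at all.
  days=$(cert_days_left "$1") || { echo "ERROR: cannot read $1" >&2; return 2; }
  subject=$(openssl x509 -in "$1" -noout -subject)
  if [ "$days" -le "$2" ]; then
    echo "WARNING: $subject expires in $days days (threshold $2)" >&2
    return 1
  fi
  echo "OK: $subject expires in $days days"
}

# Constructed cron line: check daily and warn when under 20 days remain,
# i.e. well after the ACME client's own renewal attempts should have run.
#   0 6 * * * /usr/local/bin/check_cert.sh /path/to/fullchain.pem 20
if [ "$#" -eq 2 ]; then
  check_cert "$1" "$2"
fi
```

Run it from a cron entry with MAILTO set (or pipe its output to whatever alerting you already use) so that a failed renewal is reported the same way any other failed system task is.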
It suggests special security. It is used with the intention to do so. It does not provide special security. That is dishonest, because the claims/implications do not match the service provided. This is not rocket science.
And I really don't consider it "extreme" to call out dishonest marketing towards customers, not in the slightest. I'd consider it more extreme to present this as something completely normal and wave it away as "it's just about making us look more trustworthy". Which, ironically, is precisely what you are not when you lie to your customers.
EDIT: I guess this can be phrased more succinctly as: If you need to make yourself look more trustworthy, that probably means you weren't very trustworthy to begin with.
You might have a higher chance to forget to renew the certificate 3 years later because, you already forgot it, didn't you?
No difference, except you are paying for the same root certificate / domain name validated.
I think I agree with points made above by other users, that if Let's Encrypt goes, you are a bit screwed because the trust element disappears, so I agree that I would like to see more free providers out there to allow you to very quickly reinstate a new SSL certificate to avoid downtime.