Lets Encrypt
What are people's thoughts on the Let's Encrypt Wildcard SSLs that they are launching, anyone got any views?
Also general thoughts on Let's Encrypt, who's a fan, who isn't a fan.

Personally, I like them, it's great for free SSL, but it still poses the age-old view: if it's free, what's the catch? Degraded performance, not as secure as the big players?

As I say, me personally, I find it useful for getting a quick and effective SSL.

Thoughts appreciated :)

Comments

  • trvz Member

    They're gonna be wild.

  • Ishaq Member

    @monkeyhostgroup said: Degraded performance, not as secure as the big players?

    Why would the CA of a certificate make the TLS implementation less secure or degrade performance?

  • @ishaq not saying that, but some people on the internet do question its integrity because it's free.

  • joepie91 Member, Patron Provider
    edited July 2017

    @monkeyhostgroup said:
    @ishaq not saying that, but some people on the internet do question its integrity because it's free.

    Sure, and they're wrong to do so. Unfortunately the marketing campaigns of various CAs have been very, very effective in making people believe that there are quality differences between certificate providers; in practice, there's just DV, EV, and a few other levels, and it's not going to matter what CA you use.

    Let's Encrypt provides DV certificates like pretty much every certificate vendor offers, and there's no reason whatsoever for it to be any 'less trustworthy', nor does not using them make your site any more secure. The TLS CA system is such that any CA can sign a certificate for any hostname, so long as they are a CA that's trusted by clients, regardless of what CA was used for a given hostname before.

    EDIT: Realized I forgot to address this:

    Personally, I like them, it's great for free SSL, but still poses the age-old view, if it's free what's the catch?

    There was never really a valid reason to require payment for DV certificates in the first place, CAs just did so because everybody else did, and there was money to be made. The cost of handing out a single DV certificate is absolutely negligible, and it's totally viable to offer them for free once operational costs are covered (which they are for LE, through sponsors and donations).

    Thanked by 3rm_ MasonR JahAGR
  • I would prefer a standalone cert for each domain and subdomain. It would be just as secure as other SSL.

  • I remember reading that one high profile site bought a certificate (lesser chain) to ensure the handshake didn't spill over a network packet to improve perceived speed.

  • rm_ IPv6 Advocate, Veteran
    edited July 2017

    monkeyhostgroup said: if it's free what's the catch?

    I would prefer if there'd also be a second (& third, etc.) supplier of free certs. With Let's Encrypt being the only one, it may go down sometime in the future, and with no other free options, you will have no choice other than to pay for a cert. It is impossible to migrate from HTTPS back to HTTP without having a valid cert on the HTTPS side (else your visitors will all get a big scary red screen). So you'll have to keep obtaining a cert somehow; if free options get removed, there's no choice but to pay.

    Thanked by 1ucxo
  • @joepie91 I totally agree, my message in the OP was literally just saying what others think, and getting some form of response. I totally agree with what you have said, you hit the nail on the head. I personally appreciate free over paid, as if a company is willing to do something for free then that shows they are committed.

    For me, I have looked at the security, compared it to other services and there is no difference, it is 100% as secure, it's the same strength, uses the same encryption standards, and it passes completely as a valid SSL certificate.

    I personally love Let's Encrypt and will likely make use of the wildcard SSLs when they are rolled out.

    At present I am not aware of any other free providers, and as @joepie91 rightly said, the whole idea behind CA is that they are trusted, well the community clearly trusts Let's Encrypt.

  • ljseals Member
    edited July 2017

    I use Let's Encrypt, I enjoy free certificates, but for my business I use Comodo certificates because of the length of time it allows to be active (3 years) and also other benefits such as a site seal to enhance the perception of customer trust.

    This is another hot button topic as many people believe that it has absolutely no effect whatsoever, I personally do not know, but if I was running an eCommerce site with HTTP Strict Transport Security (HSTS), I personally would not use it.

    @monkeyhostgroup Personally, I do not trust Let's Encrypt nor do I trust the CA...

    God bless you!

  • joepie91 Member, Patron Provider

    ljseals said: for my business I use Comodo certificates because of the length of time it allows to be active (3 years)

    Half the point of Let's Encrypt is to automate renewal. This actually increases the security of the certificates somewhat, as certificates with a shorter expiry more quickly become useless if the private key leaks for some reason. Given the relative lack of certificate revocation checks in software currently, this does matter.

    In other words: if the short expiry time is a problem, then you're using the wrong setup. You should have set up something that automatically renews the certificates, at which point the short expiry simply doesn't matter anymore.

    ljseals said: also other benefits such as site seal to enhance the perception of customer trust.

    SSL seals are a scam, and I'd consider it very dishonest to use them. They're absolutely meaningless.

    ljseals said: This is another hot button topic as many people believe that it has absolutely no effect whatsoever, I personally do not know, but if I was running an eCommerce site with HTTP Strict Transport Security (HSTS), I personally would not use it.

    HSTS works absolutely fine with Let's Encrypt. There is no difference there with other CAs. It's a HTTPS thing, not specific to any one CA.

    Thanked by 1ucxo
  • ljseals Member
    edited July 2017

    @Joepie91

    @joepie91 said:
    Half the point of Let's Encrypt is to automate renewal. This actually increases the security of the certificates somewhat, as certificates with a shorter expiry more quickly become useless if the private key leaks for some reason. Given the relative lack of certificate revocation checks in software currently, this does matter.

    In other words: if the short expiry time is a problem, then you're using the wrong setup. You should have set up something that automatically renews the certificates, at which point the short expiry simply doesn't matter anymore.

    Granted, you have a valid point; my issue is that the certificate will not renew, whether it is a bug in your server software, the cronjob fails, the server is down, or you are unable to receive an e-mail. Having a long duration for your certificate is easier.

    SSL seals are a scam, and I'd consider it very dishonest to use them. They're absolutely meaningless.

    Come on, they are used to enhance the perception of trust. When you click on them they give relevant information as to the benefits that you will receive from the provider if something were to go wrong. When used correctly, that can enhance your site and make it look more professional.

    HSTS works absolutely fine with Let's Encrypt. There is no difference there with other CAs. It's a HTTPS thing, not specific to any one CA.

    Yes it does, but if your certificate were to go down then your entire site will go down. So having a long certificate duration will reduce the several points of failure that Let's Encrypt adds, even if it slightly, by your words, decreases security.

  • @ljseals said:
    but if your certificate were to go down then your entire site will go down. So having a long certificate duration will reduce the several points of failure that Let's Encrypt adds, even if it slightly, by your words, decreases security.

    I would argue that it's still increased security because your site goes down, preventing insecure access. Unless you're not using HSTS and want visitors to use your site without TLS?

    Also, as a site admin one has to take some ownership and actually maintain the stuff necessary for operation. I consider making sure certificates are valid as just another thing I need to do... like applying operating system updates.

  • jackb Member, Host Rep
    edited July 2017

    @ljseals said:
    @Joepie91
    Yes it does, but if your certificate were to go down then your entire site will go down. So having a long certificate duration will reduce the several points of failure that Let's Encrypt adds, even if it slightly, by your words, decreases security.

    Which one are you more likely to automate - renewal every 3 years, or every 3 months with the tools already supplied, free?

    Automation is good. Humans miss things. In the unlikely case it fails, your cron job will retry. If it keeps failing, Let's Encrypt will email you to let you know at least twice.

    Thanked by 1joepie91
  • joepie91 Member, Patron Provider
    edited July 2017

    ljseals said: Granted, you have a valid point; my issue is that the certificate will not renew, whether it is a bug in your server software, the cronjob fails, the server is down, or you are unable to receive an e-mail. Having a long duration for your certificate is easier.

    In the unlikely event that renewal fails, you will receive a number of e-mails from Let's Encrypt to notify you of this:

    On top of that, there are third-party notification services for this kind of thing, too, if you're really paranoid. It's pretty hard to mess this up.

    ljseals said: Come on, they are used to enhance the perception of trust. When you click on them they give relevant information as to the benefits that you will receive from the provider if something were to go wrong. When used correctly, that can enhance your site and make it look more professional.

    That, to me, reads as "I have no problem lying to my customers about security they won't get", which I do not consider in any way acceptable. No amount of marketing bullshit like "enhances the perception of trust" makes up for that.

    By the way:

    the benefits that you will receive from the provider if something were to go wrong

    This translates to "nothing". The "insurance" that is included with certificates is phrased in such a way that it will essentially never cover anything ever. It, too, is a scam.

    ljseals said: Yes it does, but if your certificate were to go down then your entire site will go down.

    Yes, that's the point. It prevents downgrade attacks by enforcing that. You can't both prevent downgrade attacks and still allow HTTP access.

    Certificates don't "go down", by the way. They are served independently by your server, and do not rely on third-party infrastructure. You're only reliant on a third party for the renewal.

    ljseals said: So having a long certificate duration will reduce the several points of failure that Let's encrypt adds

    Let's Encrypt does not "add" any points of failure. It's the same amount of points of failure as with any other CA. You just renew more frequently.

    Thanked by 1Aidan
  • Zerpy Member

    @joepie91 said:
    Certificates don't "go down", by the way. They are served independently by your server, and do not rely on third-party infrastructure. You're only reliant on a third party for the renewal.

    If your webserver isn't configured with sane timeouts for OCSP - then sure - you can actually get timeouts in browsers and/or end up with so many stuck OCSP connections that your webserver runs out of connections.

    It was not long ago that OCSP went completely down at Let's Encrypt, actually causing major issues for a bunch of webhosting providers around the world. (cPanel default OCSP settings will cause issues on high traffic servers.)

    ... and OCSP is pretty much third-party infrastructure.
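The stapling failure mode described in the post above comes from the web server fetching the OCSP response itself: in Apache httpd's mod_ssl the fetch happens during the TLS handshake whenever the stapling cache has no fresh entry, so a slow or unreachable responder holds a worker for the full responder timeout on every such handshake, and under load that is how connections pile up. (nginx, by contrast, fetches OCSP responses in the background and simply serves without a staple until one arrives.) The following is an added configuration example, not taken from the page, from cPanel or from Let's Encrypt; it assumes Apache httpd 2.4 with mod_ssl and shows the default-equivalent settings beside a hardened variant. Use one of the two `<VirtualHost>` blocks, not both; `SSLStaplingCache` must sit once at server level.

```apache
# Added example (not from the page): Apache 2.4 mod_ssl OCSP stapling.
# Shared, server-level stapling cache (required for SSLUseStapling).
SSLStaplingCache "shmcb:logs/ssl_stapling(131072)"

# --- Alternative A: stapling with the defaults spelled out -----------------
# A cold-cache handshake blocks the worker for up to 10 seconds while httpd
# talks to the responder, and an error or "tryLater" response is stapled to
# the client instead of being dropped.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLUseStapling on
    SSLStaplingResponderTimeout 10
    SSLStaplingReturnResponderErrors on
    SSLStaplingFakeTryLater on
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout 600
</VirtualHost>

# --- Alternative B: fail open to "no staple" rather than stalling ---------
# A short responder timeout bounds how long a worker can be held, errors are
# never stapled (the client falls back to its own revocation behaviour), a
# good response is reused for an hour, and a failed fetch is remembered for
# ten minutes so the responder is not hammered on every handshake.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLUseStapling on
    SSLStaplingResponderTimeout 3
    SSLStaplingReturnResponderErrors off
    SSLStaplingFakeTryLater off
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout 600
</VirtualHost>
```

The trade-off in alternative B is deliberate: a missing staple costs a little client-side latency on revocation checking, whereas a stalled worker pool takes the whole site down, which is exactly the outage the post describes. The hostname `example.test` is a constructed placeholder.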

  • ljseals Member
    edited July 2017

    @joepie91

    Okay you have several valid points, but I still will not use it on an eCommerce website with HTTP Strict Transport Security (HSTS).

    Each renewal of Let's Encrypt can be a potential point of failure from a system admin's perspective, you understand this.

    The issue whether placing a site seal on your site is dishonest or an outright lie is pretty extreme. While the company will try their best in order to defend against potential liability I do not believe that this is dishonest to have on an eCommerce website. While it does provide little to no benefit in terms of security, I believe customers would like to see it. That is why I said the "perception of trust."

    God bless you!

  • jackb Member, Host Rep
    edited July 2017

    @ljseals said:
    @joepie91

    Okay you have several valid points, but I still will not use it on an eCommerce website with HTTP Strict Transport Security (HSTS).

    Each renewal of Let's Encrypt can be a potential point of failure from a system admin's perspective, you understand this.

    The issue whether placing a site seal on your site is dishonest or an outright lie is pretty extreme. While the company will try their best in order to defend against potential liability I do not believe that this is dishonest to have on an eCommerce website. While it does provide little to no benefit in terms of security, I believe customers would like to see it. That is why I said the "perception of trust."

    God bless you!

    Most people have just been trained to look for the lock. There's little point in propagating the myth that paid DV certs are better than free DV certs.

    EV in some cases provides some significant benefits. But, is your site a bank? If not, it is worth considering whether the extra man hours are worth the time, given that unless your customers know what should be shown in the organisation label, it'll be no more benefit than a placebo over DV.

  • joepie91 Member, Patron Provider
    edited July 2017

    ljseals said: Each renewal of Let's Encrypt can be a potential point of failure from a system admin's perspective, you understand this.

    Theoretically? Yes, it could be an issue. In practice? No, it won't be. Between your cronjobs (you do have reporting set up for failed system tasks, right?), Let's Encrypt's e-mail notifications, and optional third-party certificate monitoring, the chance of this causing an issue is essentially nil.

    And if Let's Encrypt really does go down, and it really does stay down for so long that there's no chance it'll recover in time for your renewal, then what's to stop you from manually purchasing a certificate from another vendor?

    There's really no excuse here, it's not a realistic availability issue. Not for an e-commerce site, either. It all comes down to how diligent you are as a system administrator.

    ljseals said: The issue whether placing a site seal on your site is dishonest or an outright lie is pretty extreme. While the company will try their best in order to defend against potential liability I do not believe that this is dishonest to have on an eCommerce website. While it does provide little to no benefit in terms of security, I believe customers would like to see it. That is why I said the "perception of trust."

    It suggests special security. It is used with the intention to do so. It does not provide special security. That is dishonest, because the claims/implications do not match the service provided. This is not rocket science.

    And I really don't consider it "extreme" to call out dishonest marketing towards customers, not in the slightest. I'd consider it more extreme to present this as something completely normal and wave it away as "it's just about making us look more trustworthy". Which, ironically, is precisely what you are not when you lie to your customers.

    EDIT: I guess this can be phrased more succinctly as: If you need to make yourself look more trustworthy, that probably means you weren't very trustworthy to begin with.
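Two threads of the discussion above, the point that short-lived certificates only help if renewal is automated and monitored, and the point that a failed cronjob should be reported rather than discovered by an expired certificate, come down to the same operational check: look at the certificate the server actually serves and raise an alert well before it expires. The following is an added example written for this page; it is not Let's Encrypt's or certbot's code. It assumes the openssl command-line tool is installed and uses a 30-day renewal window, matching the renew-early cadence usually paired with 90-day certificates (the threshold itself is an assumption). It returns a non-zero exit status whenever the certificate needs attention, so it can run from cron or a monitoring agent that reports on failing tasks.

```shell
#!/bin/sh
# Added example (not Let's Encrypt's or certbot's code): a certificate
# expiry watchdog for automated-renewal setups. Requires the openssl CLI.

# Assumed policy: treat a certificate as needing renewal this many days
# before it expires.
RENEW_WINDOW_DAYS=30

# Returns 0 if the certificate file in $1 expires within $2 days (or is
# already expired, or cannot be read), 1 if it stays valid beyond that window.
# An unreadable file counts as "expiring" so that a broken deployment raises
# an alert instead of silently passing.
cert_expires_within() {
    cert=$1
    days=$2
    [ -r "$cert" ] || return 0
    # openssl x509 -checkend N exits 0 when the certificate is still valid
    # N seconds from now, 1 when it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints a one-line status for the human reading the alert and returns 0 only
# when no action is needed.
check_cert() {
    cert=$1
    not_after=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    if cert_expires_within "$cert" "$RENEW_WINDOW_DAYS"; then
        echo "RENEW NOW: $cert expires ${not_after:-unknown} (inside the ${RENEW_WINDOW_DAYS}-day window)"
        return 1
    fi
    echo "ok: $cert expires $not_after"
    return 0
}

# Creates a self-signed test certificate at $1 valid for $2 days. This is
# constructed input for trying the check offline; a real deployment points
# check_cert at the chain file the web server serves.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Stand-alone usage: ./certwatch.sh /etc/ssl/fullchain.pem [more.pem ...]
# Exits non-zero if any certificate is inside the renewal window.
if [ $# -gt 0 ]; then
    status=0
    for c in "$@"; do
        check_cert "$c" || status=1
    done
    exit $status
fi
```

Run it from the same cron schedule as the renewal job, and let the task scheduler's failure reporting carry the non-zero exit status; the check is independent of the CA, so it works unchanged with a 90-day or a multi-year certificate.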

  • You might have a higher chance to forget to renew the certificate 3 years later because, you already forgot it, didn't you?

  • WebProject Host Rep, Veteran

    monkeyhostgroup said: Degraded performance, not as secure as the big players?

    No difference, except you are paying for the same root certificate / domain name validated.

  • I think I agree with points made above by other users, that if Let's Encrypt goes, you are a bit screwed because the trust element disappears, so I agree that I would like to see more free providers out there to allow you to very quickly reinstate a new SSL certificate to avoid downtime.

This discussion has been closed.