Comments
The difference is in your wallet
Wut?
I personally use free Cloudflare origin DV certificates; they can renew for 15 years.
I have a Pelican Panel that uses Let's Encrypt, but the certificate update is automagic in the panel.
Cloudflare origin certificates require you to have your site under their proxy.
Some people, for some reason or in order for a service to work, probably disable proxying.
Practically, DV/OV/EV is a thing of the past decade. In 2025, if not sure, always use Let's Encrypt or similar providers.
Also keep in mind the max renewal period will be changed from ~1y (or 398d) to only 47 days soon:
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
SSL certificate authorities aim to increase their profits, but the downside is that it has become more expensive for regular users to buy SSL certificates.
There's a tool called certbot that helps manage Let's Encrypt SSL certificates. It's available directly from the Ubuntu apt repositories.
It handles downloading the certificates, updating your web server config to use them, and renewing them automatically.
I used to buy cheap Comodo/Sectigo certificates from ssls.com, but with Let’s Encrypt and certbot, I don’t see any reason to do that anymore.
Yeah, make your own cert to install in a corpo env and you are fired. Free SSL is for those who can't afford paid ones. Is the gimmick with the insurance of SSL still a thing?
I use Let's Encrypt because it provides free, automated, and open-source SSL certificates, making it an excellent choice for securing websites without additional costs. While DV, OV, and EV SSLs offer different levels of validation, Let's Encrypt is sufficient for most use cases, including securing personal and business websites. For me, it’s a practical and reliable solution that ensures encrypted connections without the complexities of purchasing and managing paid SSLs.
Compared to paid SSLs, Let's Encrypt offers basic Domain Validation (DV), which is enough for encryption but does not provide additional verification of the website’s legitimacy. Paid SSLs, like Organizational Validation (OV) and Extended Validation (EV), require verification of the business or organization behind the website, making them more trustworthy for e-commerce or financial transactions. Paid certificates also last longer, usually up to three years, while Let's Encrypt requires renewal every 90 days. Additionally, EV SSLs include warranties and security guarantees that free certificates do not provide, making them better suited for businesses that handle sensitive data.
just imho
Yeah, indeed that makes it a pain for companies who have to buy SSL certs, having to come up with some automation to renew the cert monthly in the near future. Before this they just had to do it once a year...
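For the automation the two posts above are talking about (47-day lifetimes and renewing before they run out), here is an added example of the decision step, not code from the thread or from certbot. It uses only the openssl CLI; the certificate it checks is a throwaway self-signed one with a constructed placeholder name, and the "renew when a third of the lifetime is left" rule is the rule of thumb certbot applies to 90-day certificates, carried over to 47-day ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Uses only the openssl CLI.
set -eu

# renew_due CERT_FILE LEAD_DAYS
# Prints "renew" if CERT_FILE expires within LEAD_DAYS days (or is already
# expired or unreadable), otherwise "ok". openssl's -checkend exits 0 only
# while the certificate stays valid for the whole window.
renew_due() {
    cert="$1"
    lead_seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$cert" -noout -checkend "$lead_seconds" >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# lead_days_for LIFETIME_DAYS
# Rule of thumb certbot uses for 90-day certificates: renew when a third of
# the lifetime is left. For 47-day certificates that is about 15 days.
lead_days_for() {
    echo $(( $1 / 3 ))
}

# make_test_cert OUT_DIR DAYS
# Throwaway self-signed certificate for local testing only (the CN is a
# constructed placeholder); real certificates come from the CA.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days "$2" \
        -subj "/CN=renewal-check.test" >/dev/null 2>&1
}

# Stand-alone demonstration: a fresh 47-day certificate checked with the
# matching lead time, then one that has only 5 days left.
main() {
    work=$(mktemp -d)
    lead=$(lead_days_for 47)
    mkdir "$work/fresh" "$work/stale"
    make_test_cert "$work/fresh" 47
    make_test_cert "$work/stale" 5
    echo "lead time: $lead days"
    echo "47-day cert: $(renew_due "$work/fresh/cert.pem" "$lead")"
    echo "5-day cert:  $(renew_due "$work/stale/cert.pem" "$lead")"
    rm -rf "$work"
}
main
```

Drop `renew_due` into a daily cron or systemd timer and only trigger the real ACME client when it prints `renew`; an unreadable or missing certificate file also yields `renew`, so a broken deployment gets noticed instead of silently expiring.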
Do you really think a $4 PositiveSSL certificate offers better protection - or impresses anyone? SSL is a protocol.
That said, if you’re in a corporate environment with established policies, then of course it makes sense to follow them.
I did and do, for business purposes (only); for private sites and the like I use letsencrap "certificates". Simple reason: why do we need TLS everywhere, even on public sites anyway, with no sensible secret info, no exchange of money stuff? Because of the brain-dead "TLS everywhere!!!" crowd - no other reason. So, for that stupid pro-forma game letsencrap is bloody good enough.
And of bloody course hardly anyone wonders why suddenly they began to throw free "certificates" at anyone who didn't run away fast enough ... Let me put it like this: if I were a regime and wanted to have nearly everyone and their dogs at the balls, I'd throw something that used to cost lots of money for free at them + I'd start a sakkurity orgy ("httpS everywhere!!!") and at the same time push the - very few! - browser and engine builders to join the sakkurity orgy and to have their stuff refuse to connect to any site that didn't join the sakkurity orgy.
And then, once everybody joined my "sakkurity for everybody" games, I'd begin to tighten the noose, e.g. by forcing them to more frequently provide info and renew their sakkurity games membership.
Oh, and: thanks, Apple for yet another huge pile of crap! But then, what else was to be expected by them ...
TL;DR do not trust TLS or any of the major players!
(and now feel free to show your obedient membership by ridiculing me and mentioning "tinfoil hat" and the like ...)
I was thinking the same years ago, in the sense that TLS could be just to make sure two entities (client <-> server) have a protected connection; why should we have a weird trust store for that and ignore any self-signed certificate?
Also it kinda didn't make sense because you just got a generated private key from their server (SSL provider) instead of from your own side.
Nope, you never get - or at least shouldn't get - a private key from any outside entity, be that a SSL provider, CA, hosting provider, or whatever! NEVER.
YOU - and only you yourself - create private keys ... and in fact public keys as well! All a CA does - and should do - is to "sign" the public key and to certify that it's your domains key.
It's understandable though that this might be misunderstood, as from an end-user's perspective 'acme' (and similar tools) seem to automagically do everything, which (mis)leads some to think that they get their keys from letsencrap, which however is not the case; the keys get created locally by acme and then, based on the public key, acme creates and sends a 'certificate request' and finally gets a certificate.
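The local half of that flow, as an added example that is not from the thread and not acme.sh's or certbot's own code: the private key is generated on your machine, the CSR built from it carries only the public key and the requested name, and the checks at the end show what does and does not end up in the file that goes to the CA. It uses the openssl CLI directly (`-addext` needs OpenSSL 1.1.1 or newer); `example.test` is a constructed placeholder domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh/certbot. It uses the
# openssl CLI directly (-addext needs OpenSSL 1.1.1 or newer) to show the part
# of the flow that happens on your own machine.
set -eu

# make_key_and_csr OUT_DIR DOMAIN
# Writes OUT_DIR/privkey.pem (stays here, never sent anywhere) and
# OUT_DIR/request.csr (public key + requested name, signed with the private
# key to prove possession; this is the only thing the CA receives).
make_key_and_csr() {
    dir="$1"
    domain="$2"
    # Subshell so the restrictive umask only applies to the key file.
    ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/privkey.pem" 2>/dev/null )
    openssl req -new -key "$dir/privkey.pem" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
        -out "$dir/request.csr" 2>/dev/null
}

# csr_is_valid CSR: true if the CSR's self-signature verifies
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# file_has_private_key FILE: true if a PEM private-key block is present.
# Expected true for privkey.pem and false for the CSR.
file_has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# key_matches_csr KEY CSR: true if the public key inside the CSR is the one
# derived from the local private key (what the CA will later certify)
key_matches_csr() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Stand-alone demonstration with a constructed placeholder domain.
main() {
    work=$(mktemp -d)
    make_key_and_csr "$work" example.test
    echo "CSR subject: $(openssl req -in "$work/request.csr" -noout -subject)"
    echo "CSR verifies: $(csr_is_valid "$work/request.csr" && echo yes || echo no)"
    echo "CSR contains a private key: $(file_has_private_key "$work/request.csr" && echo yes || echo no)"
    echo "key matches CSR: $(key_matches_csr "$work/privkey.pem" "$work/request.csr" && echo yes || echo no)"
    rm -rf "$work"
}
main
```

`key_matches_csr` is also the check to run when a CA hands back a certificate: compare the public key in the issued cert (`openssl x509 -noout -pubkey`) against your local key the same way, and a mismatch means the certificate is not for the key you hold.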
Can you elaborate why TLS, the protocol, is not trustworthy? I get the mistrust in big corpo, but in a protocol?
There is no good reason not to have an encrypted connection between server and client. We have the tech, we can use it.
You have to accept terms to get a cert from letsencrypt, and because of that and a missing European representative, letsencrypt got blacklisted by our legal department, blocking its usage.
So not the free part but being a US entity is problematic.
Seen from that perspective (yours), probably not.
Or wait, how about SSL/TLS being plagued by (at least implementation) problems pretty much from day one? Or how about using TLS for non-sensitive, plain Joe public websites being very wasteful and in fact usable as a DDOS vector? Or how about hundreds of thousands of successful attacks each and every day although pretty much everything on the internet nowadays does use SSL/TLS? Which btw. also is a very major force in misleading people to feel secure when actually they are everything but.
You see, even if one assumed TLS per se to be perfectly secure, that would exclude only one - of many - attack vectors, and not even the most significant one. To make it worse, the "TLS everywhere and you're safe and secure!!!" horde cult also leads to even sloppier software because "why should I care? Just slap on TLS and, bang, it's safe!".
Plus, evidently, some technology, at least in theory(!) not known to be insecure != that technology is secure.
To provide a (very close by) example: I once (looking at the source code) found a major (as in it'd kill it) but very tiny error in the official code of an AEAD algorithm which was a finalist of an official global competition (and now is widely used).
Plus, very obviously, the NSA has been found multiple times with their dirty fingers in the cookie jar (intentionally weakening algorithms) and fucking the (very willingly bending over) NIST. In fact, I advise to whenever possible avoid NIST "sanctioned" (or de facto enforced) algorithms.
Btw, reading Prof. Bernstein's papers very strongly suggests that the NSA still and currently is playing their dirty games ...
Yep, that is another factor in major parts of the world.
Thank you ChatGPT slop.
There was a time when I was new to this website hosting thing; I noticed websites with https:// URLs looked cool on Opera Mini (Android 4 times) because it showed https:// + a lock icon in the address bar. For normal websites, there was only domain/path, not http://. So I bought a comodo(?) DV SSL for my website just to look cool.
Now I just use Let's Encrypt. I am currently using https://github.com/gregtwallace/certwarden to issue certificates and some bash scripts to distribute those certificates to all my idling and few production servers. Instead of issuing a dedicated cert for every subdomain or every server, I just issue a single wildcard certificate.
Long, long ago those small mom-and-pop sites selling handwoven socks from their living room were forced to pay $200-300 for the certs to satisfy their payment gateway requirements. Then letsencrypt came, making SSL accessible for everyone; no need to pay an arm and a leg anymore. Wear your tinfoil however thick you want, but those people are the legends.
For $2.5 I get a whole year of SSL cert protection, so I don't need to open my IP to the whole world and wait for letsencrypt to renew it every 3 months. I feel secure and calm with the first alternative.
There's also DNS validation and another verification method that doesn't require LE to know your server's IP address.
The free SSL from Let's Encrypt is just fine for most use cases.
Large corps tend to use OV SSL (like the other comment mentioned, the difference is in your wallet).
The only place OV SSL is actually useful is on banking websites, e-commerce websites, etc., where day-to-day transactions are common. At least, this is what I feel like.
It looks like I missed out on the CSR stuff; it looks like I need to learn more about it.
Where do you get one for $2.50 a year?
At ssls.com there used to be a 70% discount occasionally, but now with 63% it's $14.75 for 5 years.
I think it's ignorant to say "public things don't need SSL." If you're downloading a file, let's say an OS ISO, obviously you don't want it tampered with along the way. You wouldn't even be able to trust the sha256 hash on the website to verify your ISO because it too could be tampered with along the way. I don't know exactly how common MITM attacks are (other than on openly public networks like coffee shop WiFi), but I think it's short-sighted to say that SSL is only needed to protect passwords and bank accounts.
Now whether you trust the root certificate authority that underpins LE and that the US government won’t be able to backdoor decrypt every LE certificate, those are valid concerns, but most hobbyist websites and mom and pop businesses don’t care much about those. They just want something to encrypt passwords, payment information, and have their content delivered securely.
free windows IV code signing when