I would. That's the same price as a year of hosting an entire VPS instance with 1TB bandwidth a month, 40GB SSD storage, and 512MB of RAM. And for what? A completely automated process that loads a page on your site, verifies a META tag is present, runs an openssl command, and prints the output to a webpage for you.
So for that $50, you can double all the specs on your server, or get a little green lock in your URL bar. And don't forget, we're not all in the US. I know a guy in Venezuela that doesn't have $50 USD to spend on an SSL certificate.
I understand it costs money to run a CA. But if Let's Encrypt can run one for free, then surely so can Google, if they're so gung-ho on 100% of the web being over HTTPS. If you want that to be a reality too, you need to back free wildcard certificates. Otherwise you'll never be able to deprecate HTTP.
You're absolutely right. I'm surprised nobody here seems to care. I guess HN is popular with techies who have root access on their servers, or people who run commercial sites.
What happened to the hobby / non-profit apps, blogs and forums that fill 90% of the web and my bookmarks? All of them have a login form somewhere. Tons of people already use secondary emails or throwaway emails, but these site owners now have to pay for SSL, or have to upgrade their shared hosting to "business" or the like to get SSL included, or pay extra fees to install SSL.
If all they do is look for a password field, that means pretty much any phpBB or WordPress blog out there is de facto "insecure", and the owners of those sites now need to find a way to get SSL on their (most likely) shared hosting. Mine is not free at all: it requires "installation" fees, plus a "dedicated IP", so in the end it costs nearly as much as just buying their SSL package.
At this point though it's very unclear how Google will find those "insecure" password fields. Does it honor nofollow? Because last time I heard, it's not useful to get a login form page indexed anyway.
I'm going to get skewered alive for saying this, and I do believe their intentions were noble, but I honestly think Let's Encrypt has done a lot more harm than good.
It's completely deflated the opposition to the CA racket, but not given a comprehensive alternative.
There are servers that can't run certbot for a variety of reasons (including administrator policies that the people running the webservers can't control). The 90-day expiration is the most arduous of any CA out there, by far. Not only are there no wildcards, but there are strict limits on the number of subdomains you can register per week.
And if you don't like it ... too bad. There are zero free alternatives.
Most of us are hackers and can work around these limitations, but not everyone can. You can't expect most people to set up certbot, let alone write their own version. You can't expect them to build some system that automatically batches and registers new subdomains and maintains all those certificates.
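As an added illustration of what the comment above means by "a system that automatically batches and registers new subdomains and maintains all those certificates" (example code written for this page, not anything the commenter or Let's Encrypt/certbot published): the sketch below packs hostnames into multi-SAN certificates per registered domain, works out how many weekly windows a rollout needs under a per-domain weekly cap, and decides which certificates are due for renewal on a 90-day lifetime. The cap values, the renewal threshold and the sample hostnames are assumed stand-ins; the real limits have changed over time and should be read from the CA's current rate-limit page.

```python
"""Plan bulk SAN-certificate issuance and renewal for many subdomains.

Added example, not code from any commenter or from Let's Encrypt/certbot.
The rate-limit numbers are ASSUMED stand-ins for limits of the kind the
comment describes (a cap on names per certificate and on certificates per
registered domain per week); check the CA's current published limits.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

NAMES_PER_CERT = 100              # assumed: max SAN entries on one certificate
CERTS_PER_DOMAIN_PER_WEEK = 50    # assumed: new certs per registered domain per week
CERT_LIFETIME_DAYS = 90           # the 90-day lifetime the thread is discussing
RENEW_WHEN_DAYS_LEFT = 30         # assumed renewal threshold


def registered_domain(hostname: str) -> str:
    """Apex domain a hostname counts against for the weekly cap.

    Simplification: keeps the last two labels, which is wrong for multi-label
    public suffixes such as co.uk; real code should use the Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class IssuancePlan:
    batches: list   # one list of hostnames per certificate to request
    weeks: int      # weekly windows needed to issue every batch under the cap


def plan_issuance(hostnames, names_per_cert=NAMES_PER_CERT,
                  certs_per_week=CERTS_PER_DOMAIN_PER_WEEK):
    """Pack hostnames into SAN batches per registered domain and compute how
    many weeks the rollout takes under the per-domain weekly certificate cap."""
    by_domain = {}
    for host in sorted(set(hostnames)):          # dedupe; stable, predictable batches
        by_domain.setdefault(registered_domain(host), []).append(host)
    plans = {}
    for domain, names in by_domain.items():
        batches = [names[i:i + names_per_cert]
                   for i in range(0, len(names), names_per_cert)]
        plans[domain] = IssuancePlan(batches, max(1, ceil(len(batches) / certs_per_week)))
    return plans


def needs_renewal(not_before: date, today: date,
                  lifetime_days=CERT_LIFETIME_DAYS,
                  renew_when_days_left=RENEW_WHEN_DAYS_LEFT) -> bool:
    """True once a certificate issued on not_before has at most
    renew_when_days_left days of validity left (or has already expired)."""
    not_after = not_before + timedelta(days=lifetime_days)
    return (not_after - today).days <= renew_when_days_left


def renewals_due(issued: dict, today: date):
    """Given {hostname: issue_date}, return the hostnames that must be renewed."""
    return sorted(h for h, d in issued.items() if needs_renewal(d, today))


# Constructed sample data (assumed names, not real hosts): a forum with 250
# per-user subdomains plus two unrelated sites, and two issue dates.
SAMPLE_HOSTS = ([f"user{i}.forum.example.org" for i in range(250)]
                + ["www.example.org", "blog.example.net"])
SAMPLE_ISSUED = {"www.example.org": date(2017, 1, 1),
                 "blog.example.net": date(2017, 2, 20)}
SAMPLE_TODAY = date(2017, 3, 5)

if __name__ == "__main__":
    for domain, plan in plan_issuance(SAMPLE_HOSTS).items():
        print(f"{domain}: {len(plan.batches)} certificate(s) over {plan.weeks} week(s)")
    print("renew now:", renewals_due(SAMPLE_ISSUED, SAMPLE_TODAY))
```

Two things the numbers make visible: with 100 names per certificate and 50 certificates per week, a single registered domain can onboard at most 5,000 new names in a week, so 6,000 user subdomains take two windows; and on a 90-day lifetime with a 30-day threshold, every certificate comes back for renewal roughly every 60 days, which is the part that has to be automated rather than done by hand. Whether renewals count against the weekly cap depends on the CA's current rules; this example only counts fresh issuance.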
> I guess HN is popular with techies who have root access on their servers
That's a lot of it as well. I'd go so far as to say the majority of internet sites out there (by number, not by traffic volume) are little commodity hosting firms that give you a web GUI version of an FTP client, and maybe if you're lucky charge you $10-20 a month for SSL as a checkbox feature in the payment options.
> At this point though it's very unclear how Google will find those "insecure" password fields.
It will probably just look for <input type=password> and if that exists, show the "Not Secure" message.
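An added example of the heuristic the comment above guesses at (code written for this page, not Chrome's implementation and not anything a commenter posted): a static scanner that parses a page's HTML, finds every `<input type=password>`, and flags it when the page itself is served over http. It generalises the guess slightly by also flagging an https page whose login form posts to an http:// action, since the credentials cross the wire in cleartext either way. The sample pages and URLs are constructed for the example.

```python
"""Static check for password fields served over plain HTTP.

Added example, not Chrome's implementation or any commenter's code. Besides
the heuristic in the comment (password input on an http:// page) it also
flags an https page whose form action is an http:// URL. Sample pages below
are constructed, not fetched from anywhere.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFieldScanner(HTMLParser):
    """Collect (field name, submit target URL) for every <input type=password>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form_action = None   # resolved action of the enclosing <form>, if any
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # HTMLParser lowercases tag and attribute names
        if tag == "form":
            # A relative or missing action resolves against the page URL.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "text").lower() == "password":
            self.fields.append((a.get("name"), self._form_action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def scan_page(page_url, html):
    """Return a list of (issue, field_name) for password inputs that sit on an
    http:// page or whose form submits to an http:// target."""
    scanner = _PasswordFieldScanner(page_url)
    scanner.feed(html)
    scanner.close()
    issues = []
    page_is_plain = urlsplit(page_url).scheme == "http"
    for name, target in scanner.fields:
        if page_is_plain:
            issues.append(("password field on http page", name))
        elif urlsplit(target).scheme == "http":
            issues.append(("password form submits over http", name))
    return issues


# Constructed sample pages (assumed URLs and markup, not real sites).
SAMPLE_PAGES = {
    "http://forum.example.org/login.php": (
        '<form method="post" action="login.php?mode=login">'
        '<input type="text" name="username">'
        '<input type="PASSWORD" name="password">'   # attribute values keep their case
        '</form>'),
    "https://blog.example.net/wp-login.php": (
        '<form method="post" action="http://blog.example.net/wp-login.php">'
        '<input type="text" name="log"><input type="password" name="pwd"></form>'),
    "https://app.example.com/signin": (
        '<form method="post" action="/session">'
        '<input type="email" name="email"><input type="password" name="secret"></form>'),
    "http://static.example.org/about.html": "<p>No login here.</p>",
}


def audit(pages=SAMPLE_PAGES):
    """Scan every page and return {url: issues} for the pages with findings."""
    results = {url: scan_page(url, html) for url, html in pages.items()}
    return {url: issues for url, issues in results.items() if issues}


if __name__ == "__main__":
    for url, issues in audit().items():
        for issue, field in issues:
            print(f"{url}: {issue} (field {field!r})")
```

Two caveats for anyone using this to audit their own hosting: a browser evaluates the live DOM, so a password field that a script injects after load is invisible to a static scan like this one, and a plain http page with no password field (the about page above) passes even though everything else on it is still unauthenticated.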
If you're running a commercial entity and $50/year is a problem for you, then I'd suggest that your business may have its challenges. Obviously it is (in most cases) possible to automate the cert creation process using Let's Encrypt for free, so it's a trade-off on whether the time it takes to do that is worth more or less than the $50 it'd cost to purchase a wildcard cert.
As to the compute power you can buy for that, it could be that this says more about the cheapness of compute power than it does about the expense of SSL certs.
As to Let's Encrypt running for free, well, the post I was referring to indicated they didn't want to go that route. Also, you do know they're actively soliciting donations at the moment because, guess what, you can't run a CA for free...
Making the web open only to commercial entities is a huge problem by itself. I definitely would not want to make that a premise or assumption to participate in the Internet as an equal player.
I'm not. I'm running byuu.org without any ads, and without selling any products. I used to spend about 60 hours a week coding, nowadays it's more like 20 hours a week, and recoup only the occasional donation or licensing agreement (they reach out to me) for my software. If you were to weigh it against the hours I've put into things, I'm earning about $0.60 an hour for my work. And if you consider my own personal expenses on my projects, I'm at about -$30,000 in total. But I have fun doing it (occasional trolling aside), so it's worth the cost.
I wasn't willing to accept the Let's Encrypt limitations, and so I paid for a three-year AlphaSSL wildcard certificate for ... I believe $132 or so.
> As to the compute power you can buy for that, it could be that says more about the cheapness of compute power than it does about the expense of SSL certs.
Not really. There is absolutely no reason it should cost $5 to run openssl with a SAN of "www.byuu.org" and $50 to run openssl with a SAN of "*.byuu.org" -- the verification process is 100% identical for both.
That is 100% pure, unadulterated greed. They charge that rate because they can.
> because, guess what, you can't run a CA for free...
I know, the auditing fees are obscenely expensive and required every six months.
Google could afford it if they want the web to be 100% HTTPS. It wouldn't even be a drop in the bucket for them. It'd be a fraction of a sliver of a drop.