"Let’s Encrypt is currently used by more than 280 million websites,
issuing between two and three million certificates per day. I often
think about how we got here, looking for some nugget of wisdom that
might be useful to others."
I guess it's keep trying. Keep patiently explaining, educating and
building.
I remember people saying "You'll never be able to topple the certs
racket" - and here we are... in a age where every day I read about how
we'll 'never' be able to break the big-tech stranglehold and build a
distributed network owned by the people, 'never' have privacy and real
end-to-end encryption because 'nobody cares', 'never' have practical
p2p digital currencies of our own, and where we'll never have open,
verifiable hardware. Keep believing.
Let's Encrypt was the reason I moved 8 websites to self-hosted nginx servers, because my old hoster wanted 10 Euros a month (!) per SSL certificate, despite charging a lot for that slow apache webspace already.
Even ignoring the money moving away from there was worth it. There is so much more control over my software on my own instances. I can do actual backups for free. Of course it is more work and needs more attention, but not a lot more
What alternatives are there to get cheap easy SSL certificates?
Let's Encrypt has no competition because Let's Encrypt needs no competition: it works, it's cheap, and competitors can't really provide any advantages for its target audience (mostly people who just want a cert).
The major cloud providers have options for free certs: Amazon and Google run CAs, and Azure has an option for free certs from Digicert. Amazon and Azure both work with their services. Google just announced they’re supporting the same ACME protocol that Lets Encrypt uses too!
It is somewhat important for Let’s Encrypt to have competition: For reliability it is good to have alternatives with no shared infrastructure. If Let’s Encrypt ever becomes untrustworthy (and as a LE employee, I hope that never happens!) there must be alternatives so the root programs have the option to remove the Let’s Encrypt root. And there’s many geopolitical concerns too.
It’s not even a competition. Every customer increases costs to provide the service. More people handling the load of signing keys means less cost for a public service. It’s a shared ecosystem of trust. Yes, you can make the argument that too many CAs is untrustworthy, I would agree. But there is a reliability and availability argument, both security objectives, to having alternatives. There is probably an optimal point between redundancy and too many cooks.
> Let's Encrypt has no competition because Let's Encrypt needs no competition
I love Let's Encrypt! Truly good work for the benefit of humanity.
Still. Everything needs competition. Any single organization amassing too much influence is always a bad thing, no matter how benevolent the organization.
Some people care in the intelligence community ;)
It's better to have LetsEncrypt and CloudFlare in the loop to protect national interests and fight against maliciouses actors.
The main thing I'm thankful for Let's Encrypt for is breaking the idea that an SSL-secured website is somehow magically less likely to be phishing or even anything but claiming it's the data from the domain you connected to, without changes.
Mainly this was propagated by EV cert sellers, but it was all kinda silly.
Let's Encrypt's own community forums get posts every day from people saying, wait, I got scammed/ phished/ whatever on this site, it has your certificate, shouldn't you shut it down? They do have a page to link those enquiries to, explaining the policy (and indeed they even have standard legal briefs because periodically lawyers get the same idea and a court has to be told why that's wrong).
It would be interesting to know if, say, US citizens write to the Department of State saying hey, revoke this guy's passport, I heard he ripped off somebody on Craig's List...
It's frustrating because certificate revocation doesn't even really work, since most browsers don't check for it due to the various performance/privacy issues it causes. (OCSP stapling doesn't help here, because a scammer just won't use it.)
At best Let's Encrypt could revoke the cert and block them from getting a new one, but then the scam site is still good to go for 90 days. I doubt most phishing sites even last that long.
What does work, and relatively quickly, is having the web host shut down the site (basically instant), having the registrar revoke the domain (takes effect as soon as DNS caches start expiring) or adding it to the various phishing site lists used by browsers. (Not sure how often those update, I assume at least daily.)
I hope that the misguided people asking LE to shut down the domain are at least trying to contact the web host, registrar, and the safe browsing list people before hassling the (mostly volunteer) folks on the LE forums.
> Mainly this was propagated by EV cert sellers, but it was all kinda silly.
I feel like it really started back in early(ish) days of online shopping. I remember "never enter your credit card details without looking for the lock icon" being drilled into people.
EV certs definitely took this idea farther, especially as domain-validated certs became more common & cheaper.
That idea is unfortunately alive and well. Many organizations require it, much like they require 90-day password rotation and other questionable security standards.
Some password managers have automation to change passwords, but it's... janky. I think they've manually implemented stuff for some sites (and it works for some sites and managers, not all sites).
From the context I'm going to guess that this isn't a pithy version of a nuanced take on the larger problem here but just your first instinctive reaction. Here's how we got here in two related but distinct elements
A. Why PKIX certificates expire, and why the policy in the Web PKI today is that they must expire in about a year (maximum 398 days)
The certificate binds a public key (and thus the associated private key which only one entity should have) to one or more names, typically DNS names. The issuing certificate authority says you should trust that this name is controlled by whoever has this key.
The CA confirmed (today, using one of more of the Ten Blessed Methods) that this is true when they issued it, or in some cases, within some specified period up to that point. But just because it was true then, doesn't mean it's true now. As time passes our confidence in this should reasonably wane.
Historically these certificates lasted 5 years or even more (Chrome assumes that certificates which pre-date formal policy expired after no more than 10 years). That's a long time, it's long enough for a domain to be registered for a legitimate purpose, used for a while with a certificate, given up and not renewed, a new owner takes the domain, they sell it after a while, and their buyer still has to worry that the first certificate from years ago is still valid and might be out there. Not great. How many domains do you control whose provenance you're sure of for at least five years ?
Now, in principle a CA has options to explicitly revoke a certificate before it expires. The Online Certificate Status Protocol is the most modern of them, but OCSP is not enforced universally and even where it's enabled browsers will typically give up if they can't get a Yes/No answer quickly. So this is why OCSP has been described as a "seat belt that snaps when you crash".
As a result we do not have much trust in OCSP. Shorter expiry dates mean that the information in the certificate was verified more recently, which means it's much more likely that it's still relevant to you at the point where you trust it.
The maximum expiry also sets an effective best agility for any security changes that are short of do-or-die. Something like SHA-1 deprecation for example, needed to take several years because it was impossible to go much faster without breaking a lot of important stuff that had 39 month certificates. Today you could reasonably imagine saying you've got an important but not do-or-die change, and have it done by say August/September 2023.
And agility leads us into...
B. Why Let's Encrypt certificates expire in just 90 days.
From the outset the primary purpose of Let's Encrypt is to encourage automation. The reason the certificates are $0 isn't just because they're nice, it's because machines don't have wallets. If the certificate costs $1 then your Caddy server can't get one without giving it your credit card details. Would you do that? Maybe, but it's more friction.
Automation is one of those things that even if it's easy, outside of a new nerds like me, will get rationalised as low priority. The certificates expire in 5 years? Eh, we'll sort it out when it happens, no hurry. Three years? Eh, I don't think we even have a diary for three years out, I'm sure I'll remember. 825 days? Still not sure we have a calendar for stuff like that, I'll put it on the TODO list for Jim and then when Jim leaves for a senior job elsewhere in 18 months it's forgotten.
Ninety days means that way more people get annoyed and actually automate it and when they do reliability shoots up, because machines are boringly reliable. This is true at scale (at work software called "Cortex" looks after this problem, it used to flag all the manual renewals for human attention, and guess what they would still not happen every time but now it just automatically renews all the Let's Encrypt certificates in a timely fashion) but also in people's home setups like the Caddy on this PC which just exists to emit 40x messages.
Now, one of the things that isn't said here is that although certificates should be renewed frequently because of the revocation hole, you don't need to rotate keys every 90 days if that doesn't seem appropriate. What is being renewed is the CA's assertion that this name corresponds to this key.
Certbot will cheerfully re-use a CSR with the same exact keys in it, and same names wanted, over, and over, and over again unless there's a problem with the keys or you need to change the list of names or whatever, you can do this indefinitely.
God bless Let’s Encrypt. I used to tell my clients they need to cough up $100+/year for a cert and jump through a bunch of hoops to get it working. Now it’s built into the UI of many of the control panels I use and I simply click a button. The pre LE days were the dark ages.
Lets encrypt is a true marvel that blessed the world with easy quick automatable webpki and identity. The world is exponentially more private and secure from their actions. One of the most critical public services in the world.
They got cross-signed by IdenTrust, which as I understand it were/are primarily selling EV certificates to financial institutions (which Let's Encrypt doesn't really compete with), rather than DV certificates (like most CAs out there do, including LE).
These days they are trusted directly by most browsers and OSes as the sibling comments mention, but the IdenTrust cross-signature was vital for bootstrapping and is still used for some older systems.
I applaud the Let's Encrypt founders, past and current team for solving the automation problem that's plagued the SSL/TLS industry.
The yang to that ying is a lack trust. I have zero trust in a site owner using LE certs. Domain vetting only means control of the domain ... everything inside that beautifully encrypted traffic can be insightful, helpful or script kiddies scamming the vulnerable. If one finds the scam, LE shrugs, "not our problem bruh. We just issue certs to those who control the domain."
They single handedly reduced the price of entry for douchebag asshats ability to pretend someone they are not and harm a non-technical populace.
I think history proved fairly convincingly that people would still get scammed with the old system. Given that, I'll take encrypted traffic almost universally across the internet and scams still being a thing over mostly unencrypted traffic any day.
I wish this statement to be true "... scams still being a thing over mostly unencrypted traffic any day." Sadly this falls in a similar category of domain validation.
TLS or SSL never meant that kind of safety in the first place. Even before LE, there was no guarantee that HTTPS means it's not a scam, and the PKI system has never been meant to guarantee that anyway! Let's Encrypt didn't change anything here, and they're doing exactly what they or any other CA is supposed to do.
I guess it's keep trying. Keep patiently explaining, educating and building.
I remember people saying "You'll never be able to topple the certs racket" - and here we are... in a age where every day I read about how we'll 'never' be able to break the big-tech stranglehold and build a distributed network owned by the people, 'never' have privacy and real end-to-end encryption because 'nobody cares', 'never' have practical p2p digital currencies of our own, and where we'll never have open, verifiable hardware. Keep believing.