
489 points gslin | 16 comments
mrtksn No.42191644
Hands down one of the greatest services out there, stopped a racket and made the internet secure.

I remember a time when having an HTTPS connection was for "serious" projects only because the cost of the certificate was much higher than the domain. You go commando and if it sticks then you purchase a certificate for 100 bucks or something.

replies(5): >>42191676 #>>42192385 #>>42192827 #>>42192905 #>>42193198 #
dachris No.42191676
There are still enough people out there who don't know better, manually (or auto-renew) purchasing a new certificate every year from their hosting provider like it's 2013.
replies(7): >>42191711 #>>42191799 #>>42191800 #>>42191829 #>>42191872 #>>42191976 #>>42192618 #
1. mrtksn No.42191711
AFAIK there are things like Extended Validation Certificate Verification that used to make the browser address bar look more trustworthy by making it green, but I don't know if it's still a thing. At least in Safari, I don't see a green padlock anywhere.
replies(7): >>42191763 #>>42191765 #>>42191791 #>>42191856 #>>42191904 #>>42192021 #>>42192314 #
2. Systemmanic No.42191763
Chrome and Firefox removed the extra UI stuff for EV certs in 2019:

https://groups.google.com/a/chromium.org/g/security-dev/c/h1...

https://groups.google.com/g/firefox-dev/c/6wAg_PpnlY4

3. sureIy No.42191765
Yeah, that also stopped being a thing. I'm really happy with how Chrome and then other browsers gradually shifted the blame to insecure websites rather than highlighting "secure" ones.

You'll still find people online clamoring that EV certificates are worth anything more than $0, but you can ignore them just as well.

4. mrweasel No.42191791
I remember our boss really wanted that green bar, so we got an extended validation certificate. What we had failed to realise is that they would only be issued to the actual legal name of your company, but not any other names you may be operating under. We had a B2C webshop where we wanted the EV cert, but because the B2C side of the business wasn't its own legal entity, the cert we got issued was for our B2B name, which none of our customers knew, and it looked like a scam.

The only good thing about dealing with certificate resellers at the time was that they were really flexible in a lot of ways. We got our EV cert refunded, or "store credit", and used the money to buy normal certificates.

5. bux93 No.42191856
Chrome 77 removed the prominent green EV badge. "A series of academic research in the 2000s studied the EV UI in lab and survey settings, and found that the EV UI was not protecting against phishing attacks as intended. The Chrome Security UX team recently published a study that updated these findings with a large-scale field experiment, as well as a series of survey experiments." [1]

Extended Validation can still play a role in a corporation's IT control framework; the extended validation is essentially a check of paperwork that then doesn't need to be performed by your own auditor. Some EV certificates also come with some (probably completely useless) liability insurance.

[1] https://chromium.googlesource.com/chromium/src/%2B/HEAD/docs...

replies(1): >>42191981 #
6. Propelloni No.42191904
They are still there, but most browsers don't do anything with it anymore since 2019, when Firefox and Chrome stopped caring.

There are some scenarios where you still have to employ EV certificates, e.g. code signing.

7. duskwuff No.42191981
> Some EV certificates also come with some (probably completely useless) liability insurance.

Warranties / insurance on SSL certificates typically only pay out if a certificate is issued improperly, often in conjunction with other conditions like a financial loss directly resulting from the misissuance. Realistically, any screwup serious enough to result in that warranty paying out would also result in the CA being abruptly removed from browser root certificate programs.

replies(2): >>42192204 #>>42197508 #
8. _betty_ No.42192021
They were also pretty bad for performance due to the extra lookup (and reduction in caching).
replies(1): >>42192187 #
9. account42 No.42192187
What extra lookup? AFAIU they are just like normal certificates but with a "customer paid extra" flag.
replies(2): >>42192216 #>>42192233 #
10. No.42192204{3}
11. _betty_ No.42192216{3}
They normally require a revocation lookup on the spot, and IIRC there were differences in whether they could, or in how stapling worked.
replies(1): >>42192599 #
12. _betty_ No.42192233{3}
https://simonhearne.com/2020/drop-ev-certs/
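The revocation-lookup point raised above hinges on two things a certificate carries: an EV policy identifier and an OCSP responder URL (the AIA extension) that a client may query. The following added example (not from the thread or the linked article) constructs a self-signed test certificate with both, then shows how to read them back with openssl; it assumes OpenSSL 1.1.1 or newer for `-addext`, and the hostname and responder URL are placeholders. 2.23.140.1.1 is the CA/Browser Forum EV policy OID; whether a client actually performs a live lookup, or accepts a stapled response, is client policy and not something the certificate itself decides.

```shell
#!/usr/bin/env bash
# Added example: inspect a certificate for the EV policy OID and for an OCSP
# responder URL, the two properties behind the "extra lookup" discussion.
# A constructed self-signed certificate is used so this runs fully offline.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Build a constructed test cert that looks EV-like: CA/B Forum EV policy OID
# plus an OCSP responder in authorityInfoAccess. Names are placeholders.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -subj "/CN=shop.example.test" \
        -addext "certificatePolicies=2.23.140.1.1" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
        >/dev/null 2>&1
    echo "$WORKDIR/cert.pem"
}

# Print the OCSP responder URI(s) embedded in the cert; empty if there are
# none, which means a client has nothing to query for a live revocation check.
cert_ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Return 0 if the cert asserts the CA/B Forum EV policy OID, 1 otherwise.
# OpenSSL prints unknown OIDs numerically; the alternation also tolerates a
# build that has a symbolic name registered for it.
cert_is_ev() {
    openssl x509 -in "$1" -noout -text | grep -Eiq '2\.23\.140\.1\.1|ev[-_ ]guidelines'
}

# Usage: generate the test cert and report both properties.
CERT="$(make_test_cert)"
echo "OCSP responder: $(cert_ocsp_uri "$CERT")"
if cert_is_ev "$CERT"; then
    echo "EV policy OID present"
else
    echo "no EV policy OID"
fi
```

Run the same two helpers against a real server certificate (for example one saved with `openssl s_client -showcerts`) to see which of your own endpoints advertise a responder at all; a certificate with no AIA OCSP entry cannot be checked live, while one that has it is only as fast as that responder unless the server staples the response.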
13. tannhaeuser No.42192314
Huh? EV certificates are actually certifying you're the (juristical) person you're claiming to be based on ID and trade register checks, unlike Let's Encrypt certificates, which only certify you're in possession of a domain. Isn't using EV certificates legally required for e-commerce web sites at least in parts of the world, and also obligatory for rolling out as a MasterCard/Visa merchant by their anti-fraud requirements, along with vulnerability checks and CI/site update processes being in place?
replies(1): >>42192466 #
14. khuey No.42192466
> Isn't using EV certificates legally required for e-commerce web sites at least in parts of the world

Not in any jurisdiction I'm aware of, though it's a big world so it wouldn't shock me if some small corner of it has bad laws.

> and also obligatory for rolling out as MasterCard/Visa merchant by their anti-fraud requirements

PCI DSS does not require EV certificates.

15. account42 No.42192599{4}
Interesting. Sounds like a cost that is entirely reasonable for use cases like online banking though.
16. uid65534 No.42197508{3}
Ah yes, I too remember when COMODO was ripped out of browsers in 2011 when it came to light they gave sign-anything rights to a bunch of resellers, one of whom was hacked. And then again in 2016.

And another fun one unrelated to signing was when they tried to trademark "Let's Encrypt" in 2015.

But yes, it is not a common issue and effort would be better focused on improving site security in other ways. (unlike the rest of my comment, this line isn't sarcasm.)