
489 points gslin | 3 comments
mrtksn No.42191644
Hands down one of the greatest services out there, stopped a racket and made the internet secure.

I remember a time when having an HTTPS connection was for "serious" projects only because the cost of the certificate was much higher than the domain. You go commando and if it sticks then you purchase a certificate for 100 bucks or something.

replies(5): >>42191676 >>42192385 >>42192827 >>42192905 >>42193198
dachris No.42191676
There's still enough people out there who don't know better, manually (or auto-renew) purchasing a new certificate every year from their hosting provider like it's 2013.
replies(7): >>42191711 >>42191799 >>42191800 >>42191829 >>42191872 >>42191976 >>42192618
mrtksn No.42191711
AFAIK there are things like Extended Validation Certificate Verification that used to make the browser address bar look more trustworthy by making it green, but I don't know if it's still a thing. At least in Safari, I don't see a green padlock anywhere.
replies(7): >>42191763 >>42191765 >>42191791 >>42191856 >>42191904 >>42192021 >>42192314
bux93 No.42191856
Chrome 77 removed the prominent green EV badge. "A series of academic research in the 2000s studied the EV UI in lab and survey settings, and found that the EV UI was not protecting against phishing attacks as intended. The Chrome Security UX team recently published a study that updated these findings with a large-scale field experiment, as well as a series of survey experiments." [1]

Extended Validation can still play a role in a corporation's IT control framework; the extended validation is essentially a check-of-paperwork that then doesn't need to be performed by your own auditor. Some EV certificates also come with some (probably completely useless) liability insurance.

[1] https://chromium.googlesource.com/chromium/src/%2B/HEAD/docs...

replies(1): >>42191981
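The "check-of-paperwork" bux93 describes is still recorded in the certificate itself even though browsers no longer surface it: CAs mark the validation level with CA/Browser Forum policy OIDs in the certificatePolicies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV). The following is an added example, not code from this thread or from any CA or browser project: it reads a DER-encoded certificatePolicies value with a small hand-written DER walker and classifies it. The sample inputs are constructed in the block, and the private OID 1.3.6.1.4.1.99999.1.1 is a placeholder standing in for a CA-specific policy, not a real CA's identifier.

```python
"""Classify the validation level encoded in an X.509 certificatePolicies
extension (DER bytes) using the CA/Browser Forum reserved policy OIDs.
Added example for this thread; not code from any project mentioned here."""
from __future__ import annotations

# CA/Browser Forum reserved policy identifiers (real OIDs from the BRs / EV Guidelines).
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",    # Extended Validation
    "2.23.140.1.2.1": "DV",  # Domain Validated
    "2.23.140.1.2.2": "OV",  # Organization Validated
    "2.23.140.1.2.3": "IV",  # Individual Validated
}


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form (up to 4-byte) lengths; rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    if not raw or raw[-1] & 0x80:
        raise ValueError("empty or unterminated OID")
    subids, value = [], 0
    for b in raw:                       # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]                   # first subidentifier packs the first two arcs
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def policy_oids(ext_value: bytes) -> list[str]:
    """Return every policyIdentifier in a DER certificatePolicies value:
    SEQUENCE OF PolicyInformation { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(info, 0)   # qualifiers after the OID are ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def validation_level(ext_value: bytes) -> str:
    """Return 'EV', 'OV', 'IV', 'DV' or 'unknown'. EV wins if present; otherwise the
    first CA/B Forum OID decides. Certs carrying only CA-private OIDs map to 'unknown'."""
    found = [CABF_POLICY_OIDS[o] for o in policy_oids(ext_value) if o in CABF_POLICY_OIDS]
    if "EV" in found:
        return "EV"
    return found[0] if found else "unknown"


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag + length + content); used to build sample inputs."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for s in subids:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out.extend(reversed(chunk))
    return bytes([0x06, len(out)]) + bytes(out)


def sample_policies(*dotted: str) -> bytes:
    """Constructed certificatePolicies value carrying the given OIDs (no qualifiers)."""
    infos = b"".join(bytes([0x30, len(encode_oid(d))]) + encode_oid(d) for d in dotted)
    return bytes([0x30, len(infos)]) + infos


if __name__ == "__main__":
    # Constructed samples: an EV cert that also carries a placeholder CA-private OID, and a DV cert.
    ev = sample_policies("1.3.6.1.4.1.99999.1.1", "2.23.140.1.1")
    dv = sample_policies("2.23.140.1.2.1")
    print(policy_oids(ev), validation_level(ev))
    print(validation_level(dv))
```

To run this against a real certificate, pull the raw value of the certificatePolicies extension (OID 2.5.29.32) out of the certificate with whatever X.509 library you already use and pass those bytes to `validation_level`. A result of `unknown` means the CA/B Forum marker is absent (common on older certificates that only carry a CA-specific OID), not that the certificate is invalid.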
duskwuff No.42191981
> Some EV certificates also come with some (probably completely useless) liability insurance.

Warranties / insurance on SSL certificates typically only pay out if a certificate is issued improperly, often in conjunction with other conditions like a financial loss directly resulting from the misissuance. Realistically, any screwup serious enough to result in that warranty paying out would also result in the CA being abruptly removed from browser root certificate programs.

replies(2): >>42192204 >>42197508
No.42192204
uid65534 No.42197508
Ah yes, I too remember when COMODO was ripped out of browsers in 2011 when it came to light they gave sign-anything rights to a bunch of resellers, one of whom was hacked. And then again in 2016.

And another fun one unrelated to signing was when they tried to trademark "Let's Encrypt" in 2015.

But yes, it is not a common issue and effort would be better focused on improving site security in other ways. (unlike the rest of my comment, this line isn't sarcasm.)