←back to thread

Let's Encrypt is 10 years old now

(letsencrypt.org)
489 points gslin | 2 comments | 20 Nov 24 06:13 UTC | HN request time: 0.466s | source
Show context
mrtksn ◴[20 Nov 24 07:49 UTC] No.42191644[source]
Hands down one of the greatest services out there, stopped a racket and made the internet secure.

I remember a time when having an HTTPS connection was for "serious" projects only because the cost of the certificate was much higher than the domain. You go commando and if it sticks then you purchase a certificate for a 100 bucks or something.

replies(5): >>42191676 #>>42192385 #>>42192827 #>>42192905 #>>42193198 #
dachris ◴[20 Nov 24 07:55 UTC] No.42191676[source]
There's still enough people out there who don't know better, manually (or auto-renew) purchasing new a certificate every year from their hosting provider like it's 2013.
replies(7): >>42191711 #>>42191799 #>>42191800 #>>42191829 #>>42191872 #>>42191976 #>>42192618 #
mrtksn ◴[20 Nov 24 08:04 UTC] No.42191711[source]
AFAIK there's things like Extended Validation Certificate Verification that used to make the browser address bar look more trustworthy by making it green but I don't know if its still a thing. At least in Safari, I don't see a green padlock anywhere.
replies(7): >>42191763 #>>42191765 #>>42191791 #>>42191856 #>>42191904 #>>42192021 #>>42192314 #
1. tannhaeuser ◴[20 Nov 24 09:55 UTC] No.42192314[source]
Huh? EV certificates are actually certifying you're the (juristical) person you're claiming to be based on ID and trade register checks, unlike Let's Encrypt certificates which only certify you're in possession of a domain. Isn't using EV certificates legally required for e-commerce web sites at least in parts of the world, and also obligatory for rolling out as MasterCard/Visa merchant by their anti-fraud requirements along with vulnerability checks and CI/site update processes being in place?
replies(1): >>42192466 #
2. khuey ◴[20 Nov 24 10:17 UTC] No.42192466[source]
> Isn't using EV certificates legally required for e-commerce web sites at least in parts of the world

Not in any jurisdiction I'm aware of, though it's a big world so it wouldn't shock me if some small corner of it has bad laws.

> and also obligatory for rolling out as MasterCard/Visa merchant by their anti-fraud requirements

PCI DSS does not require EV certificates.