←back to thread

Let's Encrypt is 10 years old now

(letsencrypt.org)
489 points gslin | 2 comments | 20 Nov 24 06:13 UTC | HN request time: 0.433s | source
Show context
mrtksn ◴[20 Nov 24 07:49 UTC] No.42191644[source]
Hands down one of the greatest services out there, stopped a racket and made the internet secure.

I remember a time when having an HTTPS connection was for "serious" projects only because the cost of the certificate was much higher than the domain. You go commando and if it sticks then you purchase a certificate for a 100 bucks or something.

replies(5): >>42191676 #>>42192385 #>>42192827 #>>42192905 #>>42193198 #
dachris ◴[20 Nov 24 07:55 UTC] No.42191676[source]
There's still enough people out there who don't know better, manually (or auto-renew) purchasing new a certificate every year from their hosting provider like it's 2013.
replies(7): >>42191711 #>>42191799 #>>42191800 #>>42191829 #>>42191872 #>>42191976 #>>42192618 #
karel-3d ◴[20 Nov 24 08:54 UTC] No.42191976[source]
I have dealt with banking environment when they required SSL with at least 1-year validity on the callback API URL. Which excluded Let's Encrypt.

We were looking for a SSL provider that had > 1 year old certs AND supported ACME... for some reason we ended up with SSL.com that did support ACME for longer lasting certs; however, there was some minor incompatibilities in how kubernetes cert-manager implemented ACME and how SSL.com implemented ACME; we ended up debugging SSL.com ACME protocol implementation.

Fun. We should have just clicked once per 3 years, better than debugging third parties APIs.

No, I don't remember the details and they are all lost in my old work emails.

(Nowadays I think zerossl.com also supports ACME for >1 year certs? but they did not back then. edit: no they still don't, it's just SSL.com I think)

replies(3): >>42192077 #>>42192133 #>>42197885 #
JoshTriplett ◴[20 Nov 24 09:12 UTC] No.42192077[source]
> I have dealt with banking environment when they required SSL with at least 1-year validity on the callback API URL. Which excluded Let's Encrypt.

I wonder if this would be an opportunity for revenue for Let's Encrypt? "We do 90-day automated-renewal certificates for free for everyone. If you're in an unusual environment where you need certificates with longer validity, we offer paid services you can use."

replies(3): >>42192215 #>>42192496 #>>42193166 #
account42 ◴[20 Nov 24 09:37 UTC] No.42192215[source]
Probably better to keep LE / ISRG completely non-profit. Adding a profit motive has too big of a chance to end with actually security-relevant features being gated behind payment eventually.
replies(1): >>42192523 #
JoshTriplett ◴[20 Nov 24 10:26 UTC] No.42192523[source]
It's less about the profit motive, and more about removing the remaining incentives to stay outside the ACME ecosystem. The funding would be to provide additional infrastructure (e.g. revocation servers for longer-lasting certificates), and to fund new such efforts.
replies(1): >>42192587 #
1. account42 ◴[20 Nov 24 10:36 UTC] No.42192587[source]
But once there is an income stream from issuing certificates there is an incentive to increase it which will quickly find itself at odds with the primary missions of providing secure connections to as many people as possible. Making infrastructure depend on that income stream only increases that incentive. Perhaps you trust the ISRG to resist the temptaton but as far as I know they are run by humans.
replies(1): >>42193063 #
2. JoshTriplett ◴[20 Nov 24 11:57 UTC] No.42193063[source]
There are many, many opportunities in both the business and non-profit world to make more money by screwing your customers/users, and despite that, it does not always happen. Businesses and non-profits are built on the trust of users (or built in spite of the utter lack of it, e.g. Comcast). I don't think they should be afraid to provide things users need. It is, in fact, possible to choose and keep choosing to maintain the trust of your users.

I think there's still incentive alignment here. Getting people moved from the "purchase 1 year certificate" world (which is apparently still required in some financial contexts) into the ACME-based world provides a path for making a regulatory argument that it'd be easy for such entities to switch over to shorter-lived certificates because the ACME infrastructure is right there.