
512 points | gslin | 1 comment
pests No.42191619
It feels like just yesterday I was paying for certs, or worse, just running without.

Can't believe it's been ten years.

replies(1): >>42191666
ozim No.42191666
Can't believe there are still anti-TLS weirdos.
replies(7): >>42191688 >>42191718 >>42191893 >>42192714 >>42192733 >>42193057 >>42193614
michaelt No.42192733
I am 99% in favour of widespread use of TLS - but the reality is it means the web only works at the whim of the CA/Browser Forum. And some members of the forum are very eager to flex their authority.

If I do everything perfectly, but the CA I used makes some trivial error which, in the case of my certificate, has no real-world security impact? They can send me an e-mail at 6:40 PM telling me they're revoking my certificate at 2:30 PM the next day. Just what you want to find in your inbox when you get in the next day. I hope you weren't into testing, or staged rollouts, or agreeing deployment windows with your users - you'd better YOLO that change into production without any of that.

Even though it wasn't your mistake, and there's no suggestion you shouldn't have the certificate you have.

As far as the CA/B Forum is concerned, safety-critical systems that can't YOLO changes straight into production with minimal testing and only a few hours of notice don't belong on their PKI infrastructure. You'd better jump to it and fix their mistake right now.

replies(2): >>42192813 >>42193195
hehehheh No.42193195
Hopefully you terminate TLS far away from your app code so rolling that out to prod is a non-issue. But I get your point!
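The pattern the reply above is pointing at, as an added example that is not code from this thread or from any project mentioned in it: a TLS terminator that picks up a reissued certificate from disk on the next handshake, so a short-notice revocation is handled by copying two files into place rather than by redeploying the application. The `certReloader` type, `newReloader`, the `tls.crt`/`tls.key` file names, the host `app.example.test` and the serial numbers are all assumptions made for the example; `writeSelfSigned` only stands in for the CA by minting self-signed test certificates.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// certReloader is a hypothetical certificate source for a TLS terminator
// (reverse proxy, ingress, sidecar). It re-reads the PEM files whenever the
// cert file's content changes, so a reissued certificate copied into place is
// served on the next handshake: no restart, no change to the app behind it.
type certReloader struct {
	certPath, keyPath string
	mu                sync.Mutex
	certPEM           []byte           // content of the last good cert file
	cert              *tls.Certificate // last good pair, never nil after newReloader
}

func newReloader(dir string) (*certReloader, error) {
	r := &certReloader{certPath: dir + "/tls.crt", keyPath: dir + "/tls.key"}
	return r, r.reload()
}

// reload swaps in the on-disk pair if it changed and passes two checks:
// tls.X509KeyPair rejects a cert whose public key does not match the key file,
// and an already-expired cert is rejected so a bad copy cannot take the site down.
func (r *certReloader) reload() error {
	certPEM, err := os.ReadFile(r.certPath)
	if err != nil {
		return err
	}
	if r.cert != nil && bytes.Equal(certPEM, r.certPEM) {
		return nil // unchanged since last load
	}
	keyPEM, _ := os.ReadFile(r.keyPath) // a missing key fails in X509KeyPair below
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	if pair.Leaf, err = x509.ParseCertificate(pair.Certificate[0]); err != nil {
		return err
	}
	if time.Now().After(pair.Leaf.NotAfter) {
		return fmt.Errorf("serial %s already expired", pair.Leaf.SerialNumber)
	}
	r.cert, r.certPEM = &pair, certPEM
	return nil
}

// getCertificate is what tls.Config{GetCertificate: r.getCertificate} calls on
// each handshake. A broken replacement is logged; the last good pair keeps serving.
func (r *certReloader) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if err := r.reload(); err != nil {
		fmt.Fprintln(os.Stderr, "cert reload skipped:", err)
	}
	return r.cert, nil
}

// writeSelfSigned stands in for the CA: it writes a fresh self-signed cert and key
// (constructed test data) to dir/tls.crt and dir/tls.key. Negative validFor = expired.
func writeSelfSigned(dir, host string, serial int64, validFor time.Duration) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-2 * time.Hour),
		NotAfter:     time.Now().Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	if err := os.WriteFile(dir+"/tls.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(dir+"/tls.key", pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "tls-rotate")
	defer os.RemoveAll(dir)
	_ = writeSelfSigned(dir, "app.example.test", 1001, 24*time.Hour)
	r, _ := newReloader(dir)
	c, _ := r.getCertificate(nil)
	fmt.Println("serving serial", c.Leaf.SerialNumber)
	// The CA revoked 1001 on short notice: copy the reissued 1002 into place.
	_ = writeSelfSigned(dir, "app.example.test", 1002, 24*time.Hour)
	c, _ = r.getCertificate(nil)
	fmt.Println("serving serial", c.Leaf.SerialNumber)
}
```

Two caveats for real use: write the new cert and key to temporary names and rename them into place, so a handshake never reads a half-written file or a new cert next to the old key (the example writes directly, which is fine only because nothing is serving concurrently); and keep the terminator in its own process so the app's own release pipeline is not involved at all, which is the point the reply makes. Off-the-shelf proxies offer the same thing through a reload signal rather than a per-handshake callback.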