Anyone looking to use Let's Encrypt and free to make choices regarding their server may want to check out https://caddyserver.com/ -- it has Let's Encrypt support baked right in.
I've said it before when caddy was last mentioned, but this is how I want Let's Encrypt to work with all web servers. Yes. That includes the big ones like nginx, apache and even IIS.
By default, all that's needed is to turn on ssl and you'll be up and running - including a Let's Encrypt certificate.
Following this vision is why I believe that Let's Encrypt limited the validity period of their certs (in addition to some security benefits and much lower OCSP load): once the integration into clients has proceeded to the level Caddy is showing us it's going to, then even quicker expirations would become feasible - heck, even as low as a week or so.
So, while I'm not planning on using caddy any time soon (I don't see a benefit to switching away from nginx right now), I applaud caddy for showing everyone how this should be done.
A huge thank you to the author. This goes to show how very important UX is even for backend-y stuff.
Wow, this is awesome. I had been assuming letsencrypt supported only Unixy operating systems. Most of the web hosts I care about necessarily run Windows, so I thought letsencrypt was out of reach. I wonder how they did this.
Caddy sounds great, but I'm a bit worried by the fact that it does not offer repositories for major Linux distributions. Shouldn't a component that important for public-facing servers be included in standard software updating processes?
If you were like me and holding out on Let's Encrypt until Windows XP is supported (even Chrome is still broken on XP) it looks like a date of March 22nd has been set for "getting new cross-signatures from IdenTrust which work on Windows XP."
I haven't met many of these people to ask them, but I know they still exist because of their user agent containing "Windows NT 5.1" and I know for sure they aren't all bots, and many of them even live in Southern California. I suspect these are the people who would be most confused by websites failing to load.
The cost of providing support then is much greater than the cost of a Comodo certificate.
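One way to put a number on the "Windows NT 5.1" question raised above before deciding whether the support cost matters for a given site: scan the access log for XP user agents and separate likely humans from crawlers. This is an added example, not code from the thread or from Let's Encrypt; the log lines are constructed samples in Apache/nginx combined log format, and the bot heuristic (any user agent containing "bot", "crawler" or "spider") is an assumption, not a standard.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0"
203.0.113.11 - - [10/Mar/2016:12:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36"
203.0.113.12 - - [10/Mar/2016:12:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.13 - - [10/Mar/2016:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36"
203.0.113.14 - - [10/Mar/2016:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Windows NT 5.1"
203.0.113.15 - - [10/Mar/2016:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed crawler heuristic; real classification needs a maintained bot list.
BOT_RE = re.compile(r"bot|crawler|spider", re.IGNORECASE)
# Token that Windows XP browsers put in their user agent string.
XP_TOKEN = "Windows NT 5.1"


def classify(line):
    """Parse one log line; return a dict of the fields we care about, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ua = m.group("ua")
    return {
        "ip": m.group("ip"),
        "ua": ua,
        "is_bot": bool(BOT_RE.search(ua)),
        "is_xp": XP_TOKEN in ua,
    }


def xp_report(log_text):
    """Count XP requests, split into likely humans and likely bots."""
    total = xp_humans = xp_bots = unparsed = 0
    xp_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        if rec["is_xp"]:
            if rec["is_bot"]:
                xp_bots += 1
            else:
                xp_humans += 1
                xp_ips.add(rec["ip"])
    return {
        "requests": total,
        "xp_human_requests": xp_humans,
        "xp_bot_requests": xp_bots,
        "xp_unique_ips": len(xp_ips),
        "xp_human_share": (xp_humans / total) if total else 0.0,
        "unparsed": unparsed,
    }


def needs_xp_compat(report, threshold=0.01):
    """True when the share of (non-bot) XP requests exceeds the given threshold."""
    return report["xp_human_share"] > threshold


if __name__ == "__main__":
    r = xp_report(SAMPLE_LOG)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("keep XP-compatible chain:", needs_xp_compat(r))
```

Run it against a real log by passing the file contents to xp_report; the human share, not the raw count, is what to compare against the cost of supporting those visitors, and the unique-IP count guards against one stale machine hammering a page looking like a crowd.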
I can sort of understand a handful of rather lazy and/or incompetent users insisting on continuing to use a 15-year-old OS, which was replaced a decade ago, and has not been supported by the vendor for 2 years.
Let's Encrypt makes an effort not to use "ssl" anywhere on their site when they really mean tls or https. I'd also hope that no one helps get ssl anywhere given the vulnerabilities that come with it.
Can you explain a little to me? I am not sure I understand all the points. I can't say I follow everything that is happening in the crypto world; I just know I could use a free ssl cert for small sites, and I have one personal one that I was able to 'secure' with a Let's Encrypt cert.
As someone said, if it could work, just by saying SSL yes, it would help a lot.
Technically, SSL is the name of the older protocol that TLS replaced. TLS builds upon SSL so that it's more secure. Unfortunately, SSL is still the ubiquitous term, it seems, but we really should start saying TLS now so as not to confuse unsuspecting site owners / sysadmins.
SSL is a dead protocol that has major vulnerabilities. It no longer has support and anyone still using it should really move on. TLS is the recommended replacement protocol that is still secure. HTTPS can be thought of as secure http, regardless of protocol.
It will have to. Where it will add value is making https available at the fingertips of website creators who don't really know what it does and have no idea how to set it up. They are the ones responsible for the current amount of unencrypted traffic.
Making free certificates available to hackernews readers who are already convinced of the need for encryption and are tech-savvy enough to implement it themselves following best practices isn't helping much to increase encrypted traffic. These users would have used a commercial certificate anyway.
Which is why it is crucial that the client be integrated by default in the web server (apache, IIS, etc) for the target audience to use it without having to understand how it works.
Which isn't what's happening here. What's being transferred to the EFF is not the whole service, but one specific piece of client software which interacts with the service.
Great to see that they are actively aware of CA monopolization, and taking steps to avoid becoming one themselves.