
Let’s Encrypt 2016 in Review - dankohn1
https://letsencrypt.org/2017/01/06/le-2016-in-review.html
======
beeker87
Just want to say, I'm not affiliated with LE, but I think it makes a lot of
sense to donate to them if you use their services regularly.

From my own use case, integrating TLS for my site via LE and the autocert
package in Go has been seamless. It's completely free (if you want it to be),
and it looks like I won't have to worry about renewing certs anymore. The
service LE is providing is amazing. Just thinking of the millions of dollars
they're collectively saving everyone, yearly, is pretty crazy.

If anyone at LE reads this, thank you for your work!

~~~
gog
Which Go package do you use?

~~~
zachgersh
You can probably get pretty far with the package written by Russ Cox:

[https://github.com/rsc/letsencrypt](https://github.com/rsc/letsencrypt)

~~~
sztanpet
No, that is a bad idea, see:
[https://github.com/rsc/letsencrypt/issues/15#issuecomment-25...](https://github.com/rsc/letsencrypt/issues/15#issuecomment-252427783)

------
Klathmon
It sounds like everything is running fantastically for them, and I'm really
glad.

LE has saved us from spending many man hours of time updating certificates
across all dev, staging, and live machines across all of our servers every
year (which just so happens to be almost exactly the amount of time needed to
forget some of the details of what needs to be done...).

But all that being said, when are we going to see a competitor pop up? Clearly
what they are doing is working, so when are we gonna see some others attempt
to do this? Having all your eggs in one basket is never a good thing in any
part of life (no matter how perfect that basket is).

Having more than one "Let's Encrypt" would at the very least spread out some of
the risk, and might even enable them to specialize a bit more (perhaps the
competitor could target the issue of wildcard certs, or be somehow tailored
for the use case of needing thousands of subdomains).

Has there been anyone else trying this?

~~~
mhurron
LE arose from an EFF/Mozilla effort to get encryption everywhere, an aim that
obviously is close to the EFF's mission.

What would be the motivation for a competitor?

~~~
stonogo
Wildcard certificates, long-life server certs, and signed client certificates.
There's a lot of other stuff that LE doesn't handle, too.

I don't think 'competitor' is the right word here -- maybe 'second basket so
all our eggs aren't in one'.

~~~
pfg
I agree with the eggs/basket argument, though I suppose there's an argument to
be made about a number of CAs being essentially too big to fail already, so
what's one more?

Regarding client certificates: There aren't really many good reasons to use
publicly-trusted certificates for client authentication, but if you insist,
you can use Let's Encrypt for that. The certificates do have the
id-kp-clientAuth EKU.
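
The EKU point above is checkable: a TLS server that verifies client certificates builds a chain and requires id-kp-clientAuth along it, so a certificate issued only for id-kp-serverAuth is rejected even when it chains to a trusted root. The following Go program is an added example, not code from the thread or from Let's Encrypt; it mints two throwaway self-signed certificates (one with both EKUs, one with serverAuth only) so it runs offline, and the names and the 90-day lifetime are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a throwaway self-signed certificate for name carrying the
// given extended key usages. It stands in for a CA-issued certificate so the
// example runs offline; the name and 90-day lifetime are constructed values.
func selfSigned(name string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it must act as its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasEKU reports whether cert's extendedKeyUsage extension lists want.
func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// acceptableAsClientCert mirrors what a Go TLS server does with a presented
// client certificate when ClientAuth is RequireAndVerifyClientCert: build a
// chain to a trusted root and require id-kp-clientAuth along that chain.
func acceptableAsClientCert(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	both, err := selfSigned("client.example.test", []x509.ExtKeyUsage{
		x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth,
	})
	if err != nil {
		panic(err)
	}
	serverOnly, err := selfSigned("server.example.test", []x509.ExtKeyUsage{
		x509.ExtKeyUsageServerAuth,
	})
	if err != nil {
		panic(err)
	}
	// Both certificates are trusted roots here; only the EKU decides the outcome.
	roots := x509.NewCertPool()
	roots.AddCert(both)
	roots.AddCert(serverOnly)
	for _, c := range []*x509.Certificate{both, serverOnly} {
		fmt.Printf("%-20s clientAuth EKU present: %-5t  accepted for client auth: %t\n",
			c.Subject.CommonName, hasEKU(c, x509.ExtKeyUsageClientAuth),
			acceptableAsClientCert(c, roots))
	}
}
```

Swap the self-signed certificate for a real leaf plus its issuer chain in the pool and the same `acceptableAsClientCert` call tells you whether a given CA's certificates are usable for client authentication at all.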

~~~
stonogo
I think it would be nice to move toward having a lot of medium-sized nonprofit
CAs instead of a handful of crappy commercial ones, which is the current
situation.

"Too big to fail" is _the_ problem with the current CA system, and today's
well-run TBTFCA is tomorrow's global security crisis.

~~~
ethbro
When I think "mission critical audited security practices", non-profits don't
exactly come to mind.

~~~
stonogo
Oh, but Comodo does? Good luck.

~~~
ethbro
A small sample does not generalize to a trend.

------
lunaru
Let's Encrypt + widespread SNI adoption is making it dead easy for SaaS
companies like ours to host customer content on customer chosen domains. So
their existence doesn't just help the technically proficient -- the "long
tail" of websites published through various platforms will start seeing HTTPS
as a default. And that's very much a good thing. For example, there should be
no reason for publication platforms (like say Medium to pick on an example) to
have such complicated custom domain + SSL configurations in the future.

The next step I'd like to see is all the $5 shared hosts supporting HTTPS by
default via something like Let's Encrypt. There's really no excuse anymore.

BTW, shameless plug: We've found this process so easy that we've spun a side
project out of our main SaaS project called clearalias.com. It's basically a
Let's Encrypt proxy that makes it even easier to publish customer content via
custom domains secured with HTTPS.

~~~
dylz
They already do; cPanel supports native LE
[https://documentation.cpanel.net/display/CKB/The+Let's+Encry...](https://documentation.cpanel.net/display/CKB/The+Let's+Encrypt+Plugin)

~~~
phit_
so does plesk!

[https://www.plesk.com/blog/lets-encrypt-plesk/](https://www.plesk.com/blog/lets-encrypt-plesk/)

[https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0...](https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt)

------
sofaofthedamned
Love LE. I've got people who didn't even know about TLS to use it as a matter
of course, they now see it as a badge of honour to pass the ssllabs tests with
an A+. They've changed the internet for the better.

~~~
serge2k
I got an F.

I should probably update things.

~~~
Sohcahtoa82
How the hell did you get an F? Do you not have SSL at all?

~~~
micaeked
I ran into something similar. In my case, it was due to nginx running with an
old (vulnerable) version of openssl.

------
spiderfarmer
The fact that these certificates are free and the fact that it's so easy to
use has enabled me to move almost all of my websites to https. A project like
this really is moving the web forward.

------
nickpp
Honest question: is there a catch?

Why do all the other CAs cost so much and take so long when the actual cert is
generated in seconds?

Isn't that how it's supposed to work and LE is breaking the rules, thus living
on borrowed time?

If it was possible to be so easy, why did no one else do it? What is the secret
ingredient?

~~~
pfg
> Why do all the other CAs cost so much and take so long when the actual cert
> is generated in seconds?

I guess "so much" should be put in perspective: Domain Validation
certificates, like the ones Let's Encrypt issues, are not really expensive -
resellers typically offer them for something like $10/year. The more expensive
certificates - OV and EV - involve some degree of manual verification of the
information on the certificate (such as the company name). That's a large part
of the cost.

But yeah, commercial CAs are (were?) money printing machines. Running Let's
Encrypt costs about $3M/year, and they support >20M active certificates.
Commercial CAs are going to have some marketing and support expenses, but the
rest would be profit.

> Isn't that how it's supposed to work and LE is breaking the rules, thus
> living on borrowed time?

All CAs (should) follow the same set of rules - the Baseline Requirements.
Let's Encrypt has had a pretty good track record so far - definitely better
than some of the big commercial CAs like Symantec or Comodo.

> If it was possible to be so easy, why did no one else do it? What is the
> secret ingredient?

To be fair, they were not the first free CA - both StartSSL and WoSign offered
free DV certificates (for non-commercial usage). Not the best examples, I
suppose.

Cloudflare offered free SSL (via Comodo) for their customers as well, as does
cPanel via AutoSSL. It's definitely viable, it just took some time for people to
care enough about encrypting the web to make it happen.

~~~
e12e
> But yeah, commercial CAs are (were?) money printing machines.

Which is how we got Canonical/Ubuntu (and how Shuttleworth could afford to be
a space tourist):

[https://en.wikipedia.org/wiki/Thawte](https://en.wikipedia.org/wiki/Thawte)

------
schoen
Somewhat related: [https://www.eff.org/deeplinks/2016/12/https-deployment-growi...](https://www.eff.org/deeplinks/2016/12/https-deployment-growing-leaps-and-bounds-2016-review)
(my post on HTTPS deployment improvements during 2016, a whole lot of which
involved Let's Encrypt)

------
Fej
My experience with Let's Encrypt hasn't been great, but that's not LE's fault.
Long story short, don't use Namecheap, at the very least not their shared
servers.

From their support:

"Though we believe increased web security is a good thing, we also think that
using certificates from free providers can get more risk and uncertainty into
your business. Additionally, we would like to draw your attention to several
disadvantages and drawbacks of Let's Encrypt certificates:

1. No OV/EV support or possibility (no possibility to issue a certificate
with medium or high assurance and user trust level);

2. Insufficient level of domain validation and the absence of brand
validation (All publicly trusted CAs are flagging the certificate containing
IT, financial and other public words, brands etc for additional security
checks, which is not applicable for LE.)

3. Short validity period (for LE certificates - only 90 days, for all trusted
certificate providers - up to 39 months).

Since the nature of shared and reseller hosting implies having a significant
number of independent customers' accounts on the same server instance, we
cannot put at risk our other clients by enabling not fully secure technology.

These and other concerns (for example the fact that ACME-script for Let's
Encrypt requires root access and is able to overwrite server configs) make us
refrain from supporting Let's Encrypt on our shared servers. We hope for your
kind understanding on the matter."

----------

Feel free to reply with other hosts that don't support LE, so I can avoid them
(and hopefully others too!)

~~~
devwastaken
"These and other concerns (for example the fact that ACME-script for Let's
Encrypt requires root access and is able to overwrite server configs) make us
refrain from supporting Let's Encrypt on our shared servers. We hope for your
kind understanding on the matter."

This is one of the problems I've had with LE, and the community defends it by
saying that there are other tools, and forks of tools you can use, when the
problem with those is that they could easily go out of date if LE changes
anything and they'd never be fixed. Updating your certificates needs to be
done in a reliable and contained manner, but nobody wanted to admit that the LE
tools don't do that.

I don't recommend LE unless you're actively maintaining a server and can
invest the time into creating your own contained update script. I know hosters
like Dreamhost have it built in and will auto-update for you, which is nice.
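
The support reply quoted above objects that the ACME client needs root and can rewrite server configs, and the comment above asks for certificate updates to be reliable and contained. The validation step, at least, can be kept contained: the Go responder below is an added example, not code from the thread, from Let's Encrypt or from any hoster. It serves HTTP-01 key-authorization files from a single directory as an unprivileged process, and it assumes that the ACME client (running as the same user) writes each key authorization to a file named after its token in that directory, and that the front-end web server forwards only the `/.well-known/acme-challenge/` prefix to it. The directory path and loopback port are constructed values.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// challengePrefix is the well-known path an ACME server fetches during an
// HTTP-01 validation.
const challengePrefix = "/.well-known/acme-challenge/"

// ChallengeResponder answers HTTP-01 requests from key-authorization files that
// an ACME client (running as the same unprivileged user) has written into Dir.
// It needs no root and never reads or writes the web server's own config.
type ChallengeResponder struct {
	Dir string
}

// isToken reports whether s looks like an ACME token: base64url characters only.
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_':
		default:
			return false
		}
	}
	return true
}

// tokenPath maps a request path to a file inside Dir. Anything that is not a
// single well-formed token under the prefix is rejected, so a request such as
// /.well-known/acme-challenge/../secret can never name a file outside Dir.
func (c ChallengeResponder) tokenPath(reqPath string) (string, error) {
	if !strings.HasPrefix(reqPath, challengePrefix) {
		return "", errors.New("not a challenge path")
	}
	token := strings.TrimPrefix(reqPath, challengePrefix)
	if !isToken(token) {
		return "", errors.New("malformed token")
	}
	return filepath.Join(c.Dir, token), nil
}

// ServeHTTP returns the key authorization for a known token and 404 otherwise.
func (c ChallengeResponder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p, err := c.tokenPath(r.URL.Path)
	if err != nil {
		http.NotFound(w, r)
		return
	}
	data, err := os.ReadFile(p)
	if err != nil {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Write(data)
}

func main() {
	// Constructed defaults: the front-end web server proxies only the
	// challenge prefix to this loopback port, so nothing else is exposed.
	dir := os.Getenv("ACME_CHALLENGE_DIR")
	if dir == "" {
		dir = "/var/lib/acme-challenges"
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8402", ChallengeResponder{Dir: dir}))
}
```

The strict token character check does the containment work: because only base64url characters are accepted, no request path can be joined into a location outside the challenge directory, and the process never needs write access to anything the web server itself owns.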

------
artursapek
I can't think of a single person or entity that has a reason to dislike LE
(except for the for-profit certificate companies, maybe).

~~~
dpwm
We live in a world where people take strong and increasingly indecipherable
stances on the things they know almost nothing about.

There are unpaid supporters for three-letter agencies who have made moves to
ban encryption. With LE anyone can obtain a certificate and set up an in-memory
ephemeral message board that uses "unbreakable encryption." I don't
know of any people who would be able to explain how to implement cryptography
actually taking this stance.

There are apologists for the rent-seeking behaviour of academic journals,
usually ill-informed (wrongly assuming that editing and peer review are not
volunteer positions) and repeating arguments verbatim from those on the
payroll that happen to resonate with whatever political line they follow.
Still, they themselves are not on the payroll.

I can imagine, given sufficient technical knowledge or an article aimed at a mass
audience, certain pro-market contrarians could definitely find reason to hate
this. Maybe even twice.

If you're genuinely pro-market, you should have no problem with an industry
that pools funds to mitigate rent-seeking behaviours of an oligopoly, reduce
the cost of a product for which there is no substitute and increase
utilisation of other resources.

------
ns8sl
btw, if you are not totally comfortable with certbot, there is a free
monitoring service at [https://letsmonitor.org](https://letsmonitor.org)

~~~
breakingcups
That's a bit odd. "It’s completely free." vs. "Register for a LetsMonitor.org
Free Trial"

Which is it?

------
LinuxBender
Is there a list of major B2B and eCommerce sites using LE for their primary
customer facing sites? This would be useful if our customers brought it up.

Are there any plans or water-cooler discussions around supporting wildcard or
multi-sub-domain SAN wildcard certs?

~~~
pfg
> Is there a list of major B2B and eCommerce sites using LE for their primary
> customer facing sites? This would be useful if our customers brought it up.

W3Techs[1] is generally a good source for this kind of information.
Themeforest seems to be using them, for example. (Certificates issued by Let's
Encrypt are counted under the IdenTrust root on W3Tech, since that's the CA
that cross-signed Let's Encrypt.) Generally speaking, they get used on
low-traffic sites (compared to the other major CAs), but that's not really
surprising.

[1]: [https://w3techs.com/technologies/details/sc-identrust/all/al...](https://w3techs.com/technologies/details/sc-identrust/all/all)

~~~
LinuxBender
I had not seen that site before, thank you! I will keep an eye on the popular
sites using IdenTrust.

------
jwilk
What does "y" mean on the graph labels?

~~~
clowd
I'm going to go with "y axis" but it's just a guess.

------
skrowl
Still no official client for IIS. Maybe in 2017!

