
Early Impacts of Let's Encrypt - tdurden
https://tacticalsecret.com/early-impacts-of-letsencrypt/
======
comex
Wow. Public beta for 2.5 _months_ and already 700,000 certificates issued,
more than a third of the largest competitor's number, about 10% of the entire
secure Web.

There certainly seems to have been pent-up demand.

~~~
toyg
There is always pent-up demand for a previously-expensive service to become
free.

~~~
jonlucc
There were free options. I think the biggest benefits to Let's Encrypt are the
EFF's clout and the simplicity.

~~~
toyg
No, there were not. Free options meant untrusted certificates or short-lived
certificates that could not be renewed.

LE made SSL free, trusted and long-term. You could have made it twice as hard
to do the initial setup and people would have jumped at the opportunity
regardless.

~~~
pfg
StartSSL and WoSign have been offering free, publicly trusted certificates
with one year lifetimes (and the ability to renew for free) for quite some
time.

The former doesn't allow commercial usage, while the latter operates in China.
That's probably why it wasn't an option for a lot of people. (That, and the
terrible UX at least in StartSSL's case.)

~~~
_ak
StartSSL isn't free. They charge for certificate revocation.

~~~
beefhash
Furthermore, their free certificates cannot be used for commercial purposes.

~~~
mehrdada
I don't know why your comment is downvoted -- this is actually a legitimate
issue mentioned in their terms of service.

~~~
nailer
StartSSL generally don't mention their terms, so a lot of the use of 'StartSSL
Free' is commercial. People don't like to hear they've been misled (and shoot
the messenger).

~~~
vsl
They actually started policing this and refuse to renew a certificate if they
decide it's a commercial use. Happened to me and rather than argue with them
(it wasn't), I bought a $5 one at ssls.com...

------
sansidentity
Hypothetical. If I run a website for a small town public library that only
serves information, i.e. no user accounts and no logins on our domain, is there
a valid reason for me to go through the process of https and certificates?
Plus I'm on a shared host. I briefly looked at the install doc on letsencrypt
and while it's clear it's easier than it used to be, I am uncertain my shell
access will give me the necessary permissions to even accomplish it without
upgrading to something like a VPS or administering my own VM with a
cloud provider. Which is honestly something I am less than interested in doing
if I can help it. Keeping a web server secure seems brutal to me.

~~~
Titanous
Yes, there are many reasons to deploy TLS everywhere, and everyone should be
working towards it for these reasons:

- Increased resistance to surveillance. Instead of seeing the
pages/information that a client downloads from your server, state actors,
ISPs, local attackers, and anyone else listening only learn that the client
downloaded some bytes from your server.

- Mitigation of man-in-the-middle and man-on-the-side attacks against your
website. These can be as simple as someone attacking a local open Wi-Fi access
point to sophisticated attacks like the Chinese DDoS against GitHub and the
NSA's QUANTUM INSERT. Potential attacks range from replacing/rewriting
information to attacking client machines with browser exploits.

- Better SEO rankings: Google weighs HTTPS sites higher than their equivalent
insecure plaintext.

If you need a shared host that supports HTTPS, take a look at DreamHost, they
have a free one-click Let's Encrypt integration.

~~~
awqrre
I pay $5/month for my shared hosting for 100GB disk space and unlimited
bandwidth but it doesn't support HTTPS...

~~~
everfree
Sorry to hear that. HTTPS (via SNI and user-uploaded certificate) doesn't cost
the hosting provider anything to support, so it seems like yours is just
behind the times.

------
jvehent
tldr: Let's Encrypt is achieving its original mission: help people use TLS on
domains that were previously insecure, and make the internet a safer place.

> In the first quarter of its operation then, Let's Encrypt has far and away
> been used more to secure previously-unsecured (or at least untrusted)
> websites than simply as a cost-savings measure.

------
yoha
For anyone struggling with creating Let's Encrypt certificates (or just as
lazy as I am), try out
[https://gethttpsforfree.com/](https://gethttpsforfree.com/) .

~~~
TazeTSchnitzel
The CLI version of the LE client is pretty simple to use. Literally one
command line.

~~~
bogus-
Yes, it's almost too convenient. Lazy me is still slightly miffed that auto
nginx is not fully supported, however.

~~~
schoen
Sorry for the delay. It's turned out that parsing is hard, especially in the
absence of a formal grammar for configuration file formats!

If you don't need the certs automatically installed, nginx users are generally
doing well with the webroot plugin (which automatically creates files to
perform the ACME challenge, regardless of what webserver is serving those
files). This will also work for renewal, as long as you're able to do the
initial configuration of your nginx to work with the certs you get.
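
A pre-flight check for the webroot method schoen describes, as an added example (not the Let's Encrypt client's own code): it plants a token file where an HTTP-01 challenge file would go and fetches it back over plain HTTP, so a wrong nginx location shows up before the CA is asked to validate. The webroot path, the nginx snippet, the `place_token`/`challenge_reachable` helper names and the use of curl are assumptions; the client invocation in the trailing comment is today's certbot syntax for the webroot plugin.

```shell
#!/bin/sh
# Added example (not the Let's Encrypt client): pre-flight check for the
# webroot method. HTTP-01 validation fetches
# http://<domain>/.well-known/acme-challenge/<token> over plain HTTP, so if
# this script can fetch a token it planted, the real challenge file will be
# served by the same nginx config. Assumes curl is installed.
set -eu

CHALLENGE_DIR=".well-known/acme-challenge"

# nginx location block that maps the challenge URL onto WEBROOT ($1). Only
# this path needs to stay on plain HTTP; the rest of the site can redirect.
acme_nginx_snippet() {
  cat <<EOF
location ^~ /$CHALLENGE_DIR/ {
    root $1;
    default_type text/plain;
}
EOF
}

# place_token WEBROOT: write a random token file and print the token.
# (Constructed token format; real ACME tokens come from the CA.)
place_token() {
  tok=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$1/$CHALLENGE_DIR"
  printf '%s' "$tok" > "$1/$CHALLENGE_DIR/$tok"
  printf '%s\n' "$tok"
}

# remove_token WEBROOT TOKEN: clean up after the check.
remove_token() {
  rm -f "$1/$CHALLENGE_DIR/$2"
}

# challenge_reachable DOMAIN WEBROOT: returns 0 when the planted token comes
# back unchanged over HTTP. -L follows redirects, as the validator does.
challenge_reachable() {
  tok=$(place_token "$2")
  body=$(curl -fsSL --max-time 10 "http://$1/$CHALLENGE_DIR/$tok" || true)
  remove_token "$2" "$tok"
  [ "$body" = "$tok" ]
}

# Typical use once the check passes (webroot plugin, certonly so nothing
# touches the nginx config; install the issued cert in nginx yourself):
#   challenge_reachable example.com /var/www/html && \
#     certbot certonly --webroot -w /var/www/html -d example.com
```

Renewal uses the same path, so keeping that one location block in place is what makes unattended renewal work for an nginx setup that was configured by hand.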

------
ralmidani
Just the other day, we finished a "dry run" deployment of our new app for
small businesses on a Digital Ocean droplet running Debian and Apache (our app
is Ember and Django). Let's Encrypt was the final step.

We followed the instructions provided by DO[0], and aside from our mistake of
leaving a previous attempt as a Virtualhost on port 443, the client just works
out-of-the-box.

It automatically detects which file has the Virtualhost for port 80, asks you
if you want to force redirect to https, copies your script to a new file with
a Virtualhost on port 443 (adding SSL and telling Apache where to find the
certs), and enables the site for you. Needless to say, my pair programmer and
I were impressed thoroughly.

[0] [https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04)

~~~
obituary_latte
Sorry if I'm not understanding, but so it generates an httpd.conf for you?

~~~
schoen
The apache plugin for the Let's Encrypt Python client can edit apache
configuration files (one of the most complex and hard-to-get-right but also
one of the most convenient features of the client). There is also an nginx
plugin which is significantly more experimental and which also edits nginx
configuration files.

------
ratsbane
I tried Let's Encrypt for the first time a week or two ago and was really
impressed. This is the way to do it. Well done!

------
ShakataGaNai
So one thing that would be interesting to take a look at from this dataset is
wildcard vs non-wildcard. My employer has two wildcard certs for public sites
(purchased from your standard vendors) and that's all that is required (for a
lot of places). However one of my personal domains I play with a lot of
technologies, all on their own subdomains. So for that single domain I
probably have 10 LE certs (and yes, none of these were secured before).

So maybe it's not wildcard vs non-wildcard, it's limit the datasets to root
domain names?

------
loumf
It's nice that it's free, but if you have the means (like, you are using it
for a business), please consider donating some of your savings.

------
tootie
I've used them a bunch. We host a lot of internal-facing utilities that are
low-profile, but occasionally hosting sensitive data. In the past I couldn't
convince managers to spend money on certs even if the cost of someone
stumbling on these sites could be very high and certs are cheap. Now I don't
even have to ask.

~~~
diafygi
Keep in mind that Let's Encrypt publishes a searchable list of all domains
issued.

[https://crt.sh/?Identity=%25&iCAID=7395](https://crt.sh/?Identity=%25&iCAID=7395)

~~~
tootie
Why?

~~~
technion
They are following that Certificate Transparency standard that, eventually,
everyone will need to follow.

It's already a requirement for anyone issuing EV certificates.

Note crt.sh is actually a Comodo website, for interrogating the CT logs.

------
jchomali
I started using Let's Encrypt for a new app backend that I am building. I find
its free service very useful, as it gives developers the opportunity to use
secure servers to keep users' privacy and the server's security for free.

------
spinlock
Is this a typical workflow for statistical analysis? The choice of go and
mariadb seemed unique to me and I was wondering what others were using.

~~~
chillydawg
MariaDB probably because the data he had was already in mysql/maria format or
he had a meaty mariadb server set up. Go: it's easy to hack stuff together.
Generally speaking, statistical analysis of stuff boils down to whatever
you're comfortable with and what your goals are.

------
ex3ndr
So, Let's Encrypt became 4th in the world by number of certs? Am I right?

~~~
pfg
4th largest counting certificates that are either on Certificate Transparency
Log servers or in censys' data set.

CT logs are populated by CAs sending their certificates to log servers. Only a
few CAs (including Let's Encrypt) do this consistently at the moment, since
it's only mandatory for EV certs (for now), and CAs generally move rather
slowly. Certificates encountered by Googlebot during web crawling also get
pushed to their log servers. Censys probably does something similar.

It's possible that there's a large number of certificates issued only for
internal systems that would not end up on CT log servers and that are not
accessible by public crawlers, so the numbers are probably not painting a full
picture. It is, however, as close as you can get to the full picture unless
every CA is willing to release their internal numbers.

------
forlorn
It doesn't support browsers on Windows XP, and that is the only annoying thing
which forced me to roll back Let's Encrypt. I know it is 2016, but complaining
clients are not what you want anyway.

I still have no idea if they are able to fix this in future.

~~~
onuras
I installed Windows XP a few days ago; Let's Encrypt certificates are working
fine on Firefox 43, it just doesn't work if you are using SNI and IE8. Haven't
tried Chrome but it must work.

~~~
heinrich5991
Firefox uses its own certificate store, that's why it works on Windows XP.
Chrome and Internet Explorer will likely not work, because they use Windows
XP's certificates, which don't include trust for Let's Encrypt.

~~~
pfg
Their root certificate is currently not trusted by any browser vendor. They
have a cross-sign from IdenTrust, which is trusted even by XP. However, their
intermediate certificate uses a name constraint in a way that causes schannel
(Microsoft's TLS stack) on XP to think they're not allowed to issue
certificates for _any_ domain name. Chrome and IE use schannel, while Firefox
ships its own TLS stack. This bug was fixed in newer versions of Windows. This
_might_ get fixed if someone finds a way to generate an intermediate cert that
doesn't trigger this bug (while still including the *.mil constraint).

------
MCRed
Does anyone know where one can get a free wildcard certificate? Need it for
development and foo/bar/baz/biff.example.com change names regularly (they
include the hash of the code commit) so I would like to get a
*.dev.example.com wildcard cert. (one that won't give warnings that scare the
business types who are testing the code, and won't understand what self-signed
means.)

~~~
toupeira
If it's just for local development, you can make a self-signed certificate and
add it as trusted to your browser(s).

~~~
rckclmbr
To anyone wondering, this is also what the "big boys" do, so don't feel like
this is a hack. Most big companies have their own company root CA, and install
that cert on their company computers. They then have all internal apps use a
cert signed with that root CA (or derivative thereof).

~~~
zorked
And that's how the CA system is actually supposed to work. You add to the
trust store those entities you trust rather than those that are trusted by the
browser makers...
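
The private-CA approach this subthread describes (a root you add to your own trust store, a wildcard leaf for `*.dev.example.com` as MCRed wants) and the name-constraint mechanism pfg explains further up (an intermediate whose excluded subtree forbids issuance under .mil), as one added example that is neither from the thread nor from Let's Encrypt's hierarchy: a shell script that builds root, constrained intermediate and two leaves with OpenSSL and checks them with `openssl verify`. The names, paths, the `$WORK` directory and the helper functions are assumptions; it needs OpenSSL 1.1 or later for `-verify_hostname`. It shows what a conformant verifier does with the constraint, not the XP schannel behaviour pfg reports.

```shell
#!/bin/sh
# Constructed example (not the Let's Encrypt hierarchy): a private root CA,
# an intermediate with an excluded-subtree name constraint for .mil, and
# leaf certificates, checked with a conformant verifier (openssl verify).
# Assumes OpenSSL 1.1 or later. All files are written under $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
# The placeholder CN is overridden per certificate with -subj below.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA, self-signed: the one certificate that goes into the trust store of
# the company machines, as rckclmbr describes.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" -extensions v3_ca \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Intermediate: CA with pathlen 0 plus the name constraint. An RFC 5280
# verifier rejects any leaf below it whose DNS name ends in .mil and accepts
# everything else; "excluded .mil" must not be read as "nothing permitted".
make_intermediate() {
  cat > "$WORK/int.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,excluded;DNS:.mil
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=Example Internal Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
}

# issue_leaf NAME SANS: end-entity cert signed by the intermediate. Clients
# match the host against subjectAltName, so the wildcard goes there.
issue_leaf() {
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = %s\n' "$2" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# verify_leaf NAME HOST: 0 if NAME.pem -> int.pem -> root.pem chains, the
# name constraint holds and HOST matches the SAN; prints the verifier's reason
# otherwise.
verify_leaf() {
  if out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
             -verify_hostname "$2" "$WORK/$1.pem" 2>&1); then
    printf 'OK   %s via %s.pem\n' "$2" "$1"
  else
    printf 'FAIL %s via %s.pem: %s\n' "$2" "$1" "$(printf '%s' "$out" | tr '\n' ' ')"
    return 1
  fi
}

build_pki() {
  write_req_config
  make_root
  make_intermediate
  issue_leaf web "DNS:*.dev.example.com,DNS:dev.example.com"
  issue_leaf milhost "DNS:www.army.mil"
}

build_pki
verify_leaf web app.dev.example.com                  # OK: wildcard matches one label
verify_leaf web deeper.app.dev.example.com || true   # FAIL: wildcard does not span labels
verify_leaf milhost www.army.mil || true             # FAIL: excluded subtree violation
```

Only `root.pem` is distributed to clients; `int.key` does the day-to-day signing, so a compromise of the issuing machine can be handled by reissuing the intermediate rather than re-rolling every trust store. The third check is the interesting one for pfg's point: a verifier that handles the excluded subtree correctly fails exactly that leaf and nothing else.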

------
vbezhenar
I used StartSSL and WoSign certificates for all websites I had to set up, but I
welcome that initiative and my next website will certainly use an LE certificate.
While it was technically possible to issue free certificates before, LE looks
like a much safer option. After all, StartSSL and WoSign are both commercial
entities and they can do what they want.

------
pfg
Slightly OT: It would be great if CT logs were available as part of Amazon's
or Google's public data sets. Being able to access that data via BigQuery (or
similar) would make generating something like this way easier. It would also
be immensely useful when implementing CT log monitors.

~~~
vgt
ping me and we can help you get this going with BigQuery :)

~~~
pfg
Would be happy to help! Email on my profile (sorry, didn't find yours).

------
dk8996
I've got to say AWS Certificate Manager is a game changer -- it took me 5 min to
secure two domains. Last time I did it, buying a certificate and converting it to
work with AWS took about four hrs.

