
Entering Public Beta - sinak
https://letsencrypt.org/2015/12/03/entering-public-beta.html
======
kubaw
You may also want to try the alternative client from
[https://github.com/kuba/simp_le](https://github.com/kuba/simp_le). It can be
easily dropped into crontab and renews certificates when necessary.

Disclaimer: I'm the author of simp_le and developer of the official client :)

~~~
iheartmemcache
Ehhhh, so I get why you made this, but at the same time, LetsEncrypt
intentionally chose 90 days for the duration of the certs. Presumably because
renewing a cert is a positive confirmation that you still retain ownership.
You _actively_ performed an action that declared: hey I still retain control
of this and it hasn't been compromised. (as opposed to other states your cert
could be in -- abandoned, compromised, password forgotten and you were too
lazy to get the cert revoked-- trust me, engineers made cron because we were
lazy especially when it comes to mundane things).

This is a roundabout way of saying that 90 days was a well-thought-out
duration to issue a cert and the process of renewing it _manually_ is there as
a positive (rather than passive) confirmation you retain control. These guys
are doing a public service, on par with archive.org and the EFF. I'm not sure,
but even though I've been using cron since before I was a teenager, I'm not
throwing that entry in.

Edit: Whoops, so I was half-wrong, mea culpa.
[https://letsencrypt.org/2015/11/09/why-90-days.html](https://letsencrypt.org/2015/11/09/why-90-days.html)
Part 1 addresses the security issue I brought up, and part 2 endorses
automation. My mistake.

~~~
detaro
Let's Encrypt gives encouraging automation as a reason why they choose 90
days:

 _They encourage automation, which is absolutely essential for ease-of-use. If
we’re going to move the entire Web to HTTPS, we can’t continue to expect
system administrators to manually handle renewals. Once issuance and renewal
are automated, shorter lifetimes won’t be any less convenient than longer
ones._

[https://letsencrypt.org/2015/11/09/why-90-days.html](https://letsencrypt.org/2015/11/09/why-90-days.html)

~~~
dingaling
That philosophy is perplexing because system admins already have to manually
handle things like software upgrades. Unlike SSL renewals, upgrades usually
occur at an arbitrary frequency, yet admins seem to be able to cope.

I'd also contend that 90 day expiry makes end-users less sensitive to
certificate change notifications; at present if a website renews its cert
after a year I receive a pop-up and I pay attention. Receiving one every 60
days will just condition people to start ignoring cert changes, whether valid
or not.

~~~
sbierwagen
What? No browser displays a notification when a website changes its cert. It
doesn't even show you a notification if it changes its _key,_ that's the whole
point of key pinning:
[https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinn...](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)
(A pin failure results in a _non-bypassable_ HTTPS error:
[https://projects.dm.id.lv/Public-Key-Pins_test](https://projects.dm.id.lv/Public-Key-Pins_test))

~~~
TheDong
The most popular way to get that is:
[https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/](https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/)

I personally no longer use it because of all the noise, even before Let's
Encrypt.

------
diafygi
FYI, if you don't want to install anything to try it out, you can use
[https://gethttpsforfree.com](https://gethttpsforfree.com), which is a
browser-based ACME client. It doesn't ask for private keys, so you don't need
to trust it.

~~~
necessity
I'm a layman when it comes to secure websites and certificates. I remember
reading that the "free https" provided by Cloudflare meant Cloudflare owned
the private keys to something and was able to see all traffic. Is that the
case with Let's Encrypt? Because if it is, I don't see it as an improvement at
all.

~~~
atonse
No, you never send your private key to anyone, with any HTTPS certificate
generating scheme.

All they do is sign your public key.

~~~
ge0rg
At least you should not. StartSSL (and probably other CAs) has a prominent
feature to create your key pair for you, which you need to skip to use a
signing request. Always use the latter!

------
pfg
Happy to see this project hit public beta! I've deployed Let's Encrypt on a
couple of side projects during the last month or so, and my experience has
been mostly positive.

The official client still needs some work, especially in terms of auto-
configuration on apache, nginx and others, but it's getting there. Some say
it's become a bit bloated, which is true to a certain degree, but probably
necessary to achieve the goals they have set for it.

Luckily, Let's Encrypt is based on an open specification (ACME) and it's
really easy to implement a custom client. There are already more than 10
client implementations out there[1], all created with different goals in mind
- anything from a Ruby gem to simple scripts to get your own CSR signed. If
you're not running your typical LAMP or LEMP stack, and don't want to run the
official client which is more of a certificate manager requiring root access,
that's definitely something to look into.

Note that if Windows XP support is relevant for your use-case, you might want
to hold off. There's currently a problem with how XP deals with name
constraints, which means any application using Windows XP's SSL API (I believe
it's called schannel?) won't work - for example Internet Explorer and Chrome.
This might get fixed in the future[2]. Hopefully, that's not relevant to you.
:)

[1]: [https://community.letsencrypt.org/t/list-of-client-implementations/2103?u=pfg](https://community.letsencrypt.org/t/list-of-client-implementations/2103?u=pfg)

[2]: [https://github.com/letsencrypt/letsencrypt/issues/1660](https://github.com/letsencrypt/letsencrypt/issues/1660)

~~~
StavrosK
I love this one in particular:

[https://github.com/diafygi/acme-tiny/](https://github.com/diafygi/acme-tiny/)

~~~
_asciiker_
Very good indeed!

------
mholt
Here's a Go client that has no dependencies and runs everywhere:
[https://github.com/xenolf/lego](https://github.com/xenolf/lego)

~~~
tshannon
I just used it, and it works beautifully. Much easier and less impact than the
official client.

Thanks,

------
mei0Iesh
They keep trying to push the idea that letsencrypt should be run as root. If
you disagree with that, I ran it as a normal user using:

    letsencrypt -t --work-dir /tmp --logs-dir /tmp \
        certonly --webroot /www/public -d example.com

Except on my system the letsencrypt command did not work. It failed with an
"Operation not permitted". So I edited the webroot.py file, and commented out
line 108 that said:

    # Remove execution bit (not needed for this file)
    os.chmod(path, filemode & ~stat.S_IEXEC)

It ran fine without root, sudo, or su.

Then I added this to nginx.conf:

    listen 443 ssl http2;
    ssl_certificate /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/example.com/privkey.pem;

It gets an A+ on ssllabs.com, and it works fine in the browser. When I click
the lock it says "Let's Encrypt".

~~~
simoncion
> They keep trying to push the idea that letsencrypt should be run as root.

When you say it that way, it sounds like there's something untoward going on.
;)

From what I understand, the official client _can_ bind to port 80 to do Basic
HTTP verification. This requires root privs. The official client can also
update many HTTP server config files. I guess you don't need to be root to do
this, but it does remove a command line flag. LE is designed to be stupidly
simple, but -as you've discovered- it does let more technical users run it in
safer modes of operation.

> Except on my system the letsencrypt command did not work. It failed with an
> "Operation not permitted".

Odd. If I'm reading the code correctly, it looks like you have to have write
and create privs to 'path', so it's odd that you wouldn't also be able to
remove the execute bit.

Regardless, would you file a bug about this or -at least- bring it up on the
mailing list? It's possible that this is user error, but if it's not, I expect
that it's something the LE guys would like to hear about.

~~~
skydev0h
Actually... it's chown that is failing, which is very logical: only root can do
chown.

------
hlandau
I'm the nth author of an ACME (Let's Encrypt) client. It's a single-binary Go
client which you can build and upload to your server. It's designed to work
like "make"; you tell it what hostnames you want certificates for, and it
tries to satisfy those requirements. It can install a cronjob automatically
for autorenewal, and the authorization process doesn't require downtime.

[https://github.com/hlandau/acme.t](https://github.com/hlandau/acme.t)

~~~
helfire
Out of all the clients I tried yesterday, this one seemed the most thought out
in terms of usability and operations with automation.

------
davexunit
The official Let's Encrypt client has an extremely large dependency graph, and
using the client requires server downtime since it takes over port 80. Can
either of these things be improved?

~~~
ultramancool
Yes, this greatly annoyed me too especially given the 3 month expiry time.
[https://github.com/diafygi/acme-tiny](https://github.com/diafygi/acme-tiny)
is a tiny alternative client without any dependencies (except python itself),
and you can use any web server including your usual running one to serve the
challenge responses up.

~~~
wbond
It also requires the openssl executable in your path.

~~~
diafygi
Luckily, it's less than 200 lines and open source! Please feel free to fork it
and modify for your needs :)

~~~
wbond
I was just clarifying for other readers. I looked through it because I've been
working on some Python crypto stuff for a while, so I was curious what it used
since the statement above was that it only required Python.

------
barosl
For those concerned with the official client requiring `sudo`: there are
already many alternative clients that are compatible with the Let's Encrypt
server, mine included.[1]

I made my own client because I wanted to know what's exactly going on during
the certificate issue process. I tried to make the code as simple as possible,
so take a look if you have time![2] It's a simple single file script.

[1] [https://github.com/barosl/letsencrypt-simple](https://github.com/barosl/letsencrypt-simple)

[2] [https://github.com/barosl/letsencrypt-simple/blob/master/letsencrypt-simple.py](https://github.com/barosl/letsencrypt-simple/blob/master/letsencrypt-simple.py)

------
binwiederhier
In case anyone is looking for an actual cronjob example, this works
wonderfully:

    #!/bin/bash
    # Renew via simp_le; reload Apache only when simp_le reports success
    cd /srv/cert/domain.xyz || exit 1
    simp_le -d domain.xyz:/srv/www/domain.xyz/html \
        -f key.pem -f cert.pem -f fullchain.pem \
        && service apache2 reload

And in the crontab:

    43 1 * * * /srv/bin/cert-renew || true

EDIT: This is using the simp_le client
([https://github.com/kuba/simp_le](https://github.com/kuba/simp_le)), not the
official client. But this one is way easier to use.

EDIT 2: Guide here:
[https://blog.philippheckel.com/2015/12/04/lets-encrypt-5-min-guide-to-set-up-cronjob-based-certificate-renewal/](https://blog.philippheckel.com/2015/12/04/lets-encrypt-5-min-guide-to-set-up-cronjob-based-certificate-renewal/)

~~~
bronson
It should be noted that this isn't using LetsEncrypt's client.

~~~
binwiederhier
Yes, correct. This is using the simp_le client (as mentioned in
[https://news.ycombinator.com/item?id=10672006](https://news.ycombinator.com/item?id=10672006)).
The client is easier to use and developed by the same author as the official
client. Works wonderfully.

------
sinak
EFF's post on the beta, including details on the roadmap:
[https://www.eff.org/deeplinks/2015/12/lets-encrypt-enters-public-beta](https://www.eff.org/deeplinks/2015/12/lets-encrypt-enters-public-beta)

~~~
mtgx
Looks like Certificate Transparency isn't on the roadmap? What's the holdup on
that? Seems like a perfect match for something automated like Let's Encrypt.

~~~
pfg
Certificates are already being pushed to CT log servers.

~~~
rockdoe
SSL Labs claims there's no CT support, but I must admit I'm at a loss if this
is a server configuration issue or not.

------
denisu
I have seen many howtos recommending to add a monthly cronjob for the
certificate renewal on the first day of the month at 12am (0 0 1 * * or
@monthly). It is probably better to renew the certificate on a random day/time
(30 4 5 * *) to prevent excessive load on their servers.

~~~
mrw34
A RANDOM_DELAY is actually built into @monthly, at least on RHEL/CentOS 6+.

------
Savagedlight
If you're using FreeBSD and NGINX you may like the guide I wrote the other
day. :)
[http://savagedlight.me/2015/11/24/lets-encrypt-on-a-freebsd-nginx-reverse-proxy/](http://savagedlight.me/2015/11/24/lets-encrypt-on-a-freebsd-nginx-reverse-proxy/)

PS: I also made a cron-callable script which checks the expiry time of the
cert before telling letsencrypt to renew. It checks if the cert was renewed
afterwards, and echoes to stderr if renewal didn't take.
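
A cron-callable check along the lines Savagedlight describes (renew only near expiry, then verify the renewal took and complain on stderr otherwise), written here as an added Python example rather than taken from their script or the guide. It assumes the openssl binary is on PATH, a 30-day renewal window, and that the renewal command is passed on the command line after `--`.

```python
"""Cron-callable renewal check for a Let's Encrypt certificate.

Renews only when the certificate is close to expiry, then verifies that the
new certificate's notAfter actually moved forward and complains on stderr
if the renewal did not take.  Constructed usage (paths and command assumed):

    cert-check.py /etc/letsencrypt/live/example.com/cert.pem -- \
        letsencrypt certonly --webroot -w /var/www/html -d example.com
"""
import ssl
import subprocess
import sys
import time

# Assumed policy: with 90-day certificates, start renewing once fewer than
# 30 days remain, so a few failed cron runs still leave time to intervene.
RENEW_BEFORE_DAYS = 30


def parse_not_after(enddate_line):
    """Turn 'notAfter=Dec  3 00:00:00 2015 GMT' (the output of
    `openssl x509 -noout -enddate`) into seconds since the epoch (UTC)."""
    value = enddate_line.strip()
    prefix = "notAfter="
    if value.startswith(prefix):
        value = value[len(prefix):]
    # ssl.cert_time_to_seconds understands the "%b %d %H:%M:%S %Y GMT"
    # layout that openssl prints for certificate dates.
    return ssl.cert_time_to_seconds(value)


def days_left(not_after, now):
    """Days until expiry, fractional; negative once the cert has expired."""
    return (not_after - now) / 86400.0


def should_renew(not_after, now, threshold_days=RENEW_BEFORE_DAYS):
    """True when the certificate is inside the renewal window or expired."""
    return days_left(not_after, now) < threshold_days


def renewal_took(old_not_after, new_not_after):
    """A successful renewal always yields a later notAfter than before."""
    return new_not_after > old_not_after


def read_not_after(cert_path):
    """Read notAfter from a PEM certificate on disk via the openssl CLI
    (assumed to be installed; acme-tiny in this thread needs it too)."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path])
    return parse_not_after(out.decode("ascii"))


def main(argv):
    if len(argv) < 4 or argv[2] != "--":
        sys.stderr.write("usage: %s CERT.pem -- RENEW-COMMAND...\n" % argv[0])
        return 2
    cert_path, renew_cmd = argv[1], argv[3:]

    before = read_not_after(cert_path)
    if not should_renew(before, time.time()):
        return 0  # nothing to do: stay silent so cron sends no mail

    subprocess.call(renew_cmd)  # the client renews; we only verify the result
    after = read_not_after(cert_path)
    if not renewal_took(before, after):
        sys.stderr.write("renewal of %s did not take: notAfter is still %s\n"
                         % (cert_path,
                            time.strftime("%Y-%m-%d", time.gmtime(after))))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```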

------
mei0Iesh
Now that it's public, and I verified it works...

[https://letsencrypt.org/donate/](https://letsencrypt.org/donate/)

------
SwellJoe
This is among the most exciting things going on in the web world, for me. It's
a pretty dramatic change that now every website can be encrypted, by default,
and in a secure(ish) fashion (it doesn't really do much for proving identity,
but SSL has been broken for that for years anyway).

I suspect integrating this has been the most requested feature for Virtualmin
for the past several months (and we're about to roll it out, probably next
week). For whatever reason, SSL is just always intimidating for people...even
when it's been almost entirely automated, the back and forth between the CA
and the server and dealing with private keys is a deal-breaker for a lot of
non-technical users, so many of our users who are new to web server management
have problems with SSL. It follows close behind DNS in terms of how much
confusion it causes.

Anyway, I love that Mozilla and others took the initiative to pull this
together, and used their not insignificant clout to push it to completion.

~~~
mei0Iesh
What else is exciting? This is the most exciting thing for me, which is
actually pretty sad. It's 2015, and HTTPS still isn't widespread, and
something like this wasn't done before? It's a good little new thing, but it
doesn't really push anything forward. It feels like we're still where we were
a decade ago.

~~~
SwellJoe
PHP 7 is a pretty big deal for our users, though not particularly to me
(though our websites run on Drupal, WordPress, and Mediawiki so we will get
some performance benefit from the change).

It does seem ridiculous that something like Let's Encrypt didn't happen
sooner. But, now that it's finally here, I'm excited about it. I like that we
can also expect mail to get more widespread encryption because of this, as
well.

------
grizzles
Java: I made a cron friendly script to convert the letsencrypt keys to JKS
format.
[https://github.com/ericbets/letsconvert](https://github.com/ericbets/letsconvert)

------
sleepychu
Any word on *.mydomain.tld certs from letsencrypt? That's the only thing
stopping me from installing it today.

~~~
simoncion
Is the ability to get any number of subdomain certs at no charge an adequate
substitute for wildcard certs?

~~~
detaro
It still might get annoying (for both sides) if you request thousands of them,
+ you might not want to publish a list of all valid ones. Example: The issue
came up in relation to sandstorm.io, which uses (for security reasons) a
subdomain for every document that exists on a server.

~~~
simoncion
Perhaps I'm ignorant, but I don't see how the _LE_ guys would be annoyed about
thousands of requests for TLS certs from a single user. The system _is_
automated, after all. :)

> + you might not want to publish a list of all valid ones.

I assume that you mention this to illustrate a scenario where certs with a
bunch of SANs is not a solution to the problem? If you weren't, does LE do
something like publishing a list of all of the domains for which they have
issued certs?

~~~
archimedespi
> but I don't see how the _LE_ guys would be annoyed about thousands of
> requests for TLS certs from a single user. The system is automated, after
> all. :)

We have to actually run a complicated server that does things with an external
Hardware Security Module. CPU time, disk space, and bandwidth all cost money,
and there's a finite amount of money we can spend on resources :)

Thus, rate-limits. That also helps keep latency low for most users, and
prevents DDOSing.

------
nodesocket
Anyway to get a wildcard SSL certificate from Let's Encrypt? Mine is coming up
for renewal soon.

~~~
mynameisvlad
No, the whole point of LE is that you wouldn't need one because you'd
automatically get a named certificate for each one of your sites.

~~~
lucb1e
Ah you can get any number of certificates for each subdomain you wish?

Aside from dynamic subdomains, that would indeed solve the need for wildcard
certificates.

~~~
pfg
Yep, or one certificate for multiple subdomains (SAN certs).

------
SCHiM
How does Let's Encrypt handle possible phishing domains?

Even if there's zero mitigation I think the benefits will outweigh the
downsides, but I wonder if there's anything that stops a criminal from
registering a domain that is very similar to, say, that of a bank?

I know from experience (ethical hack) that the traditional authorities won't
easily let you register 'suspicious' names like: <bank>-<name>.com where the
original domain is <bankname>.com. Or something like that.

~~~
pyvek
I'd like to know more about this. When you buy domain validated SSL
certificate (that costs $5-10) for which the process is completely automated,
does the issuing authority really check or care about which domain it is being
used on? Does a human (or a program) check the "suspicious factor" of the
domain?

~~~
chrisfosterelli
No. It's easy to currently register an SSL certificate for any domain, even if
that domain is similar to the name of another. The main reason this was a
"deterrent" to phishers is that generating tons of these was expensive.

The phishers still have to front the cost for the domain itself, so this
really isn't going to increase the number of phishing domains. It may increase
the number of phishing domains with SSL, but the purpose of Let's Encrypt is to
encrypt everything -- not just "official domains".

~~~
SCHiM
No you are wrong. Perhaps it's not the case everywhere. But like I said, from
personal experience I know that certain types of domains are checked. I tried
and failed to register a certificate for a phishing domain that masqueraded as
a banking website.

Whether or not this was originally the point of SSL, this is how many
non-technical people decide to trust a page or not: by looking at the lock in
their browser.

~~~
chrisfosterelli
> No you are wrong. Perhaps it's not the case everywhere. But like I said,
> from personal experience I know that certain types of domains are checked. I
> tried and failed to register a certificate for a phishing domain that
> masqueraded as a banking website.

I never said it's the case everywhere. I said it's easy to register an SSL
certificate for basically any domain you actually own, which is true. Basic
SSL certificates are not designed to provide extended validation (there is EV
certificates for that), they are designed to identify that domain.

------
esher
Everyone interested in conspiracy, please read the comments over here:
[https://www.schneier.com/blog/archives/2014/11/a_new_free_ca.html#comments](https://www.schneier.com/blog/archives/2014/11/a_new_free_ca.html#comments)
when Bruce Schneier wrote about Let's Encrypt.

~~~
aw3c2
That's very overblown. Any CA in any place on the globe is in danger of being
taken on their balls by some shady state agency. That's the CA problem.

Doing this at huge scale is not possible though without people noticing. Also
one can pin certificates in some situations. Let's Encrypt makes it easy for
us people to put an end to mass surveillance.

~~~
chias
Unless I'm mistaken they're also fundamentally misunderstanding SSL/TLS.

As far as I can tell, LE never sees your private keys. A Certificate Authority
signs your _public_ key, so no, the NSA can't coerce LE to give up your
private key because LE never sees it to begin with. Could the NSA coerce LE
into signing one of the NSA's public keys under your Common Name (that is,
coerce them into issuing rogue certificates for "national security" use)?
Certainly, but they could do this before, with any already existing CA.

------
arca_vorago
What I would really like is wildcard certs for internal only use. For now, as
I understand it, the only way to do so would be to temporarily port forward
the internal server so it can reach out and close it later... Certs are not
just for the internet websites, they are important for Intranets too.

------
r1ch
Problems with a reverse proxy?

"There were too many requests of a given type :: Error creating new
registration :: Too many registrations from this IP"

First time trying to sign up and only for a single domain.

~~~
NikLP
I got this too. No idea why.

------
scoot
Dumb question time: Why would IdenTrust, part of whose business is selling SSL
certificates, cross-sign for Let's Encrypt, whose business is giving them away
for free?

~~~
davisr
Probably for the publicity, because a lot of Let's Encrypt users will want to
upgrade to EV certificates at some point.

------
tokenizerrr
Does anyone know if their server supports DNS validation yet?

~~~
pfg
Not yet, but soon[1]!

[1]: [https://community.letsencrypt.org/t/on-the-state-of-the-dns-01-challenge/4805/2?u=pfg](https://community.letsencrypt.org/t/on-the-state-of-the-dns-01-challenge/4805/2?u=pfg)

~~~
Perceptes
Is there a GitHub issue to track?

------
MarkMc
I know this is late, but FYI: it seems that certificates issued by Let's Encrypt
are not as widely accepted as those from other commercial providers.

For example, by trial and error I found that the webhook API for both Mandrill
and SendGrid did not recognise the Let's Encrypt certificate (although Google
Chrome did recognise it). When I switched to a certificate issued by Namecheap
both Mandrill and SendGrid worked.

~~~
pfg
Make sure you're serving the full chain to the root CA, that might be the
issue.

LE certs might have that issue with Java apps, since the cross-signed CA isn't
currently included in the Oracle root store (they're working on that).

------
chmike
Can we use the certificate for dovecot and postfix as well? Would it be safe?
From the documentation it applies only to web servers.

~~~
trampi
I do, it works. Exim and dovecot.

~~~
chmike
What about this 90-day validity limit? Do you update it with a script?

~~~
trampi
Haven't been on the limit yet, but I have a small bash script which will
revalidate them. I have a TODO to revalidate once manually when it is near
expiration. If the script works, I will probably throw it in a cronjob.

------
stevebmark
PSA: don't use ReadTheDocs for your documentation. Turns good projects sour
with a nasty UI, poor features, and horrible SEO.

~~~
archimedespi
Eh, it works and we care way more about that.

Anyhow, we can always switch the Sphinx theme, and your comment sounds more
like a complaint about Sphinx in general (which I don't happen to agree with,
but whatever).

------
xrstf
For those already using Let's Encrypt since the closed beta: Do not forget to
remove the `agree-dev-preview` flags, as newer client versions do seem to throw
up if it's still set. I had `agree-dev-preview = True` in a config file and
got an error about True being an invalid value.

------
gradi3nt
Ignorant question: If they are making getting a certificate easy for everyone,
what is to stop "bad guys" from getting certificates for their sketchy sites?
I usually look to the green "https" in my uri bar for reassurance when I'm on
an unusual site.

~~~
M4v3R
Nothing will. Checking for https for validation whether author of a website
has malicious intents is wrong, SSL is not intended for that purpose. That's
the purpose of an EV cert, because it requires a company to prove its
identity, so the very least you can do is to look for green bar / company name
in the address bar.

~~~
gradi3nt
So then why is it important? What is the argument for encrypting all web
traffic? Does it act as a sort of camouflage for the actually important
encrypted traffic?

------
jstalin
Hoping for automation for Nginx...

~~~
jbverschoor
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt/
    ./letsencrypt-auto

(ignore the 'error'. It's because you don't run apache)

    /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot \
        -w /var/www/example.com/public -d www.example.com -d example.com

(uses the public directory for ownership check, and creates a cert for
www.example.com + example.com)

Then in your /etc/nginx/sites-enabled/example.com:

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

Sorry.. you're asking for automation

------
awqrre
Can you use this on a shared host and avoid the certificate installation fee?

------
slavik81
I'm having trouble finding where it specifies what permissions I need to use
Let's Encrypt. Can I get a certificate for my subdomain even if I don't
control the full domain?

~~~
pfg
Yes, as long as you're able to host content at
subdomain.example.com/.well-known/acme-challenge/{random_token}, you're good to go!

------
AndyKelley
Does it work without port 80? Many home ISPs block port 80 which would prevent
homes from being able to use the service.

------
FPSDavid
Can't wait to start using this on nginx.

~~~
kangman
Why don't you give Caddy a try, which has Let's Encrypt baked in.

[https://caddyserver.com/](https://caddyserver.com/)

~~~
Touche
This looks pretty cool, it doesn't explain how to use Let's Encrypt as far as
I can find in the docs, have an example?

EDIT: Looks like it's available in the latest prerelease.
[https://github.com/mholt/caddy/releases](https://github.com/mholt/caddy/releases)

~~~
mholt
Yep, check back tomorrow. Meanwhile here's a 28-second teaser video of it
working:
[https://www.youtube.com/watch?v=nk4EWHvvZtI](https://www.youtube.com/watch?v=nk4EWHvvZtI)

------
nulltype
Does renewing a certificate require completing a challenge, or is that only
for the initial certificate?

~~~
abricot
Also for renewing. Otherwise they can't be sure you still actually control the
domain.

------
rynop
From what I can tell, this does not support generating an SSL cert for use
with AWS ELB correct?

------
SunDwarf
Works flawlessly on my site. SSLLabs recognises the cert. Super easy to setup.

~~~
ultramancool
> Super easy to setup.

Yes, thank god I don't have to manually contact anyone like StartSSL or even
provide real contact information for this. It's just what it says - domain
validation, nothing more.

Interestingly, StartSSL did far more verification for their free certificates
than other providers I used for paid certificates, Comodo, GlobalSign,
AlphaSSL, etc.

------
wereHamster
How do I use it with Google Cloud HTTP Load Balancer?

------
pjbrunet
"We want to see HTTPS become the default."

Sounds fine for shopping, online banking, user authorizations. But for every
website? If I'm a blogger/publisher or have a brochure type of website, I
don't see the point of the extra overhead.

Update: Thanks to those who answered my question. You pointed out some things
I hadn't considered. Blocking the injection of invisible trackers and
javascripts and ads, if that's what this is about for websites without user
logins, then it would help to explicitly spell that out in marketing
communications to promote adoption of this technology. The free speech angle
argument is not as compelling to me though, but that's just my opinion.

~~~
pfg
Without HTTPS, any MitM could inject ads, malware, or simply manipulate any
content on your blog. TLS isn't just useful to encrypt private data, it also
makes sure what you see is what the site owner wanted you to see. With http/2,
the overhead is minimal and with TLS 1.3 it might soon be gone completely
(since it's probably going to add a mode that avoids multiple round trips for
the initial TLS handshake; encryption itself isn't really an issue nowadays
with AES-NI, etc.)

~~~
Someone1234
And this isn't a theoretical threat either, actual ISPs have been injecting
adverts, trackers, and other content into third party websites. Even in the
US.

See:

[http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/](http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/)

[http://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html](http://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html)

[http://www.makeuseof.com/tag/two-ways-your-isp-is-spying-on-you-and-how-to-be-safe/](http://www.makeuseof.com/tag/two-ways-your-isp-is-spying-on-you-and-how-to-be-safe/)

~~~
pjbrunet
Yes I'm aware of that. But guess what, ISPs no longer do that because they
were sued and lost.

~~~
pjbrunet
OK Someone1234, I was not aware of that. So what ISPs should we avoid now?

~~~
simoncion
Pro tip: If the "reply" thingie on a comment is missing, click on the
comment's timestamp to load the comment itself and a reply thingie will
appear.

~~~
pjbrunet
Good to know, thanks.

