

Let's Encrypt Developer Preview - julianj
https://github.com/letsencrypt/lets-encrypt-preview

======
Someone1234
This is going to sound super ungrateful but...

If they already have the CA stuff ready can they just release that? I don't
really care about their auto-magical tool which is meant to reconfigure your
server for you. Configuring Apache/IIS etc is not that complex, the only
reason I don't have a certificate on my private website is because the
certificate costs more than the hosting annually (literally).

Plus I'm never going to run this tool even when it is production ready. I
don't trust random tools to reconfigure my system, and would prefer to
manually follow tutorials so it is easy to undo every change or at least be
aware of exactly what changes got made.

~~~
btreecat
> because the certificate costs more than the hosting annually (literally).

So what you are saying is that because you can get an SSL cert free from
startcom, that your hosting provider is paying you?

[https://www.startssl.com/?app=1](https://www.startssl.com/?app=1)

~~~
nadams
I don't think anyone is home:

[https://forum.startcom.org/viewforum.php?f=8](https://forum.startcom.org/viewforum.php?f=8)

After I saw the state of their forums/community I ran, not walked, away from
their service. Which is rather scary considering they are a trusted CA...

I think really the only reasonable thing to do is pay $15/yr for any site that
other people will use and use your own CA for your personal projects.

Getting CA certs into Android however is a whole other issue...

~~~
scrollaway
Good god. I knew StartSSL was bad, but not this bad.

I usually buy certs either through Gandi.net (which has a good "free
certificate" program with its own domains), or COMODO through Namecheap as a
reseller.

------
flecno
You should really see
[http://media.ccc.de/browse/congress/2014/31c3_-_6397_-_en_-_...](http://media.ccc.de/browse/congress/2014/31c3_-_6397_-_en_-_saal_6_-_201412301400_-_let_s_encrypt_-_seth_schoen.html#video)

~~~
Spooky23
Thank you. This was a really informative, excellent talk.

------
IgorPartola
Does anyone know whether this initiative will provide wildcard certs? Or will
this be restricted to single domain certs?

~~~
Spooky23
They will do multi-domain certs, but no wildcards.

Also, you can reissue certs with added SANs.

------
hrjet
I was looking at the how it works[1] article but it isn't clear to me how the
domain is validated.

Couldn't an MITM between the LetsEncrypt service and the example.com server
request a certificate, then respond to the challenge, and then use that
certificate later?

Getting a certificate from StartSSL was similar. The only difference was that
there was a human involved in the loop (a mail is sent and the user has to
copy paste the contents of the email), but in essence, both the services seem
vulnerable.

This seems to be an unsolvable bootstrapping problem, unless some sort of
physical verification is done.

What am I missing?

[1]: [https://letsencrypt.org/howitworks/technology/](https://letsencrypt.org/howitworks/technology/)

~~~
vertex-four
The protocol asserts that you have control over the domain, and over a machine
that can be accessed at the domain's A record. If you can make your machine
appear to be at google.com from the perspective of LetsEncrypt for the
duration of the request process, you can get a cert from them.

This is standard for _all_ domain-validation-only certificate authorities,
i.e. the cheapest cert you can get from any given company.

