Forum Moderators: phranque

Let's Encrypt Now In Public Beta: Anyone Can Get Free HTTPS Certificates

     
10:43 am on Dec 4, 2015 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25913
votes: 873


According to the latest news from Let's Encrypt, the foundation providing a free, automated and open certificate, it's now in public beta, which means anyone can now get a certificate at no cost.

Let's Encrypt is from Internet Security Research Group (ISRG), which is a California public benefit corporation, supported by a number of organisations, whose members include Mozilla, Electronic Frontier Foundation, Cisco, Akamai, and others, along with new member, Facebook.

[letsencrypt.org...]
11:24 am on Dec 4, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Oct 5, 2012
posts:920
votes: 181


I love the concept, not sure about open source security but it should be a good thing.

Sadly, when I look at their site all I see is a $10k do-follow link opportunity....
11:30 am on Dec 4, 2015 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25913
votes: 873


Here's the technical page, for those that want it [letsencrypt.org...]
6:34 am on Dec 5, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 4, 2001
posts: 1277
votes: 17


Wow... Free certificates are nothing new but their FAQ claims that their certificates are trusted by everything but Windows XP! If that's true this is a huge step forward.
9:59 pm on Dec 5, 2015 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:Mar 10, 2004
posts:462
votes: 50


Sounds like a good step forward. I'll take open source security over closed any day. Open source can be independently audited by many parties, and my level of trust that it wouldn't have government back doors is higher.
1:25 am on Dec 6, 2015 (gmt 0)

Junior Member from CA 

joined:Dec 1, 2015
posts:41
votes: 8


Is there any downside to this or should we all stop using those paid certificates?
1:46 am on Dec 6, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 4, 2001
posts: 1277
votes: 17


In terms of session security there is essentially no difference. There are differences in how some of the more expensive certs verify domain ownership and there is insurance that comes with some of them.

The only real downside to free certificates is browser trust. None of the free certs are trusted by all major browsers which makes them useless for public applications.

If these certificates are indeed trusted then I see no reason for most websites to continue using paid certificates.
9:23 pm on Dec 6, 2015 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2233
votes: 142


Why do I cynically think that all these "free" certificates will have a limited "used by" life?

In the not too distant future - when all those thousands of new users have come on board:

"Oh your certificate is soon due for renewal, unfortunately rising costs have now forced us to impose a "renewal fee" of $XXXXX"

Nah! I'm just a cynic.
9:32 pm on Dec 6, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 4, 2001
posts: 1277
votes: 17


Yep you are :-) Renewing a certificate is the same process as replacing it with a different one so it's not as if a user is locked in to a specific provider.
11:38 pm on Dec 6, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ogletree is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 14, 2003
posts: 4319
votes: 42


XP is still a big install base. I read XP is almost 17% of all computers.
1:52 am on Dec 7, 2015 (gmt 0)

Junior Member

joined:Jan 13, 2014
posts:115
votes: 23


Good way to get them to upgrade though.
12:09 pm on Dec 7, 2015 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Sept 21, 1999
posts:38200
votes: 96


I often wonder if https push is all about advertising. Remember when some ad firms (like Google) were getting some of their AdSense ads poached/replaced by ISPs a few years ago? Suddenly Google and a bunch of other ad firms got the religion on https (which makes it very difficult for Time Warner/Comcast and the usual suspects to tamper with Google searches between Google and the end user).
12:33 pm on Dec 7, 2015 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts: 2874
votes: 161


XP is down to below 8% and falling: [gs.statcounter.com...] and unsupported on XP usually means unsupported by IE on XP. Anyone still using IE on XP must have a thoroughly cracked system.

I am happy to try Let's Encrypt at this stage: next time I need SSL for a non-critical site I will try it.

@Brett, it probably is, but it's still a good thing.
12:35 pm on Dec 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 10, 2001
posts:1551
votes: 10


Remember when some ad firms (like Google) were getting some of their AdSense ads poached/replaced by ISPs a few years ago?
I don't really care about Google's motivation here, as long as it means that the delivered content can't be tampered with, and the visitors are harder to track for third parties.

Now if all that was a bit easier to implement on a shared hosting plan...
5:24 pm on Dec 11, 2015 (gmt 0)

System Operator from US 

incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14664
votes: 99


While free SSL, assuming it's trustworthy, is a good thing so we can completely secure the web, there's also a dark side to this that I don't think anyone was anticipating. I fear the hackers, phishers, spammers and other vermin will find something bad to do with these free certs that will blow our minds. Previously SSL had to be verified so anyone needing an SSL connection on the down low had to hack an SSL site, assuming they could find a way in, and then use a folder on that site to do their dirty deeds, like a secure man-in-the-middle attack, phishing schemes, etc. Now they can just set up SSL shop on any abandoned domain they've infiltrated and have a field day.

Imagine what would happen if some nefarious person infiltrated a domain park and had full access to literally tens of thousands, if not millions, of domains and could make them all secure as well?

I don't even want to think about it.

How hard is it for any jerk to set up SSL on any domain you might ask?
To kick off the process, the agent asks the Let's Encrypt CA what it needs to do in order to prove that it controls example.com. The Let's Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

Provisioning a DNS record under example.com, or
Provisioning an HTTP resource under a well-known URI on https://example.com/

[letsencrypt.org...]

Requiring the DNS record is good, that would stop most hackers unless they had access to your registrar account as well; this is usually not the case. However, the HTTP resource can be easily created once you have access to the server so VOILA! let the good times roll.

Hopefully I'm wrong and this won't make life easier for the bad guys but my gut tells me they've already figured out new scams using this free SSL service and it's going to be a wild trip now that the only thing stopping them from looking legit, a paid for validated SSL cert, is no longer trustworthy.

Nicely done.

Not.
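
Added example, not part of the original thread: one way a server operator can watch for the HTTP validation step quoted above is to scan access logs for requests to the ACME challenge path on hostnames they never requested a certificate for. The log layout (vhost-prefixed combined format), the sample lines, and the function name are assumptions made for this sketch.

```python
import re

# Path under which ACME HTTP validation resources are requested.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Assumed layout: vhost, client IP, ident, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
www.example.com 203.0.113.10 - - [11/Dec/2015:17:20:01 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "validator"
parked.example.net 203.0.113.10 - - [11/Dec/2015:17:21:14 +0000] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 200 87 "-" "validator"
www.example.com 198.51.100.7 - - [11/Dec/2015:17:22:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
old.example.org 203.0.113.10 - - [11/Dec/2015:17:23:02 +0000] "GET /.well-known/acme-challenge/tokenCCC HTTP/1.1" 404 162 "-" "validator"
"""


def unexpected_validations(log_text, expected_hosts):
    """Return challenge requests that hit hosts outside the operator's
    list of domains they actually requested certificates for."""
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        host = m["host"].lower().split(":")[0]  # drop any :port suffix
        if host in expected:
            continue
        findings.append({
            "host": host,
            "client": m["ip"],
            "time": m["ts"],
            "token": m["path"][len(CHALLENGE_PREFIX):],
            # A 2xx answer means the challenge file existed on this server.
            "served": m["status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_validations(SAMPLE_LOG, {"www.example.com"}):
        state = "SERVED" if f["served"] else "not served"
        print(f'{f["time"]} {f["host"]} token={f["token"]} {state}')
```

A finding with `served` set to true means a validation file was present on a hostname the operator did not expect, which is the situation worth investigating first.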
5:46 pm on Dec 11, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Oct 4, 2001
posts: 1277
votes: 17


Scammers will no doubt use it. But it should be noted that many paid certs use the same verification.
7:40 pm on Jan 1, 2016 (gmt 0)

System Operator from US 

incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14664
votes: 99


Well what I said was going to come true already has in part, this was that when Google told everyone to start switching to HTTP that they would start ranking HTTPS over all others. Back when HTTPS was more of a signal of quality and security, that was a good thing as it could easily weed out all the non HTTPS crap out there.

Now that we have these free SSL certs the HTTPS signal is 100% meaningless.

1 step forward, 2 steps back.
6:26 am on Jan 2, 2016 (gmt 0)

Senior Member from AU 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 22, 2003
posts: 2233
votes: 142


Amen
11:43 pm on Jan 6, 2016 (gmt 0)

Full Member

5+ Year Member

joined:Apr 26, 2012
posts:328
votes: 8


Having an SSL certificate is not going to stop someone from hacking your server/guessing your password and putting in nefarious content on your pages. It's mostly to stop man-in-the-middle attacks/ad insertions and anyone who might be sniffing in on the connection between computer and website server.

As for a ranking boost, AFAIK it was only ever a minor factor and mostly good under a "when all else is equal" decision.
2:01 am on Jan 10, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:15136
votes: 167


I don't really care about the ranking aspect. Having all sites move toward an encrypted standard will cut out a lot of signals that can be picked up over the ether. I wouldn't write off the benefits of thwarting ad/malware/content insertion so lightly.

You still need a paid cert to achieve the desired green lock on most browsers, so there are still levels of certification that will show enhanced quality if that's an issue for the SEs.