Let’s Encrypt Receives the Levchin Prize for Real-World Cryptography (opens in new tab)

(letsencrypt.org)

238 pointsdeaddabe4y ago35 comments

35 comments

28 comments · 7 top-level

"Let’s Encrypt is currently used by more than 280 million websites, issuing between two and three million certificates per day. I often think about how we got here, looking for some nugget of wisdom that might be useful to others."

I guess it's keep trying. Keep patiently explaining, educating and building.

I remember people saying "You'll never be able to topple the certs racket" - and here we are... in a age where every day I read about how we'll 'never' be able to break the big-tech stranglehold and build a distributed network owned by the people, 'never' have privacy and real end-to-end encryption because 'nobody cares', 'never' have practical p2p digital currencies of our own, and where we'll never have open, verifiable hardware. Keep believing.

atoav4y ago

Let's Encrypt was the reason I moved 8 websites to self-hosted nginx servers, because my old hoster wanted 10 Euros a month (!) per SSL certificate, despite charging a lot for that slow apache webspace already.

Even ignoring the money moving away from there was worth it. There is so much more control over my software on my own instances. I can do actual backups for free. Of course it is more work and needs more attention, but not a lot more

armchairhacker4y ago

What alternatives are there to get cheap easy SSL certificates?

Let's Encrypt has no competition because Let's Encrypt needs no competition: it works, it's cheap, and competitors can't really provide any advantages for its target audience (mostly people who just want a cert).

mcpherrinm4y ago

The major cloud providers have options for free certs: Amazon and Google run CAs, and Azure has an option for free certs from Digicert. Amazon and Azure both work with their services. Google just announced they’re supporting the same ACME protocol that Lets Encrypt uses too!

It is somewhat important for Let’s Encrypt to have competition: For reliability it is good to have alternatives with no shared infrastructure. If Let’s Encrypt ever becomes untrustworthy (and as a LE employee, I hope that never happens!) there must be alternatives so the root programs have the option to remove the Let’s Encrypt root. And there’s many geopolitical concerns too.

randomhodler844y ago

It’s not even a competition. Every customer increases costs to provide the service. More people handling the load of signing keys means less cost for a public service. It’s a shared ecosystem of trust. Yes, you can make the argument that too many CAs is untrustworthy, I would agree. But there is a reliability and availability argument, both security objectives, to having alternatives. There is probably an optimal point between redundancy and too many cooks.

macksd4y ago

ZeroSSL appears to have the advantage of fewer rate limitations if that's an issue. Haven't used it a ton myself though.

jjav4y ago

> Let's Encrypt has no competition because Let's Encrypt needs no competition

I love Let's Encrypt! Truly good work for the benefit of humanity.

Still. Everything needs competition. Any single organization amassing too much influence is always a bad thing, no matter how benevolent the organization.

rvnx4y ago

Some people care in the intelligence community ;) It's better to have LetsEncrypt and CloudFlare in the loop to protect national interests and fight against maliciouses actors.

nonrandomstring4y ago

I'm really pleased to see someone else framing this as a national security issue. It's a point of view rarely heard.

bombcar4y ago· 5 in thread

The main thing I'm thankful for Let's Encrypt for is breaking the idea that an SSL-secured website is somehow magically less likely to be phishing or even anything but claiming it's the data from the domain you connected to, without changes.

Mainly this was propagated by EV cert sellers, but it was all kinda silly.

tialaramex4y ago

Let's Encrypt's own community forums get posts every day from people saying, wait, I got scammed/ phished/ whatever on this site, it has your certificate, shouldn't you shut it down? They do have a page to link those enquiries to, explaining the policy (and indeed they even have standard legal briefs because periodically lawyers get the same idea and a court has to be told why that's wrong).

It would be interesting to know if, say, US citizens write to the Department of State saying hey, revoke this guy's passport, I heard he ripped off somebody on Craig's List...

profmonocle4y ago

It's frustrating because certificate revocation doesn't even really work, since most browsers don't check for it due to the various performance/privacy issues it causes. (OCSP stapling doesn't help here, because a scammer just won't use it.)

At best Let's Encrypt could revoke the cert and block them from getting a new one, but then the scam site is still good to go for 90 days. I doubt most phishing sites even last that long.

What does work, and relatively quickly, is having the web host shut down the site (basically instant), having the registrar revoke the domain (takes effect as soon as DNS caches start expiring) or adding it to the various phishing site lists used by browsers. (Not sure how often those update, I assume at least daily.)

I hope that the misguided people asking LE to shut down the domain are at least trying to contact the web host, registrar, and the safe browsing list people before hassling the (mostly volunteer) folks on the LE forums.

profmonocle4y ago

> Mainly this was propagated by EV cert sellers, but it was all kinda silly.

I feel like it really started back in early(ish) days of online shopping. I remember "never enter your credit card details without looking for the lock icon" being drilled into people.

EV certs definitely took this idea farther, especially as domain-validated certs became more common & cheaper.

lukeschlather4y ago

That idea is unfortunately alive and well. Many organizations require it, much like they require 90-day password rotation and other questionable security standards.

recursive4y ago

There are plenty of good reasons to require it. Proving a trustworthy counter-party for the request is just not one of them.

justhere4beer4y ago· 4 in thread

I applaud the Let's Encrypt founders, past and current team for solving the automation problem that's plagued the SSL/TLS industry.

The yang to that ying is a lack trust. I have zero trust in a site owner using LE certs. Domain vetting only means control of the domain ... everything inside that beautifully encrypted traffic can be insightful, helpful or script kiddies scamming the vulnerable. If one finds the scam, LE shrugs, "not our problem bruh. We just issue certs to those who control the domain."

They single handedly reduced the price of entry for douchebag asshats ability to pretend someone they are not and harm a non-technical populace.

Two steps forward, one step backward.

devrand4y ago

What you're expressing was the mistake of overloading the meaning of a certificate and incorrectly teaching people that the lock meant trusted.

None of this was the fault of Let's Encrypt. They just exposed the mistakes that were OV and EV certificates and incorrect education.

saghm4y ago

I think history proved fairly convincingly that people would still get scammed with the old system. Given that, I'll take encrypted traffic almost universally across the internet and scams still being a thing over mostly unencrypted traffic any day.

justhere4beer4y ago

I wish this statement to be true "... scams still being a thing over mostly unencrypted traffic any day." Sadly this falls in a similar category of domain validation.

I guess, take comfort where you can?

vurpo4y ago

TLS or SSL never meant that kind of safety in the first place. Even before LE, there was no guarantee that HTTPS means it's not a scam, and the PKI system has never been meant to guarantee that anyway! Let's Encrypt didn't change anything here, and they're doing exactly what they or any other CA is supposed to do.

tomc19854y ago· 3 in thread

So how the hell did Let's Encrypt convince the certificate cartel to let them in and undercut their products?

Nullabillity4y ago

They got cross-signed by IdenTrust, which as I understand it were/are primarily selling EV certificates to financial institutions (which Let's Encrypt doesn't really compete with), rather than DV certificates (like most CAs out there do, including LE).

These days they are trusted directly by most browsers and OSes as the sibling comments mention, but the IdenTrust cross-signature was vital for bootstrapping and is still used for some older systems.

thwayunion4y ago

They didn't. The convinced the browsers and operating systems.

vurpo4y ago

They didn't need to do that. They simply got their cert into browsers and OSes, and there you go.

randomhodler844y ago· 1 in thread

Lets encrypt is a true marvel that blessed the world with easy quick automatable webpki and identity. The world is exponentially more private and secure from their actions. One of the most critical public services in the world.

xvector4y ago

And it's all free, which is simply beautiful!

pupppet4y ago

God bless Let’s Encrypt. I used to tell my clients they need to cough up $100+/year for a cert and jump through a bunch of hoops to get it working. Now it’s built into the UI of many of the control panels I use and I simply click a button. The pre LE days were the dark ages.

achillean4y ago

Use of Lets Encrypt has grown steadily over the years:

https://trends.shodan.io/search?query=ssl%3A%22Let+s+Encrypt...

Its use is also growing in mail servers so it's not limited to HTTPS:

https://trends.shodan.io/search?query=ssl%3A%22Let+s+Encrypt...

j / k navigate · click thread line to collapse

35 comments

28 comments · 7 top-level

nonrandomstring4y ago· 8 in thread

I guess it's keep trying. Keep patiently explaining, educating and building.

atoav4y ago

armchairhacker4y ago

What alternatives are there to get cheap easy SSL certificates?

mcpherrinm4y ago

randomhodler844y ago

macksd4y ago

ZeroSSL appears to have the advantage of fewer rate limitations if that's an issue. Haven't used it a ton myself though.

jjav4y ago

> Let's Encrypt has no competition because Let's Encrypt needs no competition

I love Let's Encrypt! Truly good work for the benefit of humanity.

Still. Everything needs competition. Any single organization amassing too much influence is always a bad thing, no matter how benevolent the organization.

rvnx4y ago

Some people care in the intelligence community ;) It's better to have LetsEncrypt and CloudFlare in the loop to protect national interests and fight against maliciouses actors.

nonrandomstring4y ago

I'm really pleased to see someone else framing this as a national security issue. It's a point of view rarely heard.

bombcar4y ago· 5 in thread

Mainly this was propagated by EV cert sellers, but it was all kinda silly.

tialaramex4y ago

It would be interesting to know if, say, US citizens write to the Department of State saying hey, revoke this guy's passport, I heard he ripped off somebody on Craig's List...

profmonocle4y ago

At best Let's Encrypt could revoke the cert and block them from getting a new one, but then the scam site is still good to go for 90 days. I doubt most phishing sites even last that long.

profmonocle4y ago

> Mainly this was propagated by EV cert sellers, but it was all kinda silly.

I feel like it really started back in early(ish) days of online shopping. I remember "never enter your credit card details without looking for the lock icon" being drilled into people.

EV certs definitely took this idea farther, especially as domain-validated certs became more common & cheaper.

lukeschlather4y ago

That idea is unfortunately alive and well. Many organizations require it, much like they require 90-day password rotation and other questionable security standards.

recursive4y ago

There are plenty of good reasons to require it. Proving a trustworthy counter-party for the request is just not one of them.

justhere4beer4y ago· 4 in thread

I applaud the Let's Encrypt founders, past and current team for solving the automation problem that's plagued the SSL/TLS industry.

They single handedly reduced the price of entry for douchebag asshats ability to pretend someone they are not and harm a non-technical populace.

Two steps forward, one step backward.

devrand4y ago

What you're expressing was the mistake of overloading the meaning of a certificate and incorrectly teaching people that the lock meant trusted.

None of this was the fault of Let's Encrypt. They just exposed the mistakes that were OV and EV certificates and incorrect education.

saghm4y ago

justhere4beer4y ago

I wish this statement to be true "... scams still being a thing over mostly unencrypted traffic any day." Sadly this falls in a similar category of domain validation.

I guess, take comfort where you can?

vurpo4y ago

tomc19854y ago· 3 in thread

So how the hell did Let's Encrypt convince the certificate cartel to let them in and undercut their products?

Nullabillity4y ago

These days they are trusted directly by most browsers and OSes as the sibling comments mention, but the IdenTrust cross-signature was vital for bootstrapping and is still used for some older systems.

thwayunion4y ago

They didn't. The convinced the browsers and operating systems.

vurpo4y ago

They didn't need to do that. They simply got their cert into browsers and OSes, and there you go.

randomhodler844y ago· 1 in thread

xvector4y ago

And it's all free, which is simply beautiful!

pupppet4y ago

achillean4y ago

Use of Lets Encrypt has grown steadily over the years:

https://trends.shodan.io/search?query=ssl%3A%22Let+s+Encrypt...

Its use is also growing in mail servers so it's not limited to HTTPS:

https://trends.shodan.io/search?query=ssl%3A%22Let+s+Encrypt...

j / k navigate · click thread line to collapse