Let's Encrypt Launch Schedule (opens in new tab)

(letsencrypt.org)

233 pointsjoshmoz11y ago66 comments

66 comments

44 comments · 9 top-level

jglauche11y ago· 10 in thread

Damnit, my existing cert expires September 12. Any free alternatives to that?

snowpanda11y ago

Comodo has a 90 day free SSL trial that should get you through that window.

https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-...

vtlynch11y ago

RapidSSL also offers a free 30-day certificate: https://www.freessl.com/

teraflop11y ago

https://www.startssl.com/ provides free domain-validated certificates.

Karunamon11y ago

Please don't use startssl. Revocation costs money, and the company's behavior surrounding heartbleed was at the very least very unethical.

3 more replies

yellowapple11y ago

On top of the revocation issues, StartSSL is only free for personal use; if you intend to obtain a cert for a small business or some other non-personal purpose, they won't give you the cert. I also recall StartSSL being incredibly difficult for those who only have a P.O. box for a mailing address (as was the case for me; my apartment didn't have a mailbox, so I had to receive all mail at a P.O. box, which StartSSL didn't like).

mey11y ago

The issue is you have to pay for revocation.

robertfw11y ago

Be aware that the free cert does not support certificate transparancy. This will lead some browsers - notably chrome but I imagine there are/will be others - to give a user warning about SSL integrity. There are supposedly some workarounds [1] but no official support.

[1] http://korusdipl.egloos.com/6152770

1 more reply

rmoriz11y ago

https://buy.wosign.com/free/

(Root in Windows, Cross-Signed by StartSSL for others)

elahd11y ago

Namecheap sells basic Comodo certs for $9.00/yr.

PaulBurke11y ago

If you worried much about expiration of your free SSL certificate, I advise you to invest some $ on domain validated SSL certificate.

Advantages 1. No Expiration for 3 Years 2. 256-bit strong encryption with 2048-bit SSL certificate 3. Domain validation by trusted Root certificate authority. 4. Lowest price SSL

Get Comodo PositiveSSL Certificate at only $4.99/year from CheapSSLSecurity and make your self free from SSL Expiration.

Visit here for mode details - https://cheapsslsecurity.com/comodo/positivessl.html.

masida11y ago· 8 in thread

Very nice initiative.

But for me the biggest problem with adoption of SSL is still that every domain name needs it's unique IPv4 address, and all problems that come with that, not registering or paying for the SSL certificate.

At work, I usually use virtual hosting for about 100 domains on one IP address. I don't see us buying an IPv4 address per domain and adding them to my NIC configuration one by one. Once we can safely ignore IPv4 and use IPv6 only it will probably become easier and cheaper.

adisbladis11y ago

SNI has been a thing for a long while now.. Do you seriously need to support older browsers than this? https://en.wikipedia.org/wiki/Server_Name_Indication#Web_bro...

LinuxBender11y ago

SNI is fine for web browsing, but for end-points that need to be reachable by older versions of python, tomcat, ruby and many proprietary apps, this will not suffice. This becomes a problem on business to business communications, automation, API's, etc. For the general purpose websites, blogs, etc, SNI would be fine.

1 more reply

JoshTriplett11y ago

> But for me the biggest problem with adoption of SSL is still that every domain name needs it's unique IPv4 address, and all problems that come with that, not registering or paying for the SSL certificate.

Only if you care about IE on Windows XP (which is no longer supported and no longer gets security updates) or Android phones more than 4 years old (2.3 Gingerbread and older). SNI works fine on other devices.

Have you measured? Do you have numbers for how many users you have running one of those two environments?

warp11y ago

New phones are still being sold with Android 2.3 here [1] in Ecuador (which is ridiculous), so for some markets you do need to verify what your target audience uses before making assumptions like that.

[1] http://www.movistar.com.ec/tienda/Marcas/Huawei/Huawei-Y210/...

2 more replies

hathawsh11y ago

Use SNI, Server Name Indication: https://en.wikipedia.org/wiki/Server_Name_Indication

All modern browsers support it, as do Nginx and Apache.

masida11y ago

Thanks for the info, eirst time I hear about this. I'll look it up. I'm honestly a bit ashamed I haven't heard about this before.

vtlynch11y ago

With many platforms you can also use a Multi-Domain certificate to use one Certificate with one IP. Let's Encrypt will support Multi-Domain certificates.

masida11y ago

OK, that's very nice.

EGreg11y ago· 6 in thread

Can someone summarize why this is better than, say, StartSSL or AlphaSSL?

aroch11y ago

No predatory pricing (StartSSL has $25 revocations), free (AlphaSSL) and user-friendly (StartSSL is a UX nightmare). PositiveSSL is probably the cheapest, well supported cert (certs can be had for $3-4/y).

cyann11y ago

Looks like the free offer from AlphaSSL is no more:

https://www.alphassl.com/ssl-certificates/free-ssl-certifica...

1 more reply

yellowapple11y ago

Are you sure about that $3-4 price point? The cheapest I'm seeing on their site is $49/yr.

2 more replies

StavrosK11y ago

Because it includes a script you can just run and will take care of everything for you, and you'll have properly TLS-configured web servers with valid certificates and reissues with a single command.

dingaling11y ago

No sane system administrator is going to run a root-privilege program to reconfigure his web server and set-up SSL:

The Let’s Encrypt client is essentially an operating system component. Generically, it requires root privileges to bind to port 443 and (if requested) to reconfigure your webserver for certificate installation and renewal

That also seems like a perfect compromise vector for bad actors to modify the client software.

The Let's Encrypt effort is noble and definitely required but I think they would have been better-focused and quicker to market had they concentrated on establishing themselves as a CA first and leaving the 'auto-configuration magic' to a later stage, for the small subset of users who want that.

1 more reply

clinta11y ago

Automatic enrollment and renewal means that it's not a maintenance burden to have certificates that are valid for weeks rather than years. Short lived certificates reduce the cost of a certificate compromise and increase the security of the internet as a whole.

diafygi11y ago· 4 in thread

I'm suuuper excited for this to launch! However, it's worrisome that the ACME protocol (what Let's Encrypt uses) still has a ton of bugs open[1] and they are still changing the protocol often. Just search for "TODO" on the spec markdown[2].

I want this project to proceed, but they should really focus on getting a much more mature and stable spec before launch. This isn't WebRTC, where you can just continuously tack on additional stuff or change the API constantly. It's TLS certs. The certs issued using this API end up telling people it's safe to input their passwords or credit card numbers.

I really hope the ACME spec gets stable before the launch in July.

[1]: https://github.com/letsencrypt/acme-spec/issues

[2]: https://github.com/letsencrypt/acme-spec/blob/master/draft-b...

cbhl11y ago

> The certs issued using this API end up telling people it's safe to input their passwords or credit card numbers.

I'm pretty sure they shouldn't tell users it's safe to type in credit card numbers -- these certs are "domain validation" (DV).

The certs that generate a green chip in the address bar are "extended validation" (EV) certs that typically cost hundreds and require a human to manually verify things.

captn3m011y ago

EV certificates are no different from normal SSL certs. They offer no extra security. References:

[1]: http://security.stackexchange.com/a/15871

[2]: https://www.blackhat.com/presentations/bh-usa-09/SOTIROV/BHU...

There is an interesting HN discussion on the topic at https://news.ycombinator.com/item?id=8344238

diafygi11y ago

It's taken me years, but I've finally trained my Mom to "look for the lock" whenever she has to type her password or credit card in anywhere. I consider that a win. Trying to get her to understand more than "lock=safe, no lock=unsafe" is incredibly difficult that will take many more years. Like it or not, since DV has a lock, that's what the standard is for what's safe to people who don't understand there's multiple levels of security in computers.

vtlynch11y ago

Validation has nothing to do with the security of the certificate. There is nothing preventing you from using a DV, OV, or EV certificate to transmit any type of data you want.

1 more reply

worklogin11y ago· 3 in thread

Do Chrome and Mozilla have Let's Encrypt in their Root stores? I don't see them.

vtlynch11y ago

No. The Let's Encrypt root was recently created and will be submitted to root inclusion programs. It will probably be quite a while until its suitable to issue certs solely from the Let's Encrypt Root.

For now, the certs are cross signed by "DST Root CA X3" operated by Identrust. This root has very strong inclusion.

For specifics, please see: https://groups.google.com/a/letsencrypt.org/forum/#!msg/clie...

worklogin11y ago

Dangit, I didn't read the second paragraph. For GA, they will have the cross-sign. It's just for the EA that they don't.

echeese11y ago

They're cross-signed by DST Root CA X3 which is in the list.

jtchang11y ago· 2 in thread

I am really excited about this whole initiative. Mostly because encryption should really be standard at this point if not for the hurdles one has to face in deploying it.

What type of help is the Let's Encrypt team still needing?

joshmozOP11y ago

Glad you like the project!

Contributing to our software is one way to help:

https://github.com/letsencrypt/boulder

https://github.com/letsencrypt/lets-encrypt-preview

Also, if you work for a company that might be interested in sponsoring us, starting that conversation is another great way to help out.

diafygi11y ago

What are the tiers for corporate sponsors?

1 more reply

general_failure11y ago· 2 in thread

can someone clarify if revokation is free with letsencrypt?

Also, who pays for all this infrastructure? Mozilla?

bracewel11y ago

All the services provided by Let's Encrypt will be completely free, including revocation.

vtlynch11y ago

Not sure about revocation.

Sponsorship is provided by multiple companies, including Mozilla. See https://letsencrypt.org/sponsors/ and https://letsencrypt.org/2015/04/09/isrg-lf-collaboration.htm... for more.

qrmn11y ago

I gather they're not launching with ECDSA certificates (and obviously not with EdDSA or whatever comes out of CFRG, because that's still being discussed by the IETF/IRTF), but they're going to add it later. Any idea when?

What's the hold up; HSMs that'll do secp256r1?

Because of the huge performance improvement ECDSA brings over RSA, I know I'm not going to be deploying Let's Encrypt certs until I can get ECDSA ones (as well as RSA ones, presumably).

tokenizerrr11y ago

Very glad to hear there is a launch schedule, have been curious about how this project has been progressing. It's a fantastic intiative and I almost can't wait until September 14.

j / k navigate · click thread line to collapse

66 comments

44 comments · 9 top-level

jglauche11y ago· 10 in thread

Damnit, my existing cert expires September 12. Any free alternatives to that?

snowpanda11y ago

Comodo has a 90 day free SSL trial that should get you through that window.

https://www.comodo.com/e-commerce/ssl-certificates/free-ssl-...

vtlynch11y ago

RapidSSL also offers a free 30-day certificate: https://www.freessl.com/

teraflop11y ago

https://www.startssl.com/ provides free domain-validated certificates.

Karunamon11y ago

Please don't use startssl. Revocation costs money, and the company's behavior surrounding heartbleed was at the very least very unethical.

3 more replies

yellowapple11y ago

mey11y ago

The issue is you have to pay for revocation.

robertfw11y ago

[1] http://korusdipl.egloos.com/6152770

1 more reply

rmoriz11y ago

https://buy.wosign.com/free/

(Root in Windows, Cross-Signed by StartSSL for others)

elahd11y ago

Namecheap sells basic Comodo certs for $9.00/yr.

PaulBurke11y ago

If you worried much about expiration of your free SSL certificate, I advise you to invest some $ on domain validated SSL certificate.

Advantages 1. No Expiration for 3 Years 2. 256-bit strong encryption with 2048-bit SSL certificate 3. Domain validation by trusted Root certificate authority. 4. Lowest price SSL

Get Comodo PositiveSSL Certificate at only $4.99/year from CheapSSLSecurity and make your self free from SSL Expiration.

Visit here for mode details - https://cheapsslsecurity.com/comodo/positivessl.html.

masida11y ago· 8 in thread

Very nice initiative.

adisbladis11y ago

SNI has been a thing for a long while now.. Do you seriously need to support older browsers than this? https://en.wikipedia.org/wiki/Server_Name_Indication#Web_bro...

LinuxBender11y ago

1 more reply

JoshTriplett11y ago

Have you measured? Do you have numbers for how many users you have running one of those two environments?

warp11y ago

[1] http://www.movistar.com.ec/tienda/Marcas/Huawei/Huawei-Y210/...

2 more replies

hathawsh11y ago

Use SNI, Server Name Indication: https://en.wikipedia.org/wiki/Server_Name_Indication

All modern browsers support it, as do Nginx and Apache.

masida11y ago

Thanks for the info, eirst time I hear about this. I'll look it up. I'm honestly a bit ashamed I haven't heard about this before.

vtlynch11y ago

With many platforms you can also use a Multi-Domain certificate to use one Certificate with one IP. Let's Encrypt will support Multi-Domain certificates.

masida11y ago

OK, that's very nice.

EGreg11y ago· 6 in thread

Can someone summarize why this is better than, say, StartSSL or AlphaSSL?

aroch11y ago

cyann11y ago

Looks like the free offer from AlphaSSL is no more:

https://www.alphassl.com/ssl-certificates/free-ssl-certifica...

1 more reply

yellowapple11y ago

Are you sure about that $3-4 price point? The cheapest I'm seeing on their site is $49/yr.

2 more replies

StavrosK11y ago

Because it includes a script you can just run and will take care of everything for you, and you'll have properly TLS-configured web servers with valid certificates and reissues with a single command.

dingaling11y ago

No sane system administrator is going to run a root-privilege program to reconfigure his web server and set-up SSL:

That also seems like a perfect compromise vector for bad actors to modify the client software.

1 more reply

clinta11y ago

diafygi11y ago· 4 in thread

I really hope the ACME spec gets stable before the launch in July.

[1]: https://github.com/letsencrypt/acme-spec/issues

[2]: https://github.com/letsencrypt/acme-spec/blob/master/draft-b...

cbhl11y ago

> The certs issued using this API end up telling people it's safe to input their passwords or credit card numbers.

I'm pretty sure they shouldn't tell users it's safe to type in credit card numbers -- these certs are "domain validation" (DV).

The certs that generate a green chip in the address bar are "extended validation" (EV) certs that typically cost hundreds and require a human to manually verify things.

captn3m011y ago

EV certificates are no different from normal SSL certs. They offer no extra security. References:

[1]: http://security.stackexchange.com/a/15871

[2]: https://www.blackhat.com/presentations/bh-usa-09/SOTIROV/BHU...

There is an interesting HN discussion on the topic at https://news.ycombinator.com/item?id=8344238

diafygi11y ago

vtlynch11y ago

Validation has nothing to do with the security of the certificate. There is nothing preventing you from using a DV, OV, or EV certificate to transmit any type of data you want.

1 more reply

worklogin11y ago· 3 in thread

Do Chrome and Mozilla have Let's Encrypt in their Root stores? I don't see them.

vtlynch11y ago

For now, the certs are cross signed by "DST Root CA X3" operated by Identrust. This root has very strong inclusion.

For specifics, please see: https://groups.google.com/a/letsencrypt.org/forum/#!msg/clie...

worklogin11y ago

Dangit, I didn't read the second paragraph. For GA, they will have the cross-sign. It's just for the EA that they don't.

echeese11y ago

They're cross-signed by DST Root CA X3 which is in the list.

jtchang11y ago· 2 in thread

I am really excited about this whole initiative. Mostly because encryption should really be standard at this point if not for the hurdles one has to face in deploying it.

What type of help is the Let's Encrypt team still needing?

joshmozOP11y ago

Glad you like the project!

Contributing to our software is one way to help:

https://github.com/letsencrypt/boulder

https://github.com/letsencrypt/lets-encrypt-preview

Also, if you work for a company that might be interested in sponsoring us, starting that conversation is another great way to help out.

diafygi11y ago

What are the tiers for corporate sponsors?

1 more reply

general_failure11y ago· 2 in thread

can someone clarify if revokation is free with letsencrypt?

Also, who pays for all this infrastructure? Mozilla?

bracewel11y ago

All the services provided by Let's Encrypt will be completely free, including revocation.

vtlynch11y ago

Not sure about revocation.

Sponsorship is provided by multiple companies, including Mozilla. See https://letsencrypt.org/sponsors/ and https://letsencrypt.org/2015/04/09/isrg-lf-collaboration.htm... for more.

qrmn11y ago

What's the hold up; HSMs that'll do secp256r1?

Because of the huge performance improvement ECDSA brings over RSA, I know I'm not going to be deploying Let's Encrypt certs until I can get ECDSA ones (as well as RSA ones, presumably).

tokenizerrr11y ago

Very glad to hear there is a launch schedule, have been curious about how this project has been progressing. It's a fantastic intiative and I almost can't wait until September 14.

j / k navigate · click thread line to collapse