While HTTPS is being burned into the architecture of the Web, I have a humble question to ask: what is the dear HN community's next-best-option in a scenario if letsencrypt dies/gets sued/goes under/servers not accessible anymore?
I ponder on this question seeing how Google is planning to increasingly depreciate HTTP. While in general, I welcome the security upgrade, the lack of next-best-free-options makes me vary of this config change locking us into a $$$paid-only web publishing system.
My automation tools are slowly migrating towards a proper PKI set up that supports ACME, self signed certs and external certs (vendor signed certs from anywhere).
Basically if LE goes down, all I have to do is make 1 line of YAML changes, run an Ansible script and my servers are secured by a different provider's certificate.
Free is certainly nice, and I'd probably go back to self-signed for a few private subdomains, but you can get a paid cert for under $3/year. The only people really screwed would be those running a non-profit project that used many (sub)domains.
With Lets's Encrypt, consensus hopefully strengthens that the cert system is not a good situation. This may eventually web browsers to support TLS PKI methods other than X.509.
Precisely the problem. Real companies mostly prefer to use paid solutions because they have comfort and confidence in knowing there is a business and backing behind it. At least I know I do. I never got the whole developer complex wanting and even expecting everything for free. Seems hypocritical and counter-entrepreneur.
Also for what's worth, I've been deploying Let's Encrypt into production recently using Caddy and (on-demand) TLS and while it works, the rate limits being reset weekly is really scary and VERY VERY easy to hit. I know myself and my clients would be willing to pay for Let's Encrypt Pro (higher rate limits, etc). Take our money.
I am a little worried about the monoculture LE is creating.
I don't have any bright and practical ideas to fix that, however. Short of some other consortium making an equivalent, but with different tech underneath.
Am I the only one who thinks the way we deal with certificates is just completely backwards? Why should there even be a CA at all for DV certs? We already have to trust the registrar as ultimately they can get whatever DV certs they want so why not just limit our trust to them instead of adding hundreds of additional organizations that can compromise our security? And we pay them for the privilege of doing this??
I get CAs for EV and OV certs, of course you need an additional trusted party there, but the vast majority of websites out there do not use EV or OV certs and to be fair users by and large don't even notice the difference between a DV and an EV certificate in the first place.
We already have DNS, we already trust DNS to issue certificates to people, why don't we just cut out the middle man since they serve no additional purpose?
Effectively, you’d serve a self-signed certificate, then use DNSSEC to state that the origin can use the self-signed cert. Then clients can use that without showing warnings.
However, it does rely on DNSSEC not being a total failure, so not likely to end up in widespread use anytime soon unfortunately.
Also, given the more recent growth of alternative solutions to the problems DANE solves, like Let’s Encrypt and CAA DNS records, I’m not sure we’re likely to see much more work being done on it sadly.
> but the vast majority of websites out there do not use EV or OV certs and to be fair users by and large don't even notice the difference between a DV and an EV certificate in the first place.
You could also say the same for HTTP vs HTTPS (except HTTPS being considerably slower on unreliable networks).
So what's the value add in forcing everyone (even those who don't want to and have no need) to use HTTPS?
I've been using LE from the start and it's been awesome (especially with clients like acme-tiny), but wildcards changes everything.
How many of you are really going to set up a custom DNS updating script?
Maybe I misread something but I remember hearing wildcard certs will only work with DNS based challenges.
Wouldn't that mean the verification tool would need to support every single registrar's / DNS provider's API?
For example, I host my domains (and DNS) with namesilo.com. Is a challenge script really going to know how to interface with their API to add / remove the TXT records?
pfSense has a dynamic DNS updater built in with support for a huge number of services - https://doc.pfsense.org/index.php/Dynamic_DNS . There's also an ACME client and HAProxy packages and a built in CA and cert handler.
Does your ACME client already support ACMEv2 and wildcards? I think only acme.sh has so far claimed to (happy to be corrected if another client has finished its implementation).
> We're working hard on it, but will probably not land this in production before the end of February. Still, we are very much aware of the upcoming deadline and committed to meeting it. Thanks for the enthusiasm everyone! :-)
[+] [-] sdrinf|8 years ago|reply
I ponder on this question seeing how Google is planning to increasingly depreciate HTTP. While in general, I welcome the security upgrade, the lack of next-best-free-options makes me vary of this config change locking us into a $$$paid-only web publishing system.
[+] [-] kemitche|8 years ago|reply
[+] [-] nickjj|8 years ago|reply
I first saw this strategy used in the DebOps project's PKI Ansible role at https://docs.debops.org/en/latest/ansible/roles/debops.pki/.
Basically if LE goes down, all I have to do is make 1 line of YAML changes, run an Ansible script and my servers are secured by a different provider's certificate.
[+] [-] icebraining|8 years ago|reply
[+] [-] fulafel|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] ocdtrekkie|8 years ago|reply
[+] [-] nodesocket|8 years ago|reply
Also for what's worth, I've been deploying Let's Encrypt into production recently using Caddy and (on-demand) TLS and while it works, the rate limits being reset weekly is really scary and VERY VERY easy to hit. I know myself and my clients would be willing to pay for Let's Encrypt Pro (higher rate limits, etc). Take our money.
[+] [-] tyingq|8 years ago|reply
I don't have any bright and practical ideas to fix that, however. Short of some other consortium making an equivalent, but with different tech underneath.
[+] [-] liveoneggs|8 years ago|reply
[+] [-] MertsA|8 years ago|reply
I get CAs for EV and OV certs, of course you need an additional trusted party there, but the vast majority of websites out there do not use EV or OV certs and to be fair users by and large don't even notice the difference between a DV and an EV certificate in the first place.
We already have DNS, we already trust DNS to issue certificates to people, why don't we just cut out the middle man since they serve no additional purpose?
[+] [-] BillinghamJ|8 years ago|reply
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...
Effectively, you’d serve a self-signed certificate, then use DNSSEC to state that the origin can use the self-signed cert. Then clients can use that without showing warnings.
However, it does rely on DNSSEC not being a total failure, so not likely to end up in widespread use anytime soon unfortunately.
Also, given the more recent growth of alternative solutions to the problems DANE solves, like Let’s Encrypt and CAA DNS records, I’m not sure we’re likely to see much more work being done on it sadly.
[+] [-] technion|8 years ago|reply
I have control of the DNS on my network, and at the local coffee shop. I can use that to attack users, but I cannot use that to obtain a certificate.
I still agree with you in a sense, an alternate solution would be great. But we that middleman is the best we have right now.
[+] [-] ams6110|8 years ago|reply
No. https://www.tedunangst.com/flak/post/moving-to-https
[+] [-] josteink|8 years ago|reply
You could also say the same for HTTP vs HTTPS (except HTTPS being considerably slower on unreliable networks).
So what's the value add in forcing everyone (even those who don't want to and have no need) to use HTTPS?
[+] [-] nickjj|8 years ago|reply
How many of you are really going to set up a custom DNS updating script?
Maybe I misread something but I remember hearing wildcard certs will only work with DNS based challenges.
Wouldn't that mean the verification tool would need to support every single registrar's / DNS provider's API?
For example, I host my domains (and DNS) with namesilo.com. Is a challenge script really going to know how to interface with their API to add / remove the TXT records?
What about the 50 other popular DNS providers?
[+] [-] piracykills|8 years ago|reply
Check out acme.sh and remember, changing your DNS provider or hosting it yourself really isn't that bad.
https://github.com/Neilpang/acme.sh
[+] [-] gerdesj|8 years ago|reply
Its all open source, so grab their scripts ...
[+] [-] yrro|8 years ago|reply
[+] [-] berbec|8 years ago|reply
[+] [-] schoen|8 years ago|reply
[+] [-] mustardo|8 years ago|reply
[+] [-] technion|8 years ago|reply
Embed SCT receipts in certificates
Is also delayed? I think this has been quite underrated.
[+] [-] discreditable|8 years ago|reply
Most recent comment:
> We're working hard on it, but will probably not land this in production before the end of February. Still, we are very much aware of the upcoming deadline and committed to meeting it. Thanks for the enthusiasm everyone! :-)
[+] [-] unknown|8 years ago|reply
[deleted]