Let's Encrypt was _huge_ in making it absurd to not have TLS, and now we (I, at least) take it for granted because it's just the baseline for any website I build. Incredible, free service that helped make the web a more secure place. What a wonderful service - thank you to the entire team.
The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers". That is absurd to me because 1) it's (and was at the time) the largest certificate authority in the world, and 2) I've never seen someone care about who issued your cert on a sales call. It coming from GoDaddy is not a selling point...
So my question: has anyone actually commented to you in a negative way about using Let's Encrypt? I couldn't imagine, but curious on others' experiences.
To be fair, for a CEO in 2022, EV certificates had only lost their special visualizations since September/October 2019 with Chrome 77 and Firefox 70 - and with all that would happen in the following months, one could be forgiven for not adapting to new browser best practices!
I once notified Porsche that one of their websites had an expired certificate, they fixed it within a couple of hours by using Let's Encrypt. It surprised me.
Let's Encrypt is to the internet what SSDs are to the PC. A level up.
I've seen people complain that Let's Encrypt is so easy that it's enabling the forced phaseout of long-lived certificates and unencrypted HTTP.
I sort of understand this, although it does feel like going "bcrypt is so easy to use it's enabling standards agencies to force me to use something newer than MD5". Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work.
I only hear justified praise of letsencrypt. Also thanks to the EFF and the developers of certbot, which massively improved the toolchain around certificate deployment. Not the favorite activity for admins, but this made processes like certificate renewal/revocation much more convenient.
I think the portion of users that check a certificate after the browser has treated it as secure is well under 1%, probably well below 0.1%. And I guess these TLS connoisseurs have a positive inclination to letsencrypt as well.
There was a time when EV certificates were considered more trustworthy than DV certs. Browsers used to show an indication for EV certs.
Those days are long gone, and I'm not completely sure how I feel about it. I hated the EV renewal/rotation process, so definitely a win on the day-to-day scale, but I still feel like something was lost in the transition.
> The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers".
Spoken like a true dinosaur. How can a certificate based on open, public and proven secure protocols be cheap?
> So my question: has anyone actually commented to you in a negative way about using Let's Encrypt?
No, but I personally judge businesses which claim to be tech savvy if they don’t have an ACME-issued certificate, because to me that instantly shows I’m not dealing with someone who has kept up with technology for the last 10 years.
I have also heard the negative about it being somehow "cheap" and that we can "afford" a proper wildcard for our website from managers back in the day, like, a few years ago. Never mind the hours wasted every year changing that certificate in every system out there and always forgetting a few.
Also a valid point from security people is that you leak your internal hostnames to certificate transparency lists once you get a cert for your "internal-service.example.com" and every bot in existence will know about it and try to poke it.
I solved these problems by just not working with people like that anymore and also getting a wildcard Let's Encrypt certificate for every little service hosted - *.example.com - and not thinking about something being on the list anymore.
There are extended certificates that did matter in our sales process for some hosted solutions back about 15 years ago if I recall right… no one has ever cared since…
Modern browsers are going out of their way to hide every bit of information about the website (including even the URL) — so I don't know how these customers would actually even find out what CA issued the certificate.
In Safari, I don't even know how to find that information anymore. When I want to check expiration dates for my own sites, I start Firefox.
They may have rendered it absurd to not have TLS, but they also rendered certification absurd, in the sense that all you get is little more than encryption:
if you care about identity, then the free Let's Encrypt certificate coupled to a domain owner's email address gives you little guarantee.
Compare this to the extended validation certificates with personally certified credentials and browsers attesting these by, say, a green address bar (instead of today's flat padlock), that a bank customer expects before entering their login data.
Setting up an encrypted web domain with continual Let's Encrypt certificate renewal has become tedious cargo-culting around the relics of the idea of a certificate that establishes trust by identity verification.
The collapse of identity-based certification is not Let’s Encrypt’s fault.
People naturally choose the easiest option, and Let’s Encrypt supplied it.
Entrusting a handful of commercial certificate authorities with global identity is dubious on first principles anyway, but at least they tried;
yet, for all its flaws, that centralized system has proven more practical than the idealistic, decentralized "web of trust".
Many host providers (those acquired by companies like Web.Com, allegedly) disable all ability to use outside certs since Google made encryption a requirement in the Chrome browser...
They do things like blocking containers & SSH to make installing free certs impossible.
They have also elevated the price of their own certs (that they can conveniently provide) to ridiculous prices in contrast to free certs their customers can't even use...
It would be a huge price-fixing scandal if Congress had any idea of how technology works.
I used to deal with a couple people who were against any automatic or free certs. It was part of their jobs to procure the annual certs, look them over, present them to the developers and maintain automatic checks to regularly inspect the certificates. This was partly how they justified their jobs, but they relished the ceremony and being able to tell developers what to do, even if only for a few minutes a year. They repeatedly blocked introduction of LetsEncrypt.
Just checked. They’re still using that manually installed cert!
The only pain point I had using letsencrypt, and it was 100% not their fault, was that I tried using it to generate the certificate to use for FTPS authentication with a vendor. Since LE expires every 90 days and the vendor emails you every week when you’re 2 months from expiring, that became a pain point and it was easier to just buy a 1- or 2-year cert from GoDaddy. Thank goodness that vendor moved to SFTP with key authentication so none of that is needed anymore.
> has anyone actually commented to you in a negative way about using Let's Encrypt? I couldn't imagine, but curious on others' experiences.
One thing I heard recently which might be a valid point - that LE is based in US, which makes it a subject to US laws. Read from that what you will though.
Seconding the effect of Let's Encrypt on the world of TLS. I remember getting into web applications in the late 2000s and rolling my own certificates/CA and it was a huge, brittle pain. Now it's just another deployment checkbox thanks to LE.
> It coming from GoDaddy is not a selling point...
I judge people who use GoDaddy. They were the one company supporting SOPA when the entire rest of the internet was opposed to SOPA. It's very obvious GoDaddy is run by "business-bros" and not hackers or tech bros.
> has anyone actually commented to you in a negative way about using Let's Encrypt?
A friend of mine has had a negative experience insofar as they are working for a small company, using maybe only 15–20 certs, and one day they started getting hounded by Let's Encrypt multiple times on the email address they used for ACME registration.
Let's Encrypt were chasing donations and were promptly told where to stick it with their unsolicited communications. Let's Encrypt also did zero research about who they were targeting, i.e. trying to get a small company to shell out $50k as a "donation".
My friend was of the opinion that if you're going to charge, then charge, but don't offer it for free and then go looking for payment via the backdoor.
In a business environment getting a donation approved is almost always an entirely different process, involving completely different people in the company, than getting a product or service purchase approved. Even more so if, like Let's Encrypt, you are turning up on the doorstep asking for $50k a pop.
It’s easy to forget how awful TLS was before Let’s Encrypt: you’d pay per hostname, file tickets, manually validate domains, and then babysit a 1-year cert renewal calendar. Today it’s basically “install an ACME client once and forget it” and the web quietly shifted from <30% HTTPS to ~80% globally and ~95% in the US in a few years.
The impressive bit isn’t just the crypto, it’s that they attacked the operational problem: automation (ACME), good client ecosystem, and a nonprofit CA that’s fine with being invisible infrastructure. A boring, free cert became the default.
The next 10 years feel harder: shrinking lifetimes (45-day certs are coming) means “click to install cert” can’t exist anymore, and there’s still a huge long tail of internal dashboards, random appliances, and IoT gear that don’t have good automation hooks. We’ve solved “public websites on Linux boxes,” but not “everything else on the network.”
As a sysadmin in the 2007-2011 timeframe I literally used openssl to generate CSRs, went to GoDaddy to purchase SSL certificates and then manually deployed them to servers. Man, what a world of change. Let's Encrypt is one of the best services we've had on the internet. I wish we had more things like this.
It's been a long time so this is my fading memory, but CAs used to generate a private key on their end and let you download both the private key and the certificate containing the public key. The non-technical person who paid big money for the certificate then emails the zip file to the developer. StartTLS wasn't that big back then either.
As a sysadmin in the 2020 - 2024 time frame I used to do that all the time at my previous job, got a strong openssl CLI game going whenever I needed to generate a new CSR for an existing key or a new key and shovel an exact number of SANs into the CSR too. Lot of time wasted. There was also a certain set of customers for which we managed systems, and they insisted that it be done this way as something free on the internet is not to be trusted. Oh well, strange times.
Snowden was the other big reason that TLS became the de facto standard for every site.
Prior to that, the consensus was that you only really needed TLS if you were dealing with money and it wasn't worth the hassle otherwise. You could sniff traffic from Facebook and Twitter easily.
I remember listening to a talk given by an IRS investigator in around 2008 about how they were able to do a sting and shutdown illegal internet casinos. They collected a good bulk of that evidence from clear-text packet captures of gambling sessions and messages. He preemptively answered the question of whether encryption was a hurdle, by saying no one used it.
Let's hope they stay independent and never get acquired by Google or any other large tech company. You can imagine a web where SSL issuance is used as a tool to censor websites. I think most browsers have been made to make standard http sites look malicious to normal users.
They're a nonprofit - so they can't be acquired like a typical for-profit company. They could in theory sell some assets but it'd be very convoluted if they were the core assets -- per US tax law, nonprofit assets must remain in the nonprofit world, so there's no risk of any tech company ruining them.
If Google wants to censor your website, they have a variety of other, more effective methods, like by adding it to their safe browsing blacklist, which is also used in many Firefox installs.
As someone else mentioned, it's a non-profit, so I guess it's not technically possible to get acquired.
But I personally believe that the people behind LetsEncrypt genuinely care about the mission and will never sell out for their personal benefit.
If there was a list of organizations that bring the most impactful things to tech per each dollar received in donations and per each employee, ISRG will be up there at the top.
I still remember the original announcement around LE and thought "Great idea, no idea if they'll be able to get buy-in from browsers/etc", now I use it on all my self-hosted sites and will probably be transitioning my employer over to it when we switch to automated renewal sometime next year.
LE has been an amazing resource and every time I set up a new website and get a LE cert I smile. Especially after having lived/experienced the pain that was SSL/TLS before LE.
We actually spent some time making sure that we weren't going to run into problems with browsers. However, as the OP points out, because LE had a cross-signature from an existing CA, browsers didn't have to take any positive action to make LE certificates work. This was absolutely essential to getting things off the ground.
LetsEncrypt is on my end of year Donate list for the past 5 years. With all modern browsers requiring HTTPS everywhere, a world without Let's Encrypt would be really difficult for indie developers.
I am glad to be one of the users using that for around 7 years. I can't think of how much better the life of people just doing blogs or some silly websites is with free https certs. Would I pay $50 a year for the ability to self-host Nextcloud? Probably not. But the security enhancement is so enormous with that service.
Thanks to everyone involved for making world a little bit better.
I am so grateful for this. Bummer that they stopped with the email reminders; anyway, I was wondering how this would work without active payments. Still amazing.
LE has been really great, particularly in running hobby web sites on the public internet. Getting certbot up and running wasn't hard, automating renewal wasn't hard, and because they have DNS-based pathways to verification you can use LE certificates for sites not exposed to the public internet as well. Combine it with something like Caddy and getting SSL for an app becomes the default without ever having to manage certificates by hand.
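The DNS-based pathway mentioned above is ACME's DNS-01 challenge: the CA hands the client a token, and the client publishes a TXT record derived from that token and its account key, so the host being certified never needs to be reachable from the internet. The following is an added example (not code from the comment above, nor from Let's Encrypt or certbot) that computes that record with the Python standard library only; the account key and token it uses are constructed placeholders.

```python
"""ACME DNS-01 challenge response, computed the way an ACME client does it.

Added example, not code from Let's Encrypt, certbot or the original post.
Standard library only. RFC 8555 s8.1 defines the key authorization as
token || '.' || base64url(JWK-Thumbprint(accountKey)); s8.4 says the DNS-01
TXT record holds base64url(SHA-256(keyAuthorization)). The account key and
token below are constructed placeholders, not real ACME material.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the only encoding ACME accepts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over a JSON object that contains only the
    required public members, in lexicographic key order, with no whitespace.
    Optional members such as 'kid' or 'alg' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What an HTTP-01 client would serve verbatim; DNS-01 hashes it first."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record data for _acme-challenge.<domain> (RFC 8555 s8.4)."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """(record name, TXT value) for a DNS identifier. A wildcard order such as
    '*.example.com' is validated at the base name, so the record goes under
    _acme-challenge.example.com (RFC 8555 s7.1.3)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}", dns01_txt_value(token, account_jwk)


# Constructed account key: a 2048-bit-looking modulus built from a byte ramp,
# NOT a real RSA key. Real clients use the key they registered with newAccount.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)))}
# Constructed token; in practice the CA supplies it in the challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    name, value = dns01_record("*.internal.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}.  300  IN  TXT  "{value}"')
```

For a wildcard order the CA validates the base name, so `*.internal.example.com` is proven at `_acme-challenge.internal.example.com`; the thumbprint is taken over the required public JWK members only, which is why `kid` and `alg` are deliberately left out of the hash.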
I find it pretty amazing how far it's come, and how big a change it has made to the internet in the decade it's been operating.
Seems longer than 10 years ago? But hey... Let's Encrypt absolutely changed the game... TLS and certificates were a huuuuuge PITA and expensive... we only used them when money was moving around online and they were slow most times. It was also a process to add one, update one, etc. I remember not trusting it at first because it was so easy lol.
THANK YOU Let's Encrypt... you made us all more sane, saved time, and secured us all up too. Firm handshakes.
only downside to LE is the attack surface presented by CTLs (Certificate Transparency Logs). as soon as you request a cert, you will get attacks on the endpoint/subdomain you have registered by countless IPs trying to login etc.
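The CT exposure raised here and in the earlier comment about leaking internal hostnames comes from every subjectAltName on a publicly trusted certificate being logged; the earlier commenter's fix was a wildcard, which logs only `*.example.com`. The following added example (not code from either comment, nor from Let's Encrypt) compares the two issuance plans for a constructed host inventory and applies the RFC 6125 wildcard rule, which is where the wildcard plan usually surprises people.

```python
"""What a public certificate reveals in Certificate Transparency, by issuance plan.

Added example, not code from the original comments or from Let's Encrypt.
Standard library only; the hostnames are constructed. Every SAN on a publicly
trusted certificate is published to CT logs, so issuing one cert per host
publishes every internal hostname. A wildcard publishes only '*.zone'. Name
matching follows RFC 6125 s6.4.3: '*' must be the whole leftmost label and
matches exactly one label, so '*.example.com' covers 'vault.example.com' but
not 'example.com' and not 'db.internal.example.com'.
"""


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN `pattern` ('*.example.com' or a plain name) covers `hostname`.

    Rules enforced (the ones browsers and public CAs apply):
      * case-insensitive, whole-label comparison;
      * a wildcard is the entire leftmost label only ('f*.example.com' never matches);
      * '*' matches exactly one non-empty label, never zero and never several;
      * at least two labels must follow the wildcard ('*.com' is not valid).
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in lab for lab in p[1:]):
        return False
    return len(h) == len(p) and all(h) and h[1:] == p[1:]


def uncovered(hostnames: list[str], sans: list[str]) -> set[str]:
    """Hostnames that none of the planned SANs would cover. Run this before
    ordering a wildcard cert; the usual surprise is the apex and deeper zones."""
    return {hn for hn in hostnames if not any(wildcard_matches(s, hn) for s in sans)}


def ct_exposure(hostnames: list[str], strategy: str) -> dict[str, set[str]]:
    """Names that would appear in CT ('logged') and hostnames that would not
    appear verbatim ('hidden') under 'per-host' or 'wildcard' issuance."""
    if strategy == "per-host":
        return {"logged": set(hostnames), "hidden": set()}
    if strategy != "wildcard":
        raise ValueError(f"unknown strategy {strategy!r}")
    logged, hidden = set(), set()
    for hn in hostnames:
        labs = _labels(hn)
        if len(labs) < 3:
            # The apex cannot be covered by a wildcard; it is an explicit SAN and is logged.
            logged.add(hn)
            continue
        wildcard = "*." + ".".join(labs[1:])
        logged.add(wildcard)   # '*.internal.example.com' still reveals the 'internal' zone
        hidden.add(hn)
    # Audit: every name we claim to hide must really be covered by a planned SAN.
    assert not uncovered(list(hidden), sorted(logged))
    return {"logged": logged, "hidden": hidden}


# Constructed inventory of what one operator might want certificates for.
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "grafana.example.com",
    "vault.example.com",
    "db.internal.example.com",
    "jenkins.internal.example.com",
]


if __name__ == "__main__":
    for plan in ("per-host", "wildcard"):
        exp = ct_exposure(SAMPLE_HOSTS, plan)
        print(f"{plan:9s} logged in CT: {sorted(exp['logged'])}")
    print("not covered by a lone *.example.com:",
          sorted(uncovered(SAMPLE_HOSTS, ["*.example.com"])))
```

Two caveats the output makes visible: a wildcard never covers the apex, so `example.com` is still an explicit SAN and still logged, and a deeper zone needs its own wildcard, so `*.internal.example.com` still tells the world that an `internal` zone exists. Wildcards also require the DNS-01 challenge; HTTP-01 cannot issue them.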
Thank you Let's Encrypt, together with the acme.sh , caddy and the whole ecosystem for TLS.
You simply cannot emphasize the information security enough if all your Internet traffic is audited, censored and manipulated by a number of adversaries supported by (authoritarian) governments and what not.
btown | 3 months ago
https://www.troyhunt.com/extended-validation-certificates-ar...
spjt | 3 months ago
I still find it too much of a pain in the ass to deal with to justify for my personal stuff. Easier to just click through the warning every time.
Ayesh | 3 months ago
Just a comically bad way to obtain certs.
greyface- | 3 months ago
New de-facto requirement that you need to receive the blessing of a CA to make use of basic web platform features... not so good.
vadepaysa | 3 months ago
Thank You for an amazing product!
stego-tech | 3 months ago
Congrats on a decade, y’all, here’s to many, many more in securing the free internet.
martinclayton | 3 months ago
It takes you to https://www.nsa.gov rather than Let's Encrypt.
Not sure what to make of that!
1vuio0pswjnm7 | 2 months ago
https://community.letsencrypt.org/t/2020-02-29-caa-recheckin...
https://bugzilla.mozilla.org/show_bug.cgi?id=1619047
https://www.theregister.com/2020/03/03/lets_encrypt_cert_rev...