52 comments

[ 5.8 ms ] story [ 116 ms ] thread
And the bigger news is that letsencrypt starts its public beta today! You don't need to buy SSL certs anymore! Wow! Someone submit this story!
(comment deleted)
Yeah, but the commercials also need to be played.
Yay! I've had the sliding deadline in my calendar for months! :)
Cool project. I hope nginx support for the client isn't far away.
This involves a bit more manual (but scriptable) steps, but the example it shows is for nginx, in addition to being very small and having barely any dependencies. https://github.com/diafygi/acme-tiny
I wonder why, really. I read Facebook's statement. But everyone always has internal motives (in particular when money is involved), and I wonder what Facebook gains from this?

I know why EFF/Mozilla does it (charity), Akamai do it ($$$ for them), Cisco might also profit from it somehow (e.g. upgraded enterprise appliances to support HTTPS on the proxy), but Facebook? I don't get Facebook's play here.

Deliver funding on the day of the public opening. Get some of the PR; some may perceive you (a fictional, corporate entity) as the primary driver of the project.
The only people who care about free SSL certs would know enough about Let's Encrypt to know facebook didn't do much. LE isn't something most people find interesting.
Eh, I think you are underestimating how many people are interested in this. One of my friends who does small business web design and hosting has had several customers ask him about Let's Encrypt.

SSL is a pretty big market, and the impending release of Lets Encrypt to the general market has some of the SSL vendors somewhat rattled, based on their FUDdy blog posts lately...

Maybe when you're worth $40bn or whatever and you plan to give 99% of it away for philanthropic purposes, you don't need to live life with such a miserly attitude?
Facebook, the company, is planning on giving away their entire net worth? Where are you getting this from? Also isn't Facebook worth somewhere in the region of $245 billion?
Not FB, only Mark Zuckerberg AFAIK.
when FB runs an elaborate campaign to make plebs believe their dear leader is investing his fortune into a charity, when in reality he's invested it into a Delaware based LLC that allows him to avoid Estate taxes....then you start questioning the intent of FB.

It's not "philanthropic purpose" it's an investment vehicle that can be used to do virtually everyone, without scrutiny.

Why can't their motivation be charity like Mozilla? Or maybe they just want to see a more secure internet?

They aren't totally evil. They want to use their power for good once in a while.

Mozilla are a registered charity, Facebook are a for profit company.
I'm not a huge fan of facebook either, but how is this a response to @jedberg's point, at all? Being a "For profit company" doesn't preclude them from "using their power for good once in a while."
It's not binary. Companies can do good things without being charities.
Mozilla's corporate structure is a bit more complicated than that.. The Mozilla Foundation is the overarching 501.3(c) nonprofit, but much of the software development (Firefox et al) is owned by a for-profit wholly owned subsidiary of the Foundation called Mozilla Corporation.
TFA says that Facebook has a "Gold" level sponsorship. Gold sponsorships cost $150K/year (see https://letsencrypt.org/become-a-sponsor/), which isn't much for a company the size of FB. (It's not even the most expensive sponsorship level available -- Akamai and Cisco are both "Platinum" sponsors, for instance, which costs $300-350K/year.)

So the motivation is pretty straightforward: they spend what to them is a small amount of cash in order to get a little goodwill and maybe some positive press. (Which are the usual reasons corporations sponsor not-for-profit projects anyway.) Everybody wins.

And really goodwill is the excuse used by the advocates in the company for whatever the sponsorship they want the company to make. It makes sense.

Also even just the goodwill of employees of their own employees (who want their company to support this or various open source projects etc.) makes donation make sense for many companies.

By having a reputation for being cool like this, they can hire people more easily and more cheaply.
Before the skeptical comments rush in, can we for a moment take a step back and appreciate this. Facebook has a lot of leaders who has worked in the industry for long and I am sure they understand the value as much as we do. There’s a very strong possibility that FB did this without any motives.
Especially with the Stamos hire (not to say that there aren't plenty of previous FBers that shared his views, but he is particularly vocal on issues like this.)
This was my first thought too. It's not hard to imagine him pushing the idea of sponsoring a project like Let's Encrypt to other higher-ups in the company.

  Before the skeptical comments rush in
If the comment is in relation to the criticism to Mark's donations, I think this is a non sequitur... I believe people understand that in large orgs there are factions that operate with different motives. Also this is a good cause so perhaps it helps their image too. So people won't be too critical of it.
I often wonder whether the relationships between brand-less factions in (and across) organizations has more of an impact than the official PR-heavy moves made under the institutional brand.

Take, for example, the changes that have happened at Microsoft since Ballmer's departure. I have a hard time imagining the branching GitHub's Atom to make an open source "light IDE", deprecating IE, and Google's using TypeScript for Angular2 happening while Ballmer's faction was in power. Microsoft has the same name, but it's acting like a very different beast.

I'm not sure how one could observe these factions cut across institutions, but I'd be interested if anyone has any suggested readings.

  organizations has more of an impact than the official PR-heavy moves 
  made under the institutional brand
I believe heavy handed central planning at a large scale is destined to be inefficient. Sure there would be fragmentation but the system would be fluid. The chances of bad decisions taking the ship down will be reduced.
If you're referring to VS Code, it doesn't use Atom at all.
Oh, interesting. Not sure where I heard that... thank you for the correction!
No, I think it's related to Facebook being a PRISM company and having a deplorable privacy policy, and generally giving no shits about privacy or security. Also, Mark's internet.org wasn't going to support HTTPS.
Apparently this is a donation that has happened unlike Mark's donations. (sorry if I state the obvious but hopefully he doesn't divorce before those donations happen (knock on wood))
please help me understand why this comment is so unpopular?
(comment deleted)
I'm on board with all the "facebook is evil" stuff and i don't use their product for various reasons, but their engineering department is really a good citizen of the internet and open source. Sponsoring Let's Encrypt is really in character for facebook, it's just the sort of thing they do.
Sorry, I'm is not registered user of that SN, but periodic getting spam emails about invitation. Hope that without any motives.

Thinking beware with gifts ...

Being careful not to look a gift horse in the mouth, but... It is interesting that Facebook ($300 Billion market cap) decided to support at the $150k level instead of the $350k level (i.e. saving themselves from a rounding-error $200,000 additional commitment).

It cost them more than that to make the decision and the press release.

What does a companies donation amount have to do with anything?
Maybe there's an internal policy at which $199,999 is a cut-off, i.e. at a certain point, the sponsorship decision is moved to a higher-level of bureaucracy and approval. Which is completely the sensible thing to do: there's no reason why President Obama has to be the one who personally signs off on million-dollar toilets in Iraq (even if the buck stops with the President), and neither should every sponsorship decision be put on the desk of Mark Zuckerberg or Sheryl Sandberg...and an efficient way to do that is to set off a discrete cut-offs, so that you don't have a middle manager thinking they have the discretion to do the exact same moral reasoning as you suggest, "Oh why just give the Palo Alto Elementary Science Fair $10,000 when we could give it $100,000 and no one would even notice?"

Besides internal order, I imagine there's additional concerns and contractual obligations that relate to a public company's stakeholders, e.g. the shareholders who invest with a guarantee that a company has consistent policies in place to manage its spending, whether operational or charitable.

Taken in isolation, this is a laudable move. But shouldn't it be evaluated within the context of their own internet.org initiative?

For those unaware, internet.org does not support TLS/HTTPS for most connections. It is probably the single largest attempt in history to remove secure access from a population, just in the name of advertising instead of national security.

Is there any indication what the sponsorship money of Let's Encrypt goes toward?

Corporate sponsorship looks to be somewhere around $2m/year.

Is the money needed for scaling? Hiring engineers? Broadening product line?

I would imagine most of the money goes towards:

- Development of the official client[1] and boulder[2], the CA server software behind Let's Encrypt. Both are relatively big projects with lots of things to add/improve on.

- Hosting CA servers in two separate data centers. HSMs for key storage are usually rather expensive as well. CRLs and OCSP are quite bandwidth-intensive[3], that's probably where Akamai's sponsorship comes in. Ops teams have to be available 24/7 in case of outages.

- I'd guess the auditing costs are quite substantial as well. I'm not sure what's necessary to get added to the various root programs out there (Microsoft, Mozilla etc.), but I doubt it's free (unless that's part of some sponsorship).

(I'm not affiliated with Let's Encrypt, just my perspective)

[1]: https://github.com/letsencrypt/letsencrypt [2]: https://github.com/letsencrypt/boulder [3]: https://blog.cloudflare.com/the-hard-costs-of-heartbleed/

Head of Let's Encrypt here. Our #1 expense is salary/benefits (we are hiring, letsencrypt.org/jobs). Other major costs include hosting, auditing, hardware, and legal/administrative.
React, Casandra, Flux, and tons more, Internet.org and now this? I can now feel a little less bad that every time I click like, that at least my personal information is supporting some great projects.

https://code.facebook.com/projects/