Let's Encrypt has definitely been a net positive to the internet as a whole. I do wish more services/tools had cleaner integration. I've switched to mostly using Caddy for personal web and reverse proxy chores as it's just much easier to deal with imo.
Caddy ist just awesome. I regularly wonder why most online tutorials don't use it. Because it just works and is so much easier to work with than all the alternatives.
> I do wish more services/tools had cleaner integration
I just had a positive experience with adding a Let's Encrypt SSL cert at Fly.io[1] for hosting my new PWA on a custom domain[2]. It was literally a one-line command to run but no DNS challenge
And browsers would give a huge red alert for self-signed certs but say nothing about plaintext HTTP. Presumably that’s where the snark is coming from. Clearly the plaintext HTTP was less secure than self-signed certs but browsers perpetuated the “trusted” cert cartel.
Having a certificate from a CA like LE proves that you don't have a local MITM. The MITM would have to also somehow get between LE's servers and the website in order to get a trusted certificate. A self-signed certificate does not have that guarantee.
> And browsers would give a huge red alert for self-signed certs but say nothing about plaintext HTTP
This is largely because putting a huge red alert in front of plaintext HTTP pages would provoke a huge backlash from anti-HTTPS factions on the Internet.
HTTP pages should have a big red alert on them, and browsers are very slowly but surely moving in a direction of being HTTPS by default and HTTPS-only in the limited instances where it's possible. Arguably even in that world, a site claiming that the connection is secure and then offering a bad certificate is more worrying than a site that never claims the connection is secure in the first place. But ideally, eventually, we hope that the vast majority of the web is using certificates, and that visiting an HTTP-only page should be a rare event, possibly with some kind of warning in front of it.
Browsers have at the very least gotten rid of the SSL green padlock and have de-emphasized certificate origin in their presentation, and HTTP-only pages at least get labeled as insecure in modern browsers. That's a step in the right direction. But yeah, it's tough to treat HTTP-only pages the way they should be treated because a bunch of Internet users who dismiss MITM attacks will cry murder if browsers do so.
And of course absent a bunch of infrastructure and pinning capabilities and authentication mechanisms that don't exist for browsers, under current usage self-signed certificates don't really prove anything about the security of your connection.
Why does everything need to be secure? A random blog doesn't need to be secure. Or a random personal website. In fact, regular HTTP is preferable there because it's faster, so it consumes less power and it can run on lower-spec machines. (No need to decrypt anything.)
This comment is the reason why browsers don't currently display giant warnings in front of HTTP pages even though they do arguably imply even less security than self-signed certificates. It has nothing to do with a browser conspiracy or narrative about "trusted" certs; browsers have largely been moving in a positive direction on that front.
This is an especially weird complaint given that LetsEncrypt has been heavily supportive of getting rid of the idea that certificates authenticate or legitimize a website in favor of certificates as purely an encryption tool.
If your problem is that people treat certificates like they're some badge of authenticity, you're really complaining at the wrong company about that.
As someone who is really tried of going through the small pain to pull a new cert every 3 months and then apply it to multiple machines.. what's the norm place for just buying a 1 or 2 year certificate? and is it pretty cheap?
You should use a reverse proxy server so you only have the cert on one machine.
I actually made one for myself in go that's been pretty fun. You can try it if you want (https://github.com/fsmv/daemon) but you should be able to set it up with apache or nginx as well.
It really comes down to automation... I've mostly used Caddy as a host and reverse-proxy for personal stuff, as well as in a couple workplace projects, the support for named domains is well baked in, and there are extensions for plugging into various dns providers if you want broader wildcard options.
To put things in perspective, a typical certificate is a few kilobytes. Let’s say 10KB of network traffic to process one certificate.
This is just 3.5 Mbps, and we’re all “very impressed” that it’s being provided for free.
A Raspberry Pi could serve this.
Certificate Authorities have convinced everyone that their service is so onerously difficult to provide that they deserve billions of dollars… annually.
The reality is that they are pure rent-seekers, charging $50 for something that can be provided for free from a fanless hobby computer.
I just want everyone to have some perspective next time you go buy a wildcard certificate for a thousand dollars, which differs from a normal certificate by just four bytes.
Let’s Encrypt’s financials are public and they aren’t running it off a singular Raspberry PI, nor anything like it - because they can’t; nor would it responsible to, at least on, say, a HSM or key seperation level.
Not to say, though, that traditional CAs aren’t rent seeking bloated greedy pieces of shit - because they absolutely are. I’m happy Let’s Encrypt found the funding and will (and the all important cross-sign) to take off and curb stomp the incumbent CAs around a bit. I still cringe every time I see an OV certificate in the wild.
30 comments
[ 3.2 ms ] story [ 82.3 ms ] threadI just had a positive experience with adding a Let's Encrypt SSL cert at Fly.io[1] for hosting my new PWA on a custom domain[2]. It was literally a one-line command to run but no DNS challenge
[1] https://fly.io/docs/app-guides/custom-domains-with-fly/#addi...
[2] https://github.com/hbcondo/revenut-app
Before HTTPS was popular, I used to see ISPs inject tracking JavaScript or ads into arbitrary websites for their "customers".
So, in some sense yes, this preserves a legitimate version of your website for the requester.
This is largely because putting a huge red alert in front of plaintext HTTP pages would provoke a huge backlash from anti-HTTPS factions on the Internet.
HTTP pages should have a big red alert on them, and browsers are very slowly but surely moving in a direction of being HTTPS by default and HTTPS-only in the limited instances where it's possible. Arguably even in that world, a site claiming that the connection is secure and then offering a bad certificate is more worrying than a site that never claims the connection is secure in the first place. But ideally, eventually, we hope that the vast majority of the web is using certificates, and that visiting an HTTP-only page should be a rare event, possibly with some kind of warning in front of it.
Browsers have at the very least gotten rid of the SSL green padlock and have de-emphasized certificate origin in their presentation, and HTTP-only pages at least get labeled as insecure in modern browsers. That's a step in the right direction. But yeah, it's tough to treat HTTP-only pages the way they should be treated because a bunch of Internet users who dismiss MITM attacks will cry murder if browsers do so.
And of course absent a bunch of infrastructure and pinning capabilities and authentication mechanisms that don't exist for browsers, under current usage self-signed certificates don't really prove anything about the security of your connection.
This comment is the reason why browsers don't currently display giant warnings in front of HTTP pages even though they do arguably imply even less security than self-signed certificates. It has nothing to do with a browser conspiracy or narrative about "trusted" certs; browsers have largely been moving in a positive direction on that front.
Or are you just being snarky for the sake of being snarky?
Bad actors can get TLS certificates issued for their phishing sites just the same as you can for a regular website. Encryption is for everybody.
If your problem is that people treat certificates like they're some badge of authenticity, you're really complaining at the wrong company about that.
I actually made one for myself in go that's been pretty fun. You can try it if you want (https://github.com/fsmv/daemon) but you should be able to set it up with apache or nginx as well.
Use it as a reverse proxy to your services
This is just 3.5 Mbps, and we’re all “very impressed” that it’s being provided for free.
A Raspberry Pi could serve this.
Certificate Authorities have convinced everyone that their service is so onerously difficult to provide that they deserve billions of dollars… annually.
The reality is that they are pure rent-seekers, charging $50 for something that can be provided for free from a fanless hobby computer.
I just want everyone to have some perspective next time you go buy a wildcard certificate for a thousand dollars, which differs from a normal certificate by just four bytes.
Count the dollars per byte.
DigiCert for example is owned by private venture capitalists.
They expect as much rent-seeking as possible to get a return on their investment.
FreeFreeFreeCerts (https://bugzilla.mozilla.org/show_bug.cgi?id=233458) or Honest Achmed’s certificate authority (https://bugzilla.mozilla.org/show_bug.cgi?id=647959) won’t make it in today’s world, nor yesterday’s.
Let’s Encrypt’s financials are public and they aren’t running it off a singular Raspberry PI, nor anything like it - because they can’t; nor would it responsible to, at least on, say, a HSM or key seperation level.
Not to say, though, that traditional CAs aren’t rent seeking bloated greedy pieces of shit - because they absolutely are. I’m happy Let’s Encrypt found the funding and will (and the all important cross-sign) to take off and curb stomp the incumbent CAs around a bit. I still cringe every time I see an OV certificate in the wild.