Rant I've been paying for SSL Certs since 2006

SimplyComplex

Member
Jul 4, 2009
72
6
71
Apparently you can get SSL certificates for free via LetsEncrypt (a free open source SSL project). I've been paying $10-15/yr for each domain. I know you can self-sign but browsers haven't liked that for a long time (because it can be spoofed). Between all of my domains, that's just about $1,000 over the years. My current hosting company even directly supports LetsEncrypt with a little icon and setup page. It literally took 30 seconds in my CPanel to switch from AlphaSSL to LetsEncrypt. And unlike before, my subdomains are covered (at least I didn't blow an extra 5 grand on wildcards). If my SSL provider hadn't jumped their rates by almost 50% over last renewal (in 2016), I never even would have found out about the alternative. BuySSL is another free provider, though it isn't integrated into my webhost and I'd have to update it manually.

I know there's an argument against LetsEncrypt (lack of OV/EV for one), but at a minimum it would be great for subdomains. If I wanted to keep a different provider for the main site I can just issue the LetsEncrypt for each of the subdomains, and keep my existing one for the top level. I never wanted to pay for wildcard, so my webmail and cpanel have never had SSL until today.
 

Red Squirrel

No Lifer
May 24, 2003
70,157
13,567
126
www.anyf.ca
Yeah I discovered them a few years back. Was considering HTTPSing some of my sites but hated the idea of paying so when I found out about them I decided to set it up.

For stuff like webmail and other admin stuff I always just did self-signed before though, as it's just me that needs to access it anyway.
 

Red Squirrel

I don't think they restrict what type of use but you'd probably want to double check.

Of course a big company would not want to go with them because it's free; companies always like to go with the "bigger", more expensive brands like Verisign, Thawte, etc. Not sure whether or not those provide better encryption. I think the only thing they might offer that's better is the support, and extended validation, and other stuff like that, but if you're just trying to secure people's logins into a forum or even a shopping cart it's not really needed, or at the very least, not worth the extra cost.
 

SimplyComplex

> I think the only thing they might offer that's better is the support, and extended validation, and other stuff like that

This is correct. And for enterprise, I wouldn't go with LetsEncrypt for that reason. For "literally who?" website operators such as myself, it's nice. If my site disappeared from the internet for a day or two... meh? But if you have some weird problem (and those happen) the last thing you want is certificate warnings or even DNS problems spitting out on your car dealership website. One lost sale is going to be a bigger deal than 10 years of wildcard SSLs from Verisign. The one great thing about SSL certs from the major providers is extremely quick support.

If you're selling t-shirts you make in your own house... I'd probably still pay, but it's probably fine to use LE. But anything rising to true enterprise would be worth the cost for support. Unless your "enterprise" is some kind of SEO farm with oodles of websites.
 

Spacehead

Lifer
Jun 2, 2002
13,067
9,858
136
I'm surprised you'd never heard of LetsEncrypt before, being that you administer websites.

LetsEncrypt is great for an average person with a simple website that wants https. With a push toward trying to get all/most sites using https, it's a very cool idea to make it so easy. But it's also easy for bad guys too.

I definitely don't want to go to a website where I'm entering CC/personal info/etc. & see they're using LetsEncrypt & not an EV cert from someone reputable.
 

Dulanic

Diamond Member
Oct 27, 2000
9,965
590
136
I love LE, I've been running it in a container for years and it's very set it and forget it since the container handles it all for me.
 

Red Squirrel

> I'm surprised you'd never heard of LetsEncrypt before, being that you administer websites.
>
> LetsEncrypt is great for an average person with a simple website that wants https. With a push toward trying to get all/most sites using https, it's a very cool idea to make it so easy. But it's also easy for bad guys too.
>
> I definitely don't want to go to a website where I'm entering CC/personal info/etc. & see they're using LetsEncrypt & not an EV cert from someone reputable.

People forget that HTTPS is for encryption, not to validate that a site is legit. Anyone can start an online site, and just because they encrypt it does not mean it's safe, because they can still ask for your info and then use it maliciously. Your info will be encrypted all the way to the server but you still have to trust the end site. Nothing stops a scammer from getting an expensive EV cert from Verisign for a scam site. I guess once Verisign finds out they are using their cert for a scam site they would revoke it though, so you are probably not that likely to see a scam site using such a cert.

From a site admin point of view I would also be concerned that LE's infrastructure might not be as skookum as Verisign's, and there is probably a greater chance of their servers going down, so I guess it's a question of how much money you want to spend for "insurance" or if you just want to chance something that is fairly rare.

Not even sure how LE makes money TBH but hopefully they stick around.

I guess if you are VERY serious you can always start your own CA; that way you can host all that stuff in house. Any service can go down for one reason or another, so the less reliance on outside services the better it is typically, but it's not always feasible.
 

SimplyComplex

> being that you administer websites.

I own a few domains. Not a one is ranked in Alexa's top 50,000. They're mostly zombies from 2006-2010. I can't say I've done much of anything since then aside from a minor edit when Google changed their whole SEO in 2014.

> Not even sure how LE makes money TBH

It's literally subsidized by the tech giants like Microsoft and Google. They wanted universal https, and decided that would never happen if websites had to pay for SSL certs. Which is why I'm not worried about it when someone says "But what if it fails?"
LE is less likely to go down in the next 2 years than Verisign or Comodo. While I assume both companies are fine, I have no idea what's going on in the background with them. The odds of Apple, Verizon, and Facebook failing in the next few years are basically zero.
 

Red Squirrel

That's good to know the tech giants are backing it. But yeah I heard the percentage of sites on it is actually quite high so I don't see them going anywhere any time soon. I think they also take donations.
 

Spacehead

> Nothing stops a scammer from getting an expensive EV cert from Verisign for a scam site. I guess once Verisign finds out they are using their cert for a scam site they would revoke it though, so you are probably not that likely to see a scam site using such a cert.

Isn't the point of an EV cert that the CA does a thorough "background check" on the person/entity asking for the cert? Now that I think about it, I guess it depends on the CA issuing the cert though.