Beyond the big players like Digicert, I'm surprised smaller companies have survived LetsEncrypt for this long. They mentioned it in this post ad well, most are moving towards free providers. I wonder if we'll see more shutting down in the next few years. One thing I think they could compete on is validity period as LetsEncrypt keeps lowering theirs
o_m · 2h ago
Shouldn't we be worried about the internet being centralized to depend on LetsEncrypt? Imagine the shit show if the US government stopped LetsEncrypt from issuing certificates to every country outside of the US.
darkwater · 12m ago
I think we should, as we should every time there is one single big player.
Obviously the ACME protocol is open but currently there are just 5 "free" providers using it (3 from the US and 2 from EU) and nothing blocks anyone to have a US adversary implementing a Letsencrypt-like issuer.
Although I have some doubts on whether that CA would get global trust in every browser. Is the Browser Forum following US sanctions? Can a CA managed by the Cuban or Iranian government enter the CA list trusted by Chrome, Safari or Firefox?
I'm genuinely asking.
rvnx · 1h ago
They will not stop Letsencrypt abroad, it is clearly an asset for the US gov, the same way that Cloudflare is a worldwide MITM, it would be absurd to shut it down.
If you are a letsencrypt user, then it is nearly impossible to see (even with CT logs) that there was a malicious interception. From a website operator it looks like a pretty standard renewal as Letsencrypt has a short validity duration anyway.
Add on top of that in the US they have access to easy and non-BGP entry points to reroute traffic (Google DNS, Cloudflare DNS).
They can intercept in practice all Cloudflare and all Letsencrypt sites (except the Letsencrypt they also need cooperation of a friendly DNS and have a very theoretical little risk to get caught in CT logs).
Big sites like Meta or Google or Amazon already have to cooperate and intercept internally so in practice almost all western internet is interceptable rather easily.
There is zero world where US gov would want to stop that.
The tech guys working for the NSA are from being idiots, and it would be insulting to even consider that. They would fight to protect Letsencrypt
hdgvhicv · 35m ago
> They will not stop Letsencrypt abroad, it is clearly an asset for the US gov, the same way that Cloudflare is a worldwide MITM, it would be absurd to shut it down.
That’s does not mean they wouldn’t shut it down.
ayende · 26m ago
Sure you can, you know what your public key _should_ look like
crtasm · 11m ago
Excatly. There must be tools to automate checking newly issued certificates against your own copy, could anyone recommend a self-hosted one?
actionfromafar · 51m ago
Good thing they never do any absurd things nowadays.
matharmin · 2h ago
Luckily there are still other options out there. ZeroSSL is one I quite like: Free ACME-based certificates just like LetsEncrypt, without the rate limits, and does have paid plans if you need support. It also has better legacy client compatibility than LetsEncrypt as far as I know.
mattashii · 1h ago
I hope that ZeroSSL has improved their policies and procedures in the past years so they're more safe and robust. Four and a half years ago, there were some significant oversights in certificate lifecycle management, TOS, and handling of key material, which needed external parties to notify them of those issues before they fixed them. To me that was an indication of limited awareness of WebPKI and security principles.
The CA/Browser Forum gets to set requirements for anyone who wants to run a website. If they decide website operators should renew their certificates monthly, website operators don't much choice in the matter.
I worry that some day members of the forum will realise how much power that actually is. If there's a trade embargo on Country A, or a genocide going on in Country B, that perhaps 24-month certificates aren't the only sin they should use their power to correct.
makkes · 1h ago
From what I can see on the CA/Browser Forum's website (https://cabforum.org/about/membership/members/), there is enough diversity in the forum to represent the Web community as a whole. Trade embargoes issued by a single country would likely not be represented by enough CA/B members to be pushed through the Forum.
I personally sleep much better knowing that e.g. all major browser vendors cooperate on the CA/B (and elsewhere, e.g. the IETF, W3C, ECMA) instead of the biggest one dictating the rules (which, to be fair, happens to a certain degree, e.g. with Chrome leading the way for certain technologies).
michaelt · 1h ago
> From what I can see on the CA/Browser Forum's website [...], there is enough diversity in the forum to represent the Web community as a whole.
While I agree there are an astonishing number of CAs listed, it seems to me there's no representation of website operators, or website users.
Bad_CRC · 1h ago
I was just trying buypass for exactly that reason when I found out that they are ending it :(
nubinetwork · 1h ago
Everyone said that about cloudflare, and nothing has changed on that front.
fpoling · 1h ago
The validity of any certificate by 2029 will be reduced to 47 days.
The only way to compete with LetsEncrypt and other free providers would be on futures, like unlimited number of renewals and guaranteed reliability.
kedihacker · 35m ago
Support would be a big part of the enterprise and smaller ones pie but at 47 days everything would be integrating acme protocol so rough times ahead
To me, this seemed like turkeys voting for Christmas.
Plenty of businesses with legacy systems will happily pay $300/year for a 1-year SSL certificate, because they haven't automated renewal, and don't need to over a mere $300. This lets for-profit CAs provide something Lets Encrypt doesn't offer.
I don't get why they'd give up their one competitive benefit? Surely every customer of a paid CA is an organisation that hasn't automated certificate rotation?
crote · 1h ago
Short-term, it'll get rid of a bunch of competitors who are slower at setting up automated renewal infrastructure.
Mid-term, it'll reduce the risk of noncompliance, as large customers can no longer demand that you delay revocation. CAs no longer have to fear customers switching to their competition.
Long-term, it'll reduce their operating cost, as it is no longer necessary to handhold customers through the certification issuance and installation process. You just give them a URL, id, and key to enter a single time, and it should Just Work.
The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV. Tell the politicians that "everyone can get a basic cert these days", and that the really important stuff (like banking, hospitals, power grids) should be forced to buy EV certs.
michaelt · 1h ago
> Long-term, it'll reduce their operating cost,
It doesn't matter how far you reduce your operating cost, if your revenue falls to zero.
> The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV.
Hah, that's a good one.
Sure, google.com and microsoft.com and amazon.com and godaddy.com and letsencrypt.org and facebook.com and twitter.com and cloudflare.com and coinbase.com and and visa.com and entrust.com don't need EV certificates... but you do.
nailer · 1h ago
> Tell the politicians that "everyone can get a basic cert these days", and that the really important stuff (like banking, hospitals, power grids) should be forced to buy EV certs.
Google removed all the verification markers from chrome in September 2019 - because they investigated them and nobody understands a green box means verification.
Yes, the obvious answer is: make the verification UI look like every other verification UI, but they didn’t did test that. The chrome team, specially ryan sleevi, thinks regular people should understand DNS. You know - apple.com.store/ipad isn’t Apple, and that withgoogle.com is actually Google.
zenmac · 45m ago
And DTLS support. Last I checked, LetsEncrypt has issues with DTLS for webrtc. Don't know if it is still the case.
hdgvhicv · 33m ago
I’ve been saying that for years, but HN loves single points of failure because half the people here fantasise about building the next SPOF they can extract rents from
attentive · 1h ago
they now also compete with aws $15/year certs
jwr · 2h ago
Happy to see this, to be honest. Selling SSL certificates was always a borderline scammy business — the companies provided barely any added value, their websites were terrible, buying certificates was always a pain, and one always had to fight through various upsells (usually with no value at all).
skrause · 1h ago
Buypass was one of the free alternatives to Let's Encrypt that also supported the ACME protocol and even gave you 180 days validity.
ninjin · 17m ago
Indeed, I had just started using them at that. No account needed, you just needed to set your contact to "mailto:$EMAIL" and get on with your day. Was nice to use them for a few domains so as to make sure I had a more diverse set of tried and tested issuers, with bonus points to Buypass for being outside the US as well (Norway).
bruce511 · 2h ago
I've been around long enough to remember when getting a website was really expensive. Like hundreds of thousands of $.
TLS was expensive. And insanely profitable. The sale of Thwate to Verisign was north of 600 million. (Back when 600 million was "a lot"). Since the marginal cost of making a cert is zero it was a literal cash machine.
LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.
So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.
I can't say I'll mourn any of them.
V__ · 2h ago
But aren't there some differences? LE doesn't verify identitiy. Though I'm not saying that the big CEs are that thorough.
Kwpolska · 1h ago
Browsers stopped prominently showing the identities in EV certificates long ago. There is zero value in paying for a TLS certificate.
Telemakhos · 1h ago
I remember many moons ago, like the Netscape era, when companies that paid for EV certs got special icons and a green address and all sorts of browser indications of trustworthiness.
I just tried my (large, international) bank website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.
ctm92 · 41m ago
In Chrome you can click on the icon next to the address and then on security, it will show the name of the company the cert is issued to. Quite hidden though.
But yeah, Safari is always something i have trouble finding the cert, they are really hiding it.
kedihacker · 32m ago
Well it can be bypassed by setting up a new company with the same name. Someone had done that against stripe I remember.
nailer · 46m ago
That’s true. It’s a bit of a self fulfilling prophesy: the browsers didn’t present a meaningful verification UI, then removed the UI because users didn’t find it meaningful.
Steak isn’t delicious because, after I pee on it, people dislike the taste.
The concept of matching an real world identity to a public key is very much intact outside the browser world.
bruce511 · 1h ago
Whether the CA verifies identity or not is irrelevant. Since the end user does not see the certificate they are all functionally equivalent.
And yes, the actual quality of the identity check is debatable but since nobody cares the utility of it is zero.
For example- when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?
dark-star · 2h ago
I have been helping individuals and small businesses set up websites since the 90s. At no point in time getting a website cost "hundreds of thousands of $"
Hundreds? Sure. Thousands? maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way
abujazar · 2h ago
Kind of concerning they're not keeping TLS cert issuance even if only for the brand. Let's Encrypt is great, but it would be unfortunate if it ended up as a de facto monopoly.
For those looking to migrate, Let's Encrypt and Google Trust Services are my current favorite picks. ZeroSSL is ok but their ACME API status has been patchy recently and I'm a little worried about them.
bapak · 2h ago
> "From a sysadmin and operations perspective: What a stupid change. In the perfect cloud native, fully automated fantasy land, this might work and not even generate that much overhead work. In the real world, this will generate lots of manual work. At least, until folks replace their legacy hardware and manufacturers patch their shit."
Give me a break. This is your literal job description, something you should be able to do blind.
If any random FE developer can put a proxy in front of their servers so can you.
Obviously the ACME protocol is open but currently there are just 5 "free" providers using it (3 from the US and 2 from EU) and nothing blocks anyone to have a US adversary implementing a Letsencrypt-like issuer. Although I have some doubts on whether that CA would get global trust in every browser. Is the Browser Forum following US sanctions? Can a CA managed by the Cuban or Iranian government enter the CA list trusted by Chrome, Safari or Firefox? I'm genuinely asking.
If you are a letsencrypt user, then it is nearly impossible to see (even with CT logs) that there was a malicious interception. From a website operator it looks like a pretty standard renewal as Letsencrypt has a short validity duration anyway.
Add on top of that in the US they have access to easy and non-BGP entry points to reroute traffic (Google DNS, Cloudflare DNS).
They can intercept in practice all Cloudflare and all Letsencrypt sites (except the Letsencrypt they also need cooperation of a friendly DNS and have a very theoretical little risk to get caught in CT logs).
Big sites like Meta or Google or Amazon already have to cooperate and intercept internally so in practice almost all western internet is interceptable rather easily.
There is zero world where US gov would want to stop that.
The tech guys working for the NSA are from being idiots, and it would be insulting to even consider that. They would fight to protect Letsencrypt
That’s does not mean they wouldn’t shut it down.
See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1698936, https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
The CA/Browser Forum gets to set requirements for anyone who wants to run a website. If they decide website operators should renew their certificates monthly, website operators don't much choice in the matter.
I worry that some day members of the forum will realise how much power that actually is. If there's a trade embargo on Country A, or a genocide going on in Country B, that perhaps 24-month certificates aren't the only sin they should use their power to correct.
I personally sleep much better knowing that e.g. all major browser vendors cooperate on the CA/B (and elsewhere, e.g. the IETF, W3C, ECMA) instead of the biggest one dictating the rules (which, to be fair, happens to a certain degree, e.g. with Chrome leading the way for certain technologies).
While I agree there are an astonishing number of CAs listed, it seems to me there's no representation of website operators, or website users.
The only way to compete with LetsEncrypt and other free providers would be on futures, like unlimited number of renewals and guaranteed reliability.
Plenty of businesses with legacy systems will happily pay $300/year for a 1-year SSL certificate, because they haven't automated renewal, and don't need to over a mere $300. This lets for-profit CAs provide something Lets Encrypt doesn't offer.
I don't get why they'd give up their one competitive benefit? Surely every customer of a paid CA is an organisation that hasn't automated certificate rotation?
Mid-term, it'll reduce the risk of noncompliance, as large customers can no longer demand that you delay revocation. CAs no longer have to fear customers switching to their competition.
Long-term, it'll reduce their operating cost, as it is no longer necessary to handhold customers through the certification issuance and installation process. You just give them a URL, id, and key to enter a single time, and it should Just Work.
The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV. Tell the politicians that "everyone can get a basic cert these days", and that the really important stuff (like banking, hospitals, power grids) should be forced to buy EV certs.
It doesn't matter how far you reduce your operating cost, if your revenue falls to zero.
> The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV.
Hah, that's a good one.
Sure, google.com and microsoft.com and amazon.com and godaddy.com and letsencrypt.org and facebook.com and twitter.com and cloudflare.com and coinbase.com and and visa.com and entrust.com don't need EV certificates... but you do.
Google removed all the verification markers from chrome in September 2019 - because they investigated them and nobody understands a green box means verification.
Yes, the obvious answer is: make the verification UI look like every other verification UI, but they didn’t did test that. The chrome team, specially ryan sleevi, thinks regular people should understand DNS. You know - apple.com.store/ipad isn’t Apple, and that withgoogle.com is actually Google.
TLS was expensive. And insanely profitable. The sale of Thwate to Verisign was north of 600 million. (Back when 600 million was "a lot"). Since the marginal cost of making a cert is zero it was a literal cash machine.
LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.
So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.
I can't say I'll mourn any of them.
I just tried my (large, international) bank website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.
But yeah, Safari is always something i have trouble finding the cert, they are really hiding it.
Steak isn’t delicious because, after I pee on it, people dislike the taste.
The concept of matching an real world identity to a public key is very much intact outside the browser world.
And yes, the actual quality of the identity check is debatable but since nobody cares the utility of it is zero.
For example- when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?
Hundreds? Sure. Thousands? maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way
Give me a break. This is your literal job description, something you should be able to do blind.
If any random FE developer can put a proxy in front of their servers so can you.