Date: 2017-06-29
Let's Encrypt Hits New Milestone: Over 100,000,000 Certificates Issued (letsencrypt.org)
Josh Aas, the executive director of Internet Security Research Group (ISRG), writing for Let's Encrypt: Let's Encrypt, a free, automated, and open certificate authority, has reached a milestone: we've now issued more than 100,000,000 certificates. This number reflects at least a few things: First, it illustrates the strong demand for our services. We'd like to thank all of the sysadmins, web developers, and everyone else managing servers for prioritizing protecting your visitors with HTTPS. Second, it illustrates our ability to scale. I'm incredibly proud of the work our engineering teams have done to make this volume of issuance possible. I'm also very grateful to our operational partners, including IdenTrust, Akamai, and Sumo Logic. Third, it illustrates the power of automated certificate management. If getting and managing certificates from Let's Encrypt always required manual steps, there is simply no way we'd be able to serve as many sites as we do. The total number of certificates we've issued is an interesting number, but it doesn't reflect much about tangible progress towards our primary goal: a 100% HTTPS Web.
I'm not sure that one of these certs is any better than a self-signed cert...
It's trusted by the browser by default, so it has that going for it.
Also, unlike self-signed certs it demonstrates that the person requesting the cert has control over the hostname(s), which is pretty much all I ever had to do when I paid for a non-EV certificate.
How does it demonstrate that? Can you explain specifically what makes this better than self-signed certs? What is the basis of trust used to establish ownership? What prevents an attacker with access to a victim's wires from using LE to obtain fraudulent certificates?
They're a little better in that the fact that they come from a cert authority gives you some assurance that you're not being MITM'd. But it has always been stupid that browsers treat an HTTPS connection with a self-signed cert differently to an HTTP connection.
They get treated differently because they're different. Self-signed certs are generating encrypted traffic, HTTP isn't. I know you already know that, but your flippant reply seemed to brush it off as if that's not a difference.
Also, self-signed certs are sometimes more secure than the public CAs. If you're using them for internal purposes, and you know the origin of them, you can guarantee they're safe. If you use a public CA, you never know what gov't or three-letter agency they've allowed to spoof a f
It's considerably better than a self-signed cert. Browsers don't accept self-signed certs by default, throwing up big nasty warnings. Let's Encrypt is a fully-accepted CA.
It also costs as much as a self-signed cert. That is, nothing. Higher utility at the same price is higher value.
Actually these certificates are far better than a cert you'd buy commercially. The only way to get one is to control a server within the domain name. This is more verification than you get on anything but an EV cert.
Google started giving higher rankings to websites with HTTPS/SSL than websites without a certificate. Since Let's Encrypt is a free option at my hosting provider, I got certificates for all my domains and subdomains.
No! It expires every 90 days and you can renew after 60 days. RTFM.
I stand corrected. After double checking my configuration, I have a different set of certs (five or so) expiring and renewing each month.
