I think the bigger of the two learnings from https://letsencrypt.org/ is the subtler one: of course people love getting things for free, but their lasting contribution to the state of web security is "Automating cert renewal is The Right Way To Do It and manual renewal is a bug."
Hell, I know companies (employer excluded) who have an internal CA for internal projects which obviously has free certs just an API call away and they still have outages because certs expire.
Sure, but the old way ensured a flow of sweet sweet money to the cert vendors, and they weren’t incentivized by their customers’ uptime.
It's great for MITM protection, transport encryption. But it doesn't solve the trust problem. Makes it slightly worse. Are big brains looking at that problem?
There are EV certificates. A large part of the problem is the UI. Browsers could reverse the domain from the certificate and display that next to the padlock instead of just "Secure", e.g. "com.paypal". Not perfect, but makes the common exploits harder.
Good work went into this as ACME protocol standardization. https://en.m.wikipedia.org/wiki/Automated_Certificate_Management_Environment
I love LetsEncrypt, but I understand that some renewals (as you incur expenses) need validation from various parties in a big org. There are tools to monitor certificate expiration and emit alerts to the people involved. Lack of auto-renewal is no excuse for such outages.
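As an added example of the expiry monitoring the tweet above calls for (this is not code from anyone in the thread): a Go check that parses a certificate and flags it when fewer than a threshold of days remain, with a constructed self-signed certificate standing in for a real one. The names CheckExpiry and MakeTestCert are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type ExpiryStatus struct {
	Subject   string
	NotAfter  time.Time
	DaysLeft  int  // negative once the certificate has expired
	NeedAlert bool // true when fewer than warnDays remain (or already expired)
}

// CheckExpiry parses a DER-encoded certificate and reports how long it has left
// relative to now; this is the check an expiry monitor runs on every cert it tracks.
func CheckExpiry(der []byte, now time.Time, warnDays int) (ExpiryStatus, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return ExpiryStatus{}, err
	}
	remaining := cert.NotAfter.Sub(now)
	return ExpiryStatus{
		Subject:   cert.Subject.CommonName,
		NotAfter:  cert.NotAfter,
		DaysLeft:  int(remaining.Hours() / 24),
		NeedAlert: remaining < time.Duration(warnDays)*24*time.Hour,
	}, nil
}

// MakeTestCert builds a self-signed certificate (constructed test input, not a real one) expiring daysValid days after now.
func MakeTestCert(cn string, now time.Time, daysValid int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notAfter := now.Add(time.Duration(daysValid) * 24 * time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

In production the DER bytes would come from the TLS handshake or the CA's API rather than MakeTestCert, and a NeedAlert result would be routed to whoever owns the renewal.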