Stay Classy, Cert Companies

Let’s Encrypt has been a welcome addition to the security landscape – if only because it’s nice to do business with someone who actually gives a damn.

The trouble with HTTPS has always been more of a “business model” thing than a technical thing – anyone can set up strong encryption on their server and send/receive encrypted traffic to their users, but the initial connection needs to also confirm to the user that the site is who it says it is, and therein lies the rub.

The solution for the past 2 decades or so has been to have big corporations (called certificate authorities) who are trusted by browsers (the software, not the people) issue the certificates and keys needed for encryption. When a browser connects, it can identify whether or not one of the certificate authorities vouches for your website. If it does, the browser knows to trust that it is, indeed, connecting to the correct site.

This is a crucial step, as otherwise another site, posing as, say might manage to trick a browser into connecting to it. The connection itself would be perfectly encrypted, but the encryption would be for nought – as the user would be sending all their private data to the wrong party.

The problem with this arrangement is twofold – it forces site operators to decide whether or not a site is worth spending money to encrypt and it puts the issuing of certificates and keys into for-profit organisations who have varying demands for determining site identification. The end result: many sites remain without encryption.

Let’s Encrypt was created to resolve this specific issue.

Its certificates are free and its validation method is simple and sufficient enough for basic security to be meaningful.

The official client also allows for automatic renewal of the certificates as needed – which is handy (nay, essential) as the certificates which are issued have a 90 day expiry – one quarter that of a typical, paid-for, certificate.

Why the short expiration dates? Issuing so many certificates with such minimal, automated validation (not so much as an email/postmaster check or credit card) increases the risk1, which Let’s Encrypt can then mitigate by issuing shorter certificates.

Of course, making this service so freely available, sweeps the legs out from the basic sales made by existing CAs.

To date, I’ve seen two responses:

The ever eccentric folks at StartCom have announced “StartEncrypt”2 – their own Let’s Encrypt-style client to help automate the, frankly crappy, process of renewing and updating certificates.

Apparently this is what it took for them to actually get around to trying to address that issue, but exceptional customer service hasn’t been a prevailing trait of StartCom.

To be fair, StartCom’s business model is somewhat refreshing amongst the other monkey-see-monkey-do CAs out there; they charge for validation (at varying levels, starting from free), and then you can issue as many certificates as you like for free during the validation period.

There are a couple of points that make me hesitant to recommend their services though – all of which is linked to their almost hostile customer service.

They have a somewhat opaque policy on exactly what qualifies a site for using their completely free validation. Their website itself is a hilarious parody of what a self-service web application should be. And the basic validation involves sending high quality, unadulterated scans of your official government identification for indefinite storage in a foreign country3.

Thanks, but no thanks.

Then there’s Comodo – the largest CA of the bunch.

Comodo’s response to Let’s Encrypt’s innovation was to attempt to register various forms of “Let’s Encrypt” as their own trademarks.

Their CEO went on to suggest that supporters of the not-for-profit were trying to bully them into, you know, being ethical, and that everyone should just relax and let the law handle this. Since, as we all know, IP law with regards to software has an excellent track record for being sensible and effective.

Comodo even went so far as to suggest that Let’s Encrypt was ripping off their business model, since issuing totally free 90-day certificates automatically in perpetuity is just like issuing a one time trial after making users jump through dopey hoops.

Stay classy, Comodo.

The other CA’s aren’t going anywhere any time soon though, since they provide other certificate products – most notably wildcards (for any number of single-level subdomains) and Extended Validation (EV) certificates.

The former is mostly a convenience (although sometimes very, very important), but the latter actually serves an additional, distinct purpose: proving that the people who run the site are who they say they are (as opposed to the site being what it says it is).

The EV process is intrusive (perhaps to some extent, necessarily) and inefficient. It discourages small operators from buying in to the process. The solution to that problem?

I don’t know.

But Let’s Encrypt is clearly making an impact right now, and that’s a good thing.

  1. Update circa 2019: It’s actually not significantly less, if any less reliable than what your average paid authority does.
  2. Update circa 2019: Start is now gone. I shed no tears.
  3. unless you happen to live in Israel

Leave a Reply

Your email address will not be published. Required fields are marked *