and yeah… companies can pay for certs but most others cant. I run a server that has multiple websites on it and im usually adding a new site about every other month. I couldn’t afford to pay for a new cert every time i make a new website. I would also have to account for things like last minute domain changes, which would be costly. Some wildcard certs can be upwards of 400$! Making everyone pay for certificates would make many hobbyists such as myself not even bother with SSL due to it being too expensive, which would lead to lots of insecure sites. So SSL is gonna have to stay free.
So do a MASSIVE number of legitimate sites.
I take offense at my sites being lumped in with phishing sites just because I don’t have $200 to spend on a wildcard certificate
Nope, you need a muti-domain SAN EV certificate and pay the highest price you can find on the market to prove your clients / visitors you are legitimate.
P.S. In case it doesn’t sound like that, I’m joking.
Yes, so you should consider that your website will be threated as criminal because of scammers, because you are using LE. Sorry to say that but in time my point of view will prevail over web enviroment
I guess someone forgot to let Cisco, Google, Facebook, various governments around the world and others know they are either criminals, or are aiding and abetting criminals (generous donors supporting let’s encrypt).
Also, Someday the padlock is going to disappear (And that day can’t come soon enough, a secure by default future is a good future). At that point the old notion of teaching users a padlock means it’s safe will be moot
You should also stop going to your local grocery shop and/or supermarket. I bet they also sell food to criminals.
Please read this:
Then why would you want to block LE? By your own account, you’ve never encountered a scam website using a LE (or any other) cert–you only visit 4-5 websites and shops. But then you say this:
…and your story just doesn’t add up. There’s no way you’d be spending any time at all, much less an “immense amount of time”, to “dig trough all the garbage fakes”, with the browsing habits you describe above. One of these statements is not true.
Hmmm … if you do, you will also block THIS forum site.
Odd assumption. Normal users don’t bother to check what CA a site is using (if they even know what a CA is), so treating a site as unsafe due to its CA is a decision that ultimately would have to be made by browser developers. Google and Mozilla are both Platinum sponsors of Let’s Encrypt (which is the highest level of sponsorship).
Your belief that “HTTPS should mean a site is trustworthy” is not shared by most security experts. It’s actually considered a dangerous misunderstanding of what HTTPS is - it indicates your communication to the server can’t be intercepted, and nothing more. This is why browsers are moving away from the green padlock UI, instead treating HTTPS sites as neutral, and plaintext HTTP sites as “not secure”.
If you’ve been assuming sites are legit because the url starts with https://, you’ve been making a security mistake. If you block LE sites and carry on with that assumption, you’re continuing to make the same mistake, with an added false belief that you’ve solved the problem. (There are plenty of other CAs, including free ones.)
I can imagine the train of thought of a non-disclosed community member in the near future: “Hmm, looks like a scamming site. But it has a green lock! And I blocked Let’s Encrypt. So it must be a safe site to enter my credit card number!”
All other free ones use the free tier as a way to push their paid offerings, though. Or did I miss some CAs?
Buypass Go is one. They use ACME and are compatible with Certbot with the --server flag.
However they don’t provide wildcard certificates for free.
Yeah, I knew about them (and only them). They also have a
60 180 days expiration, which somebody might prefer.
6 months, not 60 days.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.