Has ISRG considered naming their certificate something other than LetsEncrypt


#1

I thought there was a near complete overlap of

  • People who know how to inspect SSL Certs, and
  • People who know what LetsEncrypt is

I was wrong. Some friends have had pushback and concerns because of the name, with execs/marketing saying “Let’sEncrypt doesn’t sound legit. Just buy a DigiCert.”

Have you considered the effect of the name on the certificate on adoption/trust? I hate to agree, but it would seem more substantial if the certificates were signed by “Internet Security Research Group X3” instead of “LetsEncrypt X3”.


#2

Counterpoint, to nontechnical people (such as those individuals referenced here), Symantec certificates would also carry weight as it’s a well-known name. However, Symantec certificates are about to be distrusted. Pardon the frankness, but how “substantial” the issuing authority’s name sounds is a terrible metric to measure anything. To virtually all users, the fact that it’s trusted by their browser is the determining factor.

If you want, show your marketing team the list of Let’s Encrypt sponsors. There are some pretty substantial names backing them.


#3

If you think about it, how many CAs actually have “legit-sounding” names? Most of the older ones are dot-com-era cyber alphabet soup, and most of the younger ones are “what .com domains are still available” cyber alphabet soup.


#4

I can’t imagine what those execs/marketing guys will say if you propose to get a certificate issued by GoDaddy :wink:

The name is as good or as bad as the reputation it gets… and in my opinion Let’s Encrypt is getting a really good reputation. We should ask those guys in a couple of years what they think about Let’s Encrypt.


#5

I totally agree, the reputation that Let’s Encrypt has created itself is proof that users are capable of learning to trust names like, well, Let’s Encrypt’s.

The way I see it, the people who obsessively inspect SSL certificates should know by now that a trusted name is a trusted name — regardless of all the other details. Think of it this way — Google has their own Intermediate Certificate, which is used to secure all of their websites, and even the most obsessive visitor will see that it is cross-signed by a trusted root authority, which means that a trusted company had to go through the trouble of vetting and doing the paperwork.

If someone ever says this to you, just pull up any website that makes use of a Let’s Encrypt certificate and show them the lock in the address bar — this should be all they need as proof, and if it’s not you can educate them.


#6

I wouldn’t necessarily assume that someone bothers (or even knows how) to inspect certificates just because they’ve heard of DigiCert. They may simply recognize the name from those site seals that are unfortunately still a thing.


#7

The people I know who ran into this issue all knew this was backed by EFF/Mozilla and showed their colleagues the sponsors. It didn’t matter. The reply was a swift “So? It looks amateurish. If an end-consumer sees this, will they trust it?”

A few years ago an e-commerce company I helped manage was pitched an offer from one of the then-major CAs. If we purchased their “premium” package for an (astronomically high) fee, we could put a “Secured by ____” site-seal logo on our checkout next to the payment button. To sell it in, they gave us a 3 month free trial and guaranteed an increase in checkout conversions that would more than offset the price. We had something like 30-50% upticks on parts of our conversion funnel from this, so purchased a full year of their “service”.

I like and trust LetsEncrypt. Everyone here obviously does, as this is a self-selecting group. My question isn’t a status poll of where people from this (small and non-diverse) community stand on this issue – my question is if ISRG’s leadership considered how branding on the actual certificate can affect trust perceptions of end users.


#8

I don’t necessarily disagree with your arguments, but this topic really saddens me. Choosing CAs because of their names rather than… anything relevant to security or usability? :disappointed_relieved:

More objective cents from me:

Let’s Encrypt does not provide site seals since, whether or not they are profitable, they do not convey trust.

Respinning the intermediates with a different name would be a pretty massive hassle.

On the other hand, Let’s Encrypt is scheduled to create ECDSA roots and intermediates eventually, so they could be named something else, and it would be somewhat less of a hassle to generate new RSA intermediates then.

There was actually a recent case of some old server software that did not support certificates with ’ in the name.

Totally rebranding Let’s Encrypt at this late date sounds like a massive hassle, and extremely counterproductive, since the existing name is already well known.

Rebranding the certificates would probably cause more trouble than it’s worth. We would get a lot of confused users who want to know what in the world an ISRG is and why they don’t have a Let’s Encrypt certificate.

Many of these things could be studied and quantified – at significant cost – but I’m just saying things.

Let’s Encrypt is a non-profit with the goal of increasing Internet security, not a corporation pursuing 100% market share. It’s not actually bad if people use other CAs.


#9

Absolutely. For clarity, I’m specifically talking about the “Issued by” in the certificate name - not the naming of anything else. This might, or might not, be worth doing on the eventual roots. I just wanted to make sure the ISRG staff consider this aspect if they haven’t already.


#10

Maybe you have a point… :thinking:


#11

That people can’t use Google?


#12

End users not only don’t care about the issuer name, they never see the issuer name. If they do, they certainly don’t pay the slightest bit of attention to it.


#13

Hello, I help out doing comms for Let’s Encrypt and ISRG. Thanks for your insight into conversations around adoption.

As you can imagine, the Let’s Encrypt name was chosen with great consideration. As a nonprofit CA, our goal is to make the Web more secure and privacy-respecting by removing financial and technical barriers, so the Let’s Encrypt name is meant to be approachable and accessible. It sounds different because we are different.


#14

I agree. Most users don’t even see the “Trusted by …” part on the certificate inspection dialog. The only differences with paid certificates that actually give additional benefit are EV (shows green bar with applicant name) and the “Secured by …” logo. And that’s actually the fine line between Let’s Encrypt and paid services.

I think it goes like this, “Want to secure your sites? Let’s Encrypt should be enough. Want those added values (EV, logo)? Get a paid one”.


#15

I think that this discussion covers a lot of different things. First of all there are many in organisations that make statements regarding things that they have no idea what they are talking about. Saying that Let’s Encrypt does not sound legit falls into that category. (It’s like some don’t believe you can get anything without some financial cost.)

The name Let’s Encrypt originally defined the ethos of the target, so was good. There may be a worthwhile discussion in the future for a name change, but that is not now in my opinion. It’s not worth changing unless there is a lot of confusion or there are other enhancements that a change of name can reflect. Acceptability being one of them, but with a stated over 50% share of the market that appears to be hard to prove.

That Twitter response happens a lot with other things and is because the answer was not defined properly. So instead of “Let’s Encrypt”, a statement such as “Use a Let’s Encrypt certificate.” Not everyone knows what SSL/TLS means other than that it is a certificate required for secure websites. They don’t know how it works, etc., or the names behind them. Hence why we in the UK saw advertising to the general public by the likes of, IIRC, Symantec, and GoDaddy did it indirectly by their web hosting television campaign. There are many web developers who only know that they need a certificate and not a lot more.

I personally do not have a lot of faith in the higher value and priced certificates or the claimed insurance benefits. In most cases the Let’s Encrypt certificate will suffice. However a bank, government, utility company, etc. is likely to want everybody to have general respect for their security, so will go for a paid certificate. So they may have used a Symantec one that is, in my opinion, virtually in the junk scenario these days and will take a lot of effort to recover. And though there are web hosters such as Rochen that work with Let’s Encrypt, there are still those that see their income dwindling and do everything to dissuade or prevent the use of non-paid certificates. I have shared hosting with Arvixe for testing purposes and they also want to be paid for certificates, but I put up with manually authenticating and installing a certificate every three months. However for production that is not sensible, so you then have to use somebody that allows Let’s Encrypt with automatic renewals or pay for one. And I started using ZeroSSL when it first came on-line and have continued to. The guy or guys behind that need a big slap on the back.