Namecheap Response to Let's Encrypt

I asked Namecheap to implement Let’s Encrypt. I got this response.

"The Let’s Encrypt SSL script can be tested with Namecheap hosting. But, unfortunately, since this is a third-party product, we might not be able to troubleshoot any issues on the way.

Additionally, we would like to emphasize that free SSL certificates are not subjects to any business or company validation, therefore it is not recommended to consider them for any business entity."

Wondering what Let’s Encrypt Thoughts are on this?

Confused as to why they don’t automatically support it, as they support https://www.eff.org/ and https://www.fightforthefuture.org/.
Posting this as a reply to the community web hosting list also.

Hi @hib,

Let’s Encrypt only offers DV certificates, not OV or EV certificates. That means that the certificates don’t include verified information about the legal identity of the organization that uses them. (Let’s Encrypt doesn’t have an automated way to check that information; it would have to be checked offline, which would cost money.) However, the cryptographic security of the user’s connection to the site is the same.

Some businesses may feel that an OV or EV certificate is better for their needs. As far as I know, it’s not required by any regulations and there isn’t strong evidence that most end-users regard it as more trustworthy or commonly check the identity information. Quite a lot of businesses have been OK with our DV certificates for their business sites so far. In particular, a DV certificate is OK under the PCI rules for a site or service that accepts credit card numbers.

3 Likes

It’s true that Let’s Encrypt does not issue OV/EV certs, which many people consider important for business domains (particularly financial institutions). Rather than verifying the identity of the domain owner, Let’s Encrypt validates only that the person requesting the cert has control over the domain(s) for which the cert is requiested. However, many major online business do just fine with DV certs, of the same sort that Let’s Encrypt issues–Amazon for one, Google for another.

1 Like

11 Likes

Hmmm… Just a little hypocrisy?

1 Like

Will I get a wonderful green bar with letsencrypt?

No, the green bar is only with EV certificates. What you’ll see, assuming you configure your site correctly, is the same thing you see here. For me, that’s a green padlock, but browsers differ on that presentation.

So a green padlock is different to the greenbar?

Yes. For an example of the green bar, take a look at the screenshot that @jmorahan posted above–it not only has the green padlock, it also has the name of the company in green. In some browsers (IE, for example), the whole background of the address bar will be green with that kind of cert.

1 Like

Interesting! Didn’t know that. Thanks for clarification. I just finished talking with namecheap customer support. Apparently I have a free ssl cert that I didn’t know about. I’ll probably use that for a year, then when the year has finished, I’ll use letsencrypt. BTW, for additional reading. There’s a lot of talk about letsencrypt in the comments below namecheap articles. See comments below these articles. https://www.namecheap.com/support/knowledgebase/article.aspx/9387/2218/how-do-i-install-an-ssl-using-your-cpanel-plugin
and
https://www.namecheap.com/support/knowledgebase/article.aspx/9927/2218/working-towards-a-more-secure-web-with-cpanel-version-1162

This image (from here) nicely illustrates the difference between the green padlock (DV/OV) and the green bar (EV). Although browsers do change how they display things from time to time.

2 Likes

There’s a strong possibility browsers will phase out the green bar for EV, displaying it in the same way as DV and OV certificates are displayed now.

Some browsers have a focus on UX and not taking up UI space on unnecessary information.

And Ian Carroll’s shell corporation Stripe, Inc [US] of Richmond, KY caused a bit of a stir.

(You might have heard of that other company, Stripe, Inc [US] of Wilmington, DE, based in San Francisco, CA.)

6 Likes

Hi @hib , I use LetsEncrypt on all of my sites that I have hosted with NameCheap, except for the WordPress Multisites (multiple domains tied to the same network). All of my sites are WordPress.

LetsEncrypt works well. However, because I am on a shared server the auto-install doesn’t work for me for me, so every 90 days I just install manually via cPanel - very easy to do.

1 Like

Ah thanks for this. I’m also on a shared server so looks like I will have to do the same when my free year runs out.

Maybe a little more information about the types of certificates would be helpful at the letsencrypt-website?
e.g.


… and yes, it would be nice to get a certificate with included (& verified) name of the using person, group or initiative – preferably at a reasonable price-tag for us poor normal beings :wink:

As far as I understand, the focus of Let’s Encrypt is on full automation, on the CA side and on the requesting side. The validation of an EV certificate cannot be done automatically. There are even validation schemes which require a telephone call to the requesting party.

Namecheap are protecting their business, free is not there thing.
Amazon.com don’t have an EV certificate.
Google.com don’t have an EV certificate.

EV certificates isn’t needed, except if you want to…

@marcomsousa: Fully agree to this.

… but maybe sometimes someone will find a way to satisfy this special wishes in an until now unknown easy way? … perhaps only a question of figuring out how much people or little organizations will be able or willing to pay for such a “luxury service”. :wink:

Whether they’re “needed” is really up to (1) the person/organization who wants the cert, and (2) whoever their customers are. There is value in validating that Bank of America Corp. is actually who’s requesting the cert for bankofamerica.com, rather than (for example) someone else who managed to get the domain before the Internet got big. So, in the US at least, most financial institutions use EV certs for their websites (though one of my credit unions doesn’t). How much that value is, is a separate question, but to many people and organizations, it’s non-zero.

On the other hand, as you point out, some major Internet businesses do just fine with DV certs.

An existing thread discusses LE's plans (or lack thereof) for Extended Validation: