Namecheap Response to Let's Encrypt

It’s true that Let’s Encrypt does not issue OV/EV certs, which many people consider important for business domains (particularly financial institutions). Rather than verifying the identity of the domain owner, Let’s Encrypt validates only that the person requesting the cert has control over the domain(s) for which the cert is requiested. However, many major online business do just fine with DV certs, of the same sort that Let’s Encrypt issues–Amazon for one, Google for another.

1 Like

11 Likes

Hmmm… Just a little hypocrisy?

1 Like

Will I get a wonderful green bar with letsencrypt?

No, the green bar is only with EV certificates. What you’ll see, assuming you configure your site correctly, is the same thing you see here. For me, that’s a green padlock, but browsers differ on that presentation.

So a green padlock is different to the greenbar?

Yes. For an example of the green bar, take a look at the screenshot that @jmorahan posted above–it not only has the green padlock, it also has the name of the company in green. In some browsers (IE, for example), the whole background of the address bar will be green with that kind of cert.

1 Like

Interesting! Didn’t know that. Thanks for clarification. I just finished talking with namecheap customer support. Apparently I have a free ssl cert that I didn’t know about. I’ll probably use that for a year, then when the year has finished, I’ll use letsencrypt. BTW, for additional reading. There’s a lot of talk about letsencrypt in the comments below namecheap articles. See comments below these articles. https://www.namecheap.com/support/knowledgebase/article.aspx/9387/2218/how-do-i-install-an-ssl-using-your-cpanel-plugin
and
https://www.namecheap.com/support/knowledgebase/article.aspx/9927/2218/working-towards-a-more-secure-web-with-cpanel-version-1162

This image (from here) nicely illustrates the difference between the green padlock (DV/OV) and the green bar (EV). Although browsers do change how they display things from time to time.

2 Likes

There’s a strong possibility browsers will phase out the green bar for EV, displaying it in the same way as DV and OV certificates are displayed now.

Some browsers have a focus on UX and not taking up UI space on unnecessary information.

And Ian Carroll’s shell corporation Stripe, Inc [US] of Richmond, KY caused a bit of a stir.

(You might have heard of that other company, Stripe, Inc [US] of Wilmington, DE, based in San Francisco, CA.)

6 Likes

Hi @hib , I use LetsEncrypt on all of my sites that I have hosted with NameCheap, except for the WordPress Multisites (multiple domains tied to the same network). All of my sites are WordPress.

LetsEncrypt works well. However, because I am on a shared server the auto-install doesn’t work for me for me, so every 90 days I just install manually via cPanel - very easy to do.

1 Like

Ah thanks for this. I’m also on a shared server so looks like I will have to do the same when my free year runs out.

Maybe a little more information about the types of certificates would be helpful at the letsencrypt-website?
e.g.


… and yes, it would be nice to get a certificate with included (& verified) name of the using person, group or initiative – preferably at a reasonable price-tag for us poor normal beings :wink:

As far as I understand, the focus of Let’s Encrypt is on full automation, on the CA side and on the requesting side. The validation of an EV certificate cannot be done automatically. There are even validation schemes which require a telephone call to the requesting party.

Namecheap are protecting their business, free is not there thing.
Amazon.com don’t have an EV certificate.
Google.com don’t have an EV certificate.

EV certificates isn’t needed, except if you want to…

@marcomsousa: Fully agree to this.

… but maybe sometimes someone will find a way to satisfy this special wishes in an until now unknown easy way? … perhaps only a question of figuring out how much people or little organizations will be able or willing to pay for such a “luxury service”. :wink:

Whether they’re “needed” is really up to (1) the person/organization who wants the cert, and (2) whoever their customers are. There is value in validating that Bank of America Corp. is actually who’s requesting the cert for bankofamerica.com, rather than (for example) someone else who managed to get the domain before the Internet got big. So, in the US at least, most financial institutions use EV certs for their websites (though one of my credit unions doesn’t). How much that value is, is a separate question, but to many people and organizations, it’s non-zero.

On the other hand, as you point out, some major Internet businesses do just fine with DV certs.

An existing thread discusses LE's plans (or lack thereof) for Extended Validation:

IMHO, OV and DV certificates have equal value. The extra validation required for OV certificates makes no difference because the average website visitor can’t tell the difference between OV and DV certificates.

You literally need to read the baseline requirements from the CA Browser Forum to figure out the difference.

Firefox, Chrome, IE, and Edge all have identical displays for OV and DV certificates. AFAIK, the only way to tell the difference is to open the certificate and look at it. Then you can use these simple (/s) rules:

  • If the organization name is NOT set, it’s a DV certificate. Firefox is the easiest browser to check this with by clicking the padlock, clicking the right arrow, clicking ‘more information’, clicking ‘view certificate’, and looking at the ‘Organization (O)’ property. In Chrome you can click padlock, click the ‘valid’ link, click the ‘details’ tab, select the ‘subject’ field, and look for the ‘O=’ property.

  • If the organization name IS set, it can be either an OV or an IV certificate, so you need to check the certificate policies to tell the difference.

  • The certificate will have a policy identifier indicating the validation type:

    • 2.23.140.1.2.1 = DV
    • 2.23.140.1.2.2 = OV
    • 2.23.140.1.2.3 = IV

How many blogs have you read that claim there are 3 types of validation even though there are actually 4 (DV, OV, IV, EV)?

So, if your site visitors:

  • Click the padlock.
  • Open the certificate.
  • Navigate to the details panel.
  • Navigate to the certificate policies.
  • Know that a certificate with a policy identifier of 2.23.140.1.2.2 is organization validated.
  • Understand the differences in validation requirements between DV, OV, IV, and EV.
  • Are only willing to use your site if it’s got an OV certificate instead of a DV certificate.

Then an OV certificate might have value over a DV certificate. I say might because it takes 4 clicks into the certificate every time you visit a site to check the subject’s organization name or the certificate’s policies to guaranteed it’s not a mis-issued DV certificate.

You could also rely on visitors knowing that some certificate authorities only issue OV and EV certificates, but I doubt many non-technical people know any certificate authorities, let alone their policies on issuing certificates.

And, none of that even gets onto the topic of competence. Buying an OV or even an EV certificate doesn’t auto-magically make you competent.

TLDR; No one can tell the difference between DV and OV and, even if they can, identity validation doesn’t improve technical competency, so it’s possible for a DV site to be (technically) more trustworthy than an OV (or even an EV) site.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.