I’m a user, tho I’ve set up Linux boxes.
I DON’T understand the tech discussion here, but I thought maybe someone else would, and might want to deal with NameCheap. Or not. I don’t need help with this feature directly but thought using LE on NC would be neat. YMMV?
Joshua Vogel Julia Zemetskaya • 20 days ago
I host several sites on namecheap, and I’m considering moving them because of this ridiculous policy.
There is no logic behind the notion that a private company charging money for a service is any more secure than a transparent, publicly audited alternative.
Using a private, for-profit certificate issuing authority will cost me more annually than your hosting fees! Are you kidding me? I’d be saving money to move to one of the many dozens of hosting companies that charge comparable amounts, but let me use Let’s Encrypt.
Tell whoever is in charge that this is an idiotic business decision, and that you’ve got at least one really annoyed customer here.
Julia Zemetskaya Mod Joshua Vogel • 18 days ago
Thank you for your feedback on this matter. We do understand your concerns for sure.
Though we believe increased web security is a good thing, we also think that using certificates from free providers can get more risk and uncertainty into your business.
Additionally, we would like to draw your attention to several disadvantages and drawbacks of Let’s Encrypt certificates:
No OV/EV support or possibility (no possibility to issue a certificate with medium or high assurance and user trust level);
No Windows/IIS support for now (impossible to issue a certificate on IIS/MSX environment);
Insufficient level of domain validation and the absence of brand validation ( All publicly trusted CAs are flagging the certificates containing IT, financial and other public words, brands etc for additional security checks, which is not applicable for LE.)
Multiple machines hosting the same name can’t get a separate cert for each machine ( in a nutshell, it is not possible to reissue the certificate, makes the server vulnerable for DROWN attack).
No policy on automated blacklists: once you are blocked by the system (for hosting malware) you cannot get a new cert for some period of time.
Cipher suite configuration is still manual (the certificate installation is automated, all other settings are manual).
Root access needed to install and run ACME-script. Indeed, some plugins can be installed on shared servers, still they do require at least sudo-user access (due to the fact that for certificate installation “httpd” process should be reloaded, which cannot be done by non-sudoer). Users with “jailed” access (non-sudo) do not have rights within Linux shell for such operations.
Script is able to overwrite server configs (such practice is considered insecure due to ability of script to upload, execute, write and read system files, which exposes the server and kernel for multiple vulnerabilities).
No wildcard support (impossibility to issue a wildcard certificate that can cover 1 domain and all same-level subdomains).
Exposing the private key to third-party (it is considered as insecure practice, as once the private key is compromised, it is relatively easy to strip HTTPS session and sniff data within decrypted channel).
Multiple vulnerabilities of ACME protocol and attacks on it ( for example, MitM-attack on integrity check, signature reuse on ACME-connection itself, DNS injections, DNS attacks etc. More info about that can be found in multiple sources, e.g: https://tools.ietf.org/html… , https://www.agwa.name/blog/… , https://github.com/letsencr… etc . )
Impossibility of adding custom or server-specific OIDs (object identifiers) SSL certificates ( as LE PKI is cross-signed, it is not possible to alter it within given restrictions).
Validity period (for LE certificates - only 90 days, for all trusted certificate provides - up to 39 months).
With all that being said, it is still possible to install LE certificate on our shared server via SSL/TLS manager >> Manage SSL Sites if you have a certificate, private key and CA bundle codes in separate files.
Additionally, it is possible to install LE auto-installer on VPS and dedicated servers.
Since the nature of shared and reseller hosting implies having a significant number of independent customers’ accounts on the same server instance, we cannot put at risk our other clients by enabling not fully secure technology.