16

You remember how much we got milked before LetsEncrypt came to our rescue?

Comments
  • 5
    Just a low $99.95/year for digital pierce of mind..... god bless LetsEncrypt.

    I still prefer something more "main stream" for e-commerce though, but for everything else there's LE!
  • 4
    If you use let's encrypt for any commercial product I have bad news for you.

    Anyone remember what happens when a trusted CA is no longer trusted?

    Take a quick Google on Symantec SSL certificates 2017.

    I use LE certs on my personal sites and apps, but I would NEVER use them for commerical or enterprise solutions.
  • 1
    @sariel what would you use for commercial apps?
  • 1
    @C0D4 what’s one example of a “main stream” cert provider and why would you choose them particularly for e-commerce apps?
  • 1
    @gymnasium outside of the cloud providers, I used to use Comodo. Most websites today only use DV based certs, this is fine for most things.

    For ecommerce the SSL cert used to be and still to a degree a sign of trust, having an EV or even an OV based certificate ensures that level of trust a lot more then a standard DV cert.

    Since most companies moved to the cloud, i think the EV and OV certs are a dying breed though.

    LetsEncrypt is great for replacing the DV certs and since it auto renews it's self these days it's even better.
  • 1
    @gymnasium Digicert.

    Almost all resellers, like Symantec, use Digicert signed certs.
  • 1
    I have not seen a single serious company using LetsEnrypt. Granted they might just not know it exists. And for me the main advantage is the real auto renewal, certs aren't that expensive
  • 1
    We use it.

    @sariel and yes. This can happen to any CA.

    Even Digicert if they fuck up.

    That's the whole point of it.
  • 0
    @IntrusionCM it's about trust.

    Digicert has been around for almost 20 years.

    Let's encrypt is much shorter than that, and thus has less trust.

    I trust Digicert to continue to provide services to continue to make money.

    What money does LE make again?
  • 2
    @sariel Quite a lot.

    https://letsencrypt.org/sponsors/

    As most large companies have even larger internal networks, Let's encrypt is practically a tit for tat effort.

    Btw I won with the same argument in our company: Invest once, automate, be done or pay yearly fees - which will cost way more than the implementation of automation.
  • 0
    @IntrusionCM you won the argument and?

    Sponsorship does not equate into a valid business model. Without a working business model the product they provide cannot be trusted to stay in place.

    Also, if you're concerned with a couple hundred dollars in certificate costs per year you've got bigger problems with your budgets.

    At my current employment our infrastructure operating costs are roughly $80,000 a year for the project I work on. Certificates are .5% of that budget, and that's with .2% of costs covered for certificate maintenance.

    I get it, you don't have to pay for for any of that. But I never have to worry that the automation broke, or LE is no longer, or the CA has been compromised.
  • 1
    @sariel The CA can be compromised at any time.

    That's exactly what I'm pointing out.

    It doesn't matter which company, every company had major fuckities.

    Even Digicert can make mistakes.

    https://nakedsecurity.sophos.com/20...

    Well. That's great for your company.

    At our company we have a few hundred domains... Which drove the costs pretty high.

    Regarding failure of automation: Going down that route means you wouldn't do any automation at all. Which is dumb for the simple reason that overburdening yourself / the administration team will lead to the same thing: Human error due to being stressed out.

    If it comes down to it it doesn't matter if it's LE or DigiCert or anyone else.

    It matters more that you have a very close and sharp eye on everything.

    By everything I mean everything.

    Be it TLS CA, the automation, the humans behind the infrastructure.

    ... While having a certain level of trust.

    If you don't have it, you'll micromanage.

    If you micromanage you become exactly the thing you want to avoid: The reason for fault.
  • 0
    @IntrusionCM clearly you won your argument by default.
Add Comment