Give me a break. This is your literal job description, something you should be able to do blind.
If any random FE developer can put a proxy in front of their servers so can you.
TLS was expensive. And insanely profitable. The sale of Thawte to Verisign was north of 600 million. (Back when 600 million was "a lot".) Since the marginal cost of making a cert is zero, it was a literal cash machine.
LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.
So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.
I can't say I'll mourn any of them.
Hundreds? Sure. Thousands? Maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way.
And yes, the actual quality of the identity check is debatable but since nobody cares the utility of it is zero.
For example: when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?
I just tried my (large, international) bank website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.
But yeah, Safari is always one where I have trouble finding the cert; they are really hiding it.
Steak isn’t delicious because, after I pee on it, people dislike the taste.
The concept of matching a real-world identity to a public key is very much intact outside the browser world.
yogorenapan•2h ago
Kwpolska•2h ago
nickf•2h ago
michaelt•2h ago
Plenty of businesses with legacy systems will happily pay $300/year for a 1-year SSL certificate, because they haven't automated renewal, and don't need to over a mere $300. This lets for-profit CAs provide something Let's Encrypt doesn't offer.
I don't get why they'd give up their one competitive benefit? Surely every customer of a paid CA is an organisation that hasn't automated certificate rotation?
crote•1h ago
Mid-term, it'll reduce the risk of noncompliance, as large customers can no longer demand that you delay revocation. CAs no longer have to fear customers switching to their competition.
Long-term, it'll reduce their operating cost, as it is no longer necessary to handhold customers through the certification issuance and installation process. You just give them a URL, id, and key to enter a single time, and it should Just Work.
The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV. Tell the politicians that "everyone can get a basic cert these days", and that the really important stuff (like banking, hospitals, power grids) should be forced to buy EV certs.
michaelt•1h ago
It doesn't matter how far you reduce your operating cost, if your revenue falls to zero.
> The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV.
Hah, that's a good one.
Sure, google.com and microsoft.com and amazon.com and godaddy.com and letsencrypt.org and facebook.com and twitter.com and cloudflare.com and coinbase.com and visa.com and entrust.com don't need EV certificates... but you do.
nailer•1h ago
Google removed all the verification markers from chrome in September 2019 - because they investigated them and nobody understands a green box means verification.
Yes, the obvious answer is: make the verification UI look like every other verification UI, but they didn't test that. The Chrome team, especially Ryan Sleevi, thinks regular people should understand DNS. You know - apple.com.store/ipad isn't Apple, and withgoogle.com is actually Google.
o_m•2h ago
matharmin•2h ago
mattashii•1h ago
See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1698936, https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
michaelt•1h ago
The CA/Browser Forum gets to set requirements for anyone who wants to run a website. If they decide website operators should renew their certificates monthly, website operators don't have much choice in the matter.
I worry that some day members of the forum will realise how much power that actually is. If there's a trade embargo on Country A, or a genocide going on in Country B, that perhaps 24-month certificates aren't the only sin they should use their power to correct.
makkes•1h ago
I personally sleep much better knowing that e.g. all major browser vendors cooperate on the CA/B (and elsewhere, e.g. the IETF, W3C, ECMA) instead of the biggest one dictating the rules (which, to be fair, happens to a certain degree, e.g. with Chrome leading the way for certain technologies).
michaelt•1h ago
While I agree there are an astonishing number of CAs listed, it seems to me there's no representation of website operators, or website users.
nubinetwork•1h ago
Bad_CRC•1h ago
rvnx•1h ago
If you are a Letsencrypt user, then it is nearly impossible to see (even with CT logs) that there was a malicious interception. To a website operator it looks like a pretty standard renewal, as Letsencrypt has a short validity duration anyway.
Add on top of that in the US they have access to easy and non-BGP entry points to reroute traffic (Google DNS, Cloudflare DNS).
They can intercept in practice all Cloudflare and all Letsencrypt sites (except that for the Letsencrypt ones they also need the cooperation of a friendly DNS, and run a very theoretical little risk of getting caught in CT logs).
Big sites like Meta or Google or Amazon already have to cooperate and intercept internally so in practice almost all western internet is interceptable rather easily.
There is zero world where US gov would want to stop that.
The tech guys working for the NSA are far from being idiots, and it would be insulting to even consider that. They would fight to protect Letsencrypt.
actionfromafar•51m ago
hdgvhicv•34m ago
That does not mean they wouldn't shut it down.
ayende•26m ago
crtasm•10m ago
darkwater•11m ago
Obviously the ACME protocol is open but currently there are just 5 "free" providers using it (3 from the US and 2 from the EU), and nothing blocks a US adversary from implementing a Letsencrypt-like issuer. Although I have some doubts on whether that CA would get global trust in every browser. Is the Browser Forum following US sanctions? Can a CA managed by the Cuban or Iranian government enter the CA list trusted by Chrome, Safari or Firefox? I'm genuinely asking.
attentive•1h ago
fpoling•1h ago
The only way to compete with LetsEncrypt and other free providers would be on features, like an unlimited number of renewals and guaranteed reliability.
kedihacker•34m ago
zenmac•45m ago
hdgvhicv•33m ago