Give me a break. This is your literal job description, something you should be able to do blind.
If any random FE developer can put a proxy in front of their servers so can you.
TLS was expensive. And insanely profitable. The sale of Thawte to Verisign was north of 600 million. (Back when 600 million was "a lot".) Since the marginal cost of making a cert is zero it was a literal cash machine.
LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.
So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.
I can't say I'll mourn any of them.
Hundreds? Sure. Thousands? Maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way.
And yes, the actual quality of the identity check is debatable but since nobody cares the utility of it is zero.
For example: when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?
I just tried my (large, international) bank website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.
But yeah, Safari is always something I have trouble finding the cert in; they are really hiding it.
That's how someone got an EV cert for Stripe (USA).
Steak isn’t delicious because, after I pee on it, people dislike the taste.
The concept of matching a real-world identity to a public key is very much intact outside the browser world.
Yes. A green address bar isn't meaningful verification UI. That is why no other platform uses green bars for verification.
> Buypass AS has a new owner. Total Specific Solutions (TSS) took over ownership with effect from October 16, 2024.
[0]: https://www.buypass.com/news/change-of-ownership-in-buypass-...
yogorenapan•5mo ago
Kwpolska•5mo ago
nickf•5mo ago
michaelt•5mo ago
Plenty of businesses with legacy systems will happily pay $300/year for a 1-year SSL certificate, because they haven't automated renewal, and don't need to over a mere $300. This lets for-profit CAs provide something Let's Encrypt doesn't offer.
I don't get why they'd give up their one competitive benefit? Surely every customer of a paid CA is an organisation that hasn't automated certificate rotation?
crote•5mo ago
Mid-term, it'll reduce the risk of noncompliance, as large customers can no longer demand that you delay revocation. CAs no longer have to fear customers switching to their competition.
Long-term, it'll reduce their operating cost, as it is no longer necessary to handhold customers through the certification issuance and installation process. You just give them a URL, id, and key to enter a single time, and it should Just Work.
The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV. Tell the politicians that "everyone can get a basic cert these days", and that the really important stuff (like banking, hospitals, power grids) should be forced to buy EV certs.
michaelt•5mo ago
It doesn't matter how far you reduce your operating cost, if your revenue falls to zero.
> The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV.
Hah, that's a good one.
Sure, google.com and microsoft.com and amazon.com and godaddy.com and letsencrypt.org and facebook.com and twitter.com and cloudflare.com and coinbase.com and visa.com and entrust.com don't need EV certificates... but you do.
ezconnect•5mo ago
nailer•5mo ago
Google removed all the verification markers from Chrome in September 2019 - because they investigated them and nobody understands that a green box means verification.
Yes, the obvious answer is: make the verification UI look like every other verification UI, but they didn't test that. The Chrome team, especially Ryan Sleevi, thinks regular people should understand DNS. You know - apple.com.store/ipad isn't Apple, and withgoogle.com is actually Google.
o_m•5mo ago
matharmin•5mo ago
mattashii•5mo ago
See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1698936, https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
michaelt•5mo ago
The CA/Browser Forum gets to set requirements for anyone who wants to run a website. If they decide website operators should renew their certificates monthly, website operators don't have much choice in the matter.
I worry that some day members of the forum will realise how much power that actually is. If there's a trade embargo on Country A, or a genocide going on in Country B, perhaps 24-month certificates aren't the only sin they should use their power to correct.
makkes•5mo ago
I personally sleep much better knowing that e.g. all major browser vendors cooperate on the CA/B (and elsewhere, e.g. the IETF, W3C, ECMA) instead of the biggest one dictating the rules (which, to be fair, happens to a certain degree, e.g. with Chrome leading the way for certain technologies).
michaelt•5mo ago
While I agree there are an astonishing number of CAs listed, it seems to me there's no representation of website operators, or website users.
nubinetwork•5mo ago
Bad_CRC•5mo ago
rvnx•5mo ago
If you are a Let's Encrypt user, then it is nearly impossible to see (even with CT logs) that there was a malicious interception. To a website operator it looks like a pretty standard renewal, as Let's Encrypt has a short validity duration anyway.
Add on top of that in the US they have access to easy and non-BGP entry points to reroute traffic (Google DNS, Cloudflare DNS).
They can intercept in practice all Cloudflare and all Let's Encrypt sites (except that for Let's Encrypt they also need the cooperation of a friendly DNS, and have a very theoretical, small risk of getting caught in CT logs).
Big sites like Meta or Google or Amazon already have to cooperate and intercept internally so in practice almost all western internet is interceptable rather easily.
There is zero world where US gov would want to stop that.
The tech guys working for the NSA are far from being idiots, and it would be insulting to even consider that. They would fight to protect Let's Encrypt.
actionfromafar•5mo ago
hdgvhicv•5mo ago
That does not mean they wouldn't shut it down.
ayende•5mo ago
crtasm•5mo ago
throw0101c•5mo ago
* https://github.com/SSLMate/certspotter
* https://certificate.transparency.dev/monitors/
rvnx•5mo ago
Maybe <5% of devops are checking in reality (and this is very generous); even if they watch, it is very difficult to spot, since the CA is the same and the certificates are short-lived (so it is very normal that they renew).
crt.sh is even answering 502 Bad Gateway, though it's supposed to be the most used tool to check CT logs in the world.
So maybe, true for few paranoid geeks who usually don't have any information of interest anyway, but not for the 99% others.
The big websites are openly sharing data to govs, so they are backdoored by definition, and they don't need to justify anything.
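An added illustration of the monitoring the thread is arguing about (not code from any commenter, nor from certspotter or crt.sh): instead of looking at issuer or cadence, reconcile every CT-observed certificate for your names against the public keys your own ACME client generated, so a certificate from the same CA with an ordinary validity window still stands out. The record format and the sample entries are constructed; a real run would take entries from a CT monitor and the key fingerprints from your ACME client's storage.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CtEntry:
    """Minimal view of a logged certificate (constructed, not a real CT record)."""
    issuer: str
    sans: tuple          # DNS names the certificate covers
    spki_sha256: str     # hex SHA-256 of the SubjectPublicKeyInfo
    not_before: str


def spki_fingerprint(spki_der: bytes) -> str:
    # Fingerprint of the DER SubjectPublicKeyInfo; sample inputs below are stand-ins.
    return hashlib.sha256(spki_der).hexdigest()


def covers_monitored(name: str, monitored: list) -> bool:
    # Treat "*.example.test" as covering the zone; match exact names and subdomains.
    host = name[2:] if name.startswith("*.") else name
    return any(host == d or host.endswith("." + d) for d in monitored)


def find_unexpected(entries, monitored, known_spki):
    """Return logged certs covering a monitored name whose key we never generated.
    Issuer and validity are deliberately ignored: a rogue issuance from the usual
    CA with a short lifetime looks like a renewal, but the key is the tell."""
    return [e for e in entries
            if any(covers_monitored(n, monitored) for n in e.sans)
            and e.spki_sha256 not in known_spki]


# Constructed sample data: keys recorded at CSR time by our ACME client, plus a
# CT feed containing two of our renewals, one cert with a key we never made, and
# an unrelated domain that should be ignored.
OUR_KEYS = {spki_fingerprint(b"our-key-2024"), spki_fingerprint(b"our-key-2025")}
SAMPLE_LOG = [
    CtEntry("Let's Encrypt", ("example.test", "www.example.test"),
            spki_fingerprint(b"our-key-2024"), "2024-11-01"),
    CtEntry("Let's Encrypt", ("example.test", "www.example.test"),
            spki_fingerprint(b"our-key-2025"), "2025-01-30"),
    CtEntry("Let's Encrypt", ("example.test",),
            spki_fingerprint(b"someone-elses-key"), "2025-02-15"),
    CtEntry("Other CA", ("unrelated.test",),
            spki_fingerprint(b"irrelevant"), "2025-02-15"),
]

if __name__ == "__main__":
    for hit in find_unexpected(SAMPLE_LOG, ["example.test"], OUR_KEYS):
        print("unexpected key for", hit.sans, "issued by", hit.issuer, hit.not_before)
```

The check only works if every legitimate key is recorded when the CSR is made, including keys from any secondary hosts or clients that also request certificates for the same names.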
ayende•5mo ago
And the whole _point_ of the cert transparency log is that it only takes _one_ such instance to ruin the credibility of a CA.
The fact that you do that in public, and that it is _forever_, makes it very hard to do in the shadows.
ayende•5mo ago
They discovered that because they were monitoring the CT logs. And they were concerned about trademark issues. It ended up being one of the teams in "company-xyz" that had opened an account (under the company name, of course).
But that is just a small note that people _are_ monitoring those.
darkwater•5mo ago
Obviously the ACME protocol is open, but currently there are just 5 "free" providers using it (3 from the US and 2 from the EU), and nothing blocks a US adversary from implementing a Let's Encrypt-like issuer. Although I have some doubts on whether that CA would get global trust in every browser. Is the Browser Forum following US sanctions? Can a CA managed by the Cuban or Iranian government enter the CA list trusted by Chrome, Safari or Firefox? I'm genuinely asking.
toomuchtodo•5mo ago
attentive•5mo ago
fpoling•5mo ago
The only way to compete with Let's Encrypt and other free providers would be on features, like an unlimited number of renewals and guaranteed reliability.
kedihacker•5mo ago
zenmac•5mo ago
hdgvhicv•5mo ago
bityard•5mo ago