back to article Free HTTPS certs for all – Let's Encrypt opens doors to world+dog

The Let's Encrypt project has opened to the public, allowing anyone to obtain free TLS certificates and set up HTTPS websites in a few simple steps. It's a major leap forward in encrypting the world's web traffic, keeping people's information and browser histories out of the hands of eavesdroppers and and other miscreants. …

  1. Zog_but_not_the_first Silver badge
    IT Angle

    So...

    Why's The Reg still holding out?

    1. diodesign (Written by Reg staff) Silver badge

      Re: So...

      Adverts. Our media server is HTTPS'd. When our ad networks become HTTPS-friendly, so will the rest of the site. Otherwise our pages will have mixed content and that's no good.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: So...

        It looks like you use doubleclick? That is already ssl enabled and can be used with a protocol-relative link.

      2. BillG Silver badge
        Thumb Up

        Re: So...

        Why doesn't El Reg just use HTTPS for forum/comments login, then?

        1. diodesign (Written by Reg staff) Silver badge

          Re: So...

          Yes, it would be nice if {accounts|forum}.theregister.co.uk were TLS'd. Thing is, the cookie is carried over to the www site too, it appears. Our techies are working are hard as they can.

          As for the ad networks – we use a mix of them. Not all of them do HTTPS.

          Believe me, we do want to get encrypted.

          C.

          1. Gene Cash Silver badge

            Re: So...

            Thanks at least for the honest and open answer...

      3. Adam 52 Silver badge

        Re: So...

        Is anyone else getting intermittent certificate validation errors from m.theregister.co.uk?

        I'd assumed they were dodgy adverts but if the ad network isn't https that doesn't make sense.

      4. something_or_another
        FAIL

        Re: So...

        Lazy FUCKS!!! Fuck your "ad" networks. We're talking about credential exposure. Cameron holding your balls?? I block your ad network(s) - Next objection?

    2. Marco Fontani

      Re: So...

      Explained in another thread, but for a TLDR: ensuring the infrastructure can work under TLS, mainly - not "only" ads.

      True, we'll likely get a smaller pool of ads able to be served under TLS, but that's not all that important.

      Tech-wise, it's important that the user experience doesn't break if people use things like HTTPS Everywhere, or if one day we pull the HSTS trigger. And since a lot of commentards are the tech-savvy kind which try to - and do - break things or do unconventional stuff, we ought to be very well prepared.

      If it were as easy as pushing a button, we'd have done it donkeys ago.

      Thus, Soon®

    3. Anonymous Coward
      Anonymous Coward

      Re: So...

      How about instructions for IIS seeing as ~30% of websites use it?

    4. Zog_but_not_the_first Silver badge
      Thumb Up

      Re: So...

      Thanks for clarifying.

    5. something_or_another

      Re: So...

      I get down-voted for the question. LOL

  2. Quortney Fortensplibe
    Thumb Up

    At Last!

    Been waiting for this to go public, ever since i first read about in on El Reg, many moons ago. T'will save me having to explain to the couple of people I host sites for that the "self signed certificate" error they see when logging into WordPress admin [I know!] are nothing to worry about.

    Off to try it now.

    1. Stuart 22

      Re: At Last!

      Don't get too excited. Great in theory but most of us use control panels to administer our websites. They already have facilities to manage cerificates and those will mostly not match up with the client here which has the deluded belief that it, and it alone, should control your apache configuration files. It don't and the configuration file will likely be overwritten by your control panel when you do something else - breaking your https installation. That basically KOs your sites.

      You can do it manually but then you have remember to renew the certificate every 60 days which makes this somewhat more of a bind(!) than the existing free providers albeit my favourites are Russian & Chinese.

      When your chosen control panel integrates Let's Encrypt ito its system it will be great but until then it may be best to wait.

      1. This post has been deleted by a moderator

        1. -v(o.o)v-

          Re: At Last!

          It is not that simple - often it is not a question of skills. Often the hosting clients demand a control panel so they can create mailboxes etc. by themselves.

  3. Nate Amsden

    wonder how good mobile support is

    I have a wildcard cert through COMODO for my colo'd server, runs maybe $150 a year or something(the cheapest one I could find) I forget, works fine for desktop but my android devices don't like it, so I have to install the cert on them to get them to trust it. There is a more expensive wildcard cert option through COMODO last time I checked which I bet had mobile support I just didn't want to pay that for my personal server (and I didn't want to use self signed since I give https links to other people and don't want the warnings to pop up etc)

    So hopefully this service has a CA that is mobile-trusted.

    1. koolholio

      Re: wonder how good mobile support is

      Yes you will find there is a difference between mobile and desktop certificate support and method. I also doubt the CA is on the 'default' trusted CA's list for every device... so you may still find issues

    2. jonathanb Silver badge

      Re: wonder how good mobile support is

      StartSSL is $59.90, and has no problems with iOS and Android.

    3. WibbleMe

      Re: wonder how good mobile support is

      Android wont like it because of your Cyper set-up on your server you need to sort that out, searching on Google for your server type ie Centos SSL Cipher Suite will yield the results you need. This site will show what works with your current SSl https://www.ssllabs.com/ssltest/

    4. Bill Michaelson

      Re: wonder how good mobile support is

      I tried Firefox, Chrome, Dolphin and the native browser on my CM12.1 Android. All worked with no certificate complaints.

    5. Anonymous Coward
      Anonymous Coward

      Re: wonder how good mobile support is

      > I have a wildcard cert through COMODO for my colo'd server, runs maybe $150 a year or something(the cheapest one I could find) I forget, works fine for desktop but my android devices don't like it

      Are you sure you don't need to install an intermediate CA cert in the server?

  4. Novex

    Does this work for all subdomains, i.e. me.mydomain.com, me2.mydomain.com, etc, as well the main domain (which I presume is www.mydomain.com)?

    1. A Known Coward

      In short yes if those domains are configured on the server, it doesn't create a wildcard certificate.

      1. Anonymous Coward
        Anonymous Coward

        What about Exchange and Lync multi domain certs ??

        1. DougMac

          It is possible to run Exchange with 4 separate certs, instead of one cert with 3 SANs. You just have to make sure to load all certs and assign each cert to its own proper function. So much more work, but should be scriptable in ps.

          Although I don't know lets encrypt schedule for windows client, I'm sure it is being worked on.

          1. TheVogon Silver badge

            "It is possible to run Exchange with 4 separate certs,"

            No it isn't. For your OWA / CAS servers you need multiple SANs on a single cert.

  5. PacketPusher
    Big Brother

    Windoze

    Looking at the website, it appears that there is only a Linux client. Those of us required to use Windoze appear to be out of luck.

    1. LDS Silver badge

      Re: Windoze

      It looks the client is written in Python, so it could run on Windows also - just it doesn't look to support IIS yet, and I wonder if it would work with Apache on Windows.

    2. Frumious Bandersnatch Silver badge

      Re: Windoze

      Those of us required to use Windoze appear to be out of luck

      Cygwin might work, I guess, but easiest is probably to download a small live Linux distro and run the script in there. I don't suppose the script will produce configs for IIS or whatever you're running though. Still, you should be able to manually install the cert.

      Anyway, some sort of live Linux distro (like Knoppix, especially) is a good tool to have handy even in an all-Windows shop. Using it to reset a forgotten admin password or removing a corrupt page file are a couple of applications that come to mind.

      1. Sgt_Oddball Silver badge

        Re: Windoze

        Which is all well and good but from their own words they wanted to make the whole process as simple and straightforward as possible. Installing a bunch of extras including unfamiliar languages isn't ideal nor line with how easy they're making it out to be.

        (Also it's a tad difficult to run a live cd on a server in a bit farm without direct access to it or annoying customers with downtime)

        1. Frumious Bandersnatch Silver badge

          Re: Windoze

          @Sgt_Oddball:

          I suggested a live CD so that you don't have to install anything. Maybe some packages need to be downloaded (into RAM), so it might take longer, but I'm sure it's all in the READMEs.

          As for doing it on a server: don't! Stick a USB key into your laptop or whatever spare PC is to hand, boot from it, do the stuff needed to generate the cert and then copy it onto the secure server. It's not like you're going to be running this stuff (or any other configuration experiments) on a live production server, is it?

        2. Hans 1 Silver badge

          Re: Windoze

          Why would anybody want to run a web server on Windows ? It is open source, go port it ;-).

          1. Anonymous Coward
            Anonymous Coward

            Re: Windoze

            "Why would anybody want to run a web server on Windows ?"

            About 1/4 the risk of being hacked versus a Linux system as it's relatively secure out of the box, and is much easier to admin / manage, has better performance for most uses on the same hardware with the latest Windows versions and has far simpler corporate integration.

  6. koolholio

    Devils advocate

    That's all great that they're a free CA... It's not at all expensive to set up a CA... however, how long will the CA last? and more importantly is it 'trusted' by the majority? How long until an abuse of their 'supposed' secure crypto?

    1. AdamWill

      Re: Devils advocate

      "and more importantly is it 'trusted' by the majority"

      https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html

    2. Robert Grant

      Re: Devils advocate

      'supposed'

      The quotes confuse and anger me.

  7. WatAWorld

    What can go wrong?

    Am I correct that this means handing out HTTPS certificates without verifying true identity, and without identifying ownership of the domain?

    Customers use HTTPS not just for encryption but to identify that they are on an organization's legitimate website (bank, government, etc.), and not some imposter website.

    If I'm correct in understanding that these certificates are being handed out without identity verification then public trust of HTTPS will soon be in jeopardy.

    1. DaLo

      Re: What can go wrong?

      Oh come on, you can't really expect anyone to trust a root CA if it handed out any domain certificate to anyone? This isn't a back street operation.

      If it is going to get allowed onto the trust list of all the major vendors then it has obviously got domain validation. It won't have EV where it checks your company, just that the domain is authorised.

      See here if you want the technical details: https://letsencrypt.org/howitworks/technology/

    2. Bronek Kozicki Silver badge

      Re: What can go wrong?

      Let's Encrypt verifies ownership of hostname by exchanging plain HTTP messages with content / paths unique enough, against the server you want to install the certificate on, and using the hostname you want the certificate for. So, either you are permitted to run your own script in the context of webserver to allow the exchange to succeed, or you are not. In the former case you are granted certificate for hostname (not organization, it is not part of the exchange, nor is in the certificate). In the latter case you cannot get the certificate.

      1. LDS Silver badge

        Re: What can go wrong?

        It takes very little to use "very alike" names on servers you fully control and get a certificate for it using Let's Encrypt, I'm afraid.

        The problem is "encryption" is just a proper subset of "security". There are other critical needs which Let's Encrypt doesn't fulfill - the main one is true "authentication", which is a basic features of certificates - they are called that name because they are more than "encryption keys".

        I guess I'll remove Let's Encrypt CA from my systems because I will want to be notified of any cert from them.

        1. A Known Coward

          @LDS

          I'm afraid you don't seem to know how the CA system works. I can get a certificate for theregisster.co.uk from every single one of the major CAs if I possess that domain.

          If that causes you concern then you should remove _ALL_ CA root certs from your browser.

          1. Adam 1 Silver badge

            Re: @LDS

            > I can get a certificate for theregisster.co.uk from every single one of the major CAs if I possess that domain.

            Except the existence of a padlock icon would be a dead giveaway....

            1. A Known Coward
              Pint

              Re: @LDS

              > Except the existence of a padlock icon would be a dead giveaway....

              Have an upvote and a beer on me.

        2. fcheung

          Re: What can go wrong?

          You can get ssl certificates from many resellers (eg gandi) with the only requirement being proof that you control the domain by hosting a specific file at a specific path or adding a specific DNS record. In that respect lets encrypt is no different (other than the automation)

    3. brotherelf

      Re: What can go wrong?

      Well, domain certificates have never verified identity well -- the CAs are not qualified to make legal trademark decisions, for example. (Who is to say that Banko Famerica is not a perfectly common name in Whateverland?)

      And as to control of the domain: I've not looked at the protocol yet, but I'm assuming you need to have DNS records in place and pointing to the IP the client is running on for every domain name you want in the certificate at the very least. (People with load balancers are big enough to pay, I'd guess.)

      Still, the possible implications for shared hosting and dynamic dns are interesting. Time to pin your certs, I guess.

  8. sjsmoto

    But what about that https patent troll?

    http://www.theregister.co.uk/2015/12/01/cryptopeak_sues_/

    1. Steve Davies 3 Silver badge
      Trollface

      the HTTPS Patent Troll...

      Do you honestly think thst they are going to come after every individual who runs a two bit website from their Bedroom? (errr like me)

      I hardly think that we, the great unwashed are high on their target list.

      1. gerdesj

        Re: the HTTPS Patent Troll...

        "I hardly think that we, the great unwashed are high on their target list."

        ... or even within the jurisdiction of a Texan court, which is where they are doing the deed.

      2. Anonymous Coward
        Anonymous Coward

        Re: the HTTPS Patent Troll...

        "Do you honestly think thst they are going to come after every individual who runs a two bit website from their Bedroom? (errr like me)"

        Do you honestly believe that spammers are going to come after every individual with an e-mail inbox?

        1. Vector

          Re: the HTTPS Patent Troll...

          "Do you honestly believe that spammers are going to come after every individual with an e-mail inbox?"

          Why, yes, I believe spammers will go after every inbox for which they can get an address. But, then, spam is practically free and doesn't involve voluminous court filings, so there ya go.

          I'm amazed at how many banks need to contact me about security issues with my account that must be addressed immediately! If only I could remember when I established those accounts...

          1. anonymous boring coward Silver badge

            Re: the HTTPS Patent Troll...

            If in doubt, click on that link, enter your password, and install that FREE System Threat Scanner! So simple, granny could do it.

    2. Anonymous Coward
      Anonymous Coward

      I think everyone is missing their sarcasm detectors in this thread...

  9. Mike VandeVelde
    Meh

    "browser histories out of the hands of eavesdroppers"

    "browser histories out of the hands of eavesdroppers" - How does that work then? I was under the impression that https secures the content, but the requests still have to fly around for everyone to see do they not?

    Plus anyone could always have created their own certificates for free any time they wanted to, the news here is that these ones are trusted by default by browsers. Hands up who actually feels secure when your browser automatically trusts a certificate? Tumbleweeds... We've all heard how these certificate authority operations more or less function. Now handing out "trustworthy" certificates to anyone with an email address helps the "web of trust" how exactly???

    I want to be happy about this because of the names involved but... Maybe they are just poking fun at a ridiculous situation?

    1. jonathanb Silver badge

      Re: "browser histories out of the hands of eavesdroppers"

      The DNS lookup is a separate request, and they may or may not have access to that. If they are looking at the https request, they only know the IP address, not the individual website or page on that website, though knowing the IP address and the size of the file coming back may give them some clues as to what you are doing.

    2. A Known Coward

      Re: "browser histories out of the hands of eavesdroppers"

      Requests are encrypted - the only information an eavesdropper can obtain is the IP address of the server - not the pages you visit etc.

      They only hand out certificates to people who can show possession of the domain associated with the certificate. The issues experienced in the past were with CAs who handed out certificates without checking that you actually controlled the domain in question. I fail to see why all the negativity ...

  10. schafdog

    Been using it in beta for some time

    While I haven't read the protocol, it seem solid enough in my eyes. You need to own/pwn the domain and the server the IP resolves to.

    And damn it's easy. And with the possibility to automate, it's a huge step up from another (cacert.org) which also was free but required work every 6 months, and wasn't in the browser/mail clients key chains.

    I am mostly using it for mail encryption.

    1. Dan 55 Silver badge

      Re: Been using it in beta for some time

      Well this requires work every three months...

  11. This post has been deleted by its author

    1. Tom Chiverton 1

      Re: Not quite there yet

      That combination works OK here. Maybe your sever isn't sending the intermediate certificate.

  12. Martin Summers Silver badge

    Ha! That explains why my Symantec rep was so keen to speak to me about a new contract with better pricing.

  13. trenchfoot

    startcom

    Does this differ significantly from the service StartCom have offered for some years (and who I use for a few small domains)?

    I've not found any major devices or browsers without their CA cert installed as a trusted root, but the process for getting the certs - which you have to renew annually or half-annually - is a bit more of a pain than this one sounds.

    1. A Known Coward

      Re: startcom

      Yes this is different from startcom - the biggest difference is that they won't charge you to revoke or re-issue a certificate. They also automate the process including renewals.

      Don't underestimate the automation either, this includes auto-configuring the server to use a strong setup, no weak default ciphers or protocols etc. The configurations will adapt as new ciphers emerge and old ones are deprecated. Most sites operating with encryption now are still using default configurations which render them insecure since many admins assume that simply having the certificate is enough.

  14. Anonymous Coward
    Anonymous Coward

    They must be Joking!

    First I read Kazakhstan want's to give people Certificates that they can SSL-Strip and now you've got another site, offering them similar for FREE under the banner of the EFF.. Do people understand how SSL-Stripping actually works and why it's a huge security problem?

    (Thought-Crime)

    You can't be serious, trust a third party CA?!?

    You'd have to be either.. 1> Brain Damaged or 2> Phenomenally Stupid!

    Quote 'LetEncrypt'; "and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code" (all the more reason to trust them then!) Tax free "triangle" of Love!

  15. Anonymous Coward
    Anonymous Coward

    Encryption

    It doesn't have to be complex, it just has to be secure enough to not leak side channel keys.

    RSA - sadly doesn't fall into that category ever since SSL-Strip became a popular "hackers" toy along with MD5 collision!

    Hacking the way into "Kerberos" and "SSL everywhere" with TCPCrypt that doesn't use RSA Key's is not oh so hacker friendly or ever so easy!

  16. Tim Brown 1
    Holmes

    Can I get a certificate WITHOUT running their software?

    My installation is not standard, I know exactly what to do to install certificates since at the moment I'm using a self-signed one for testing. So can I get generate a certificate without all the self-install gubbins?

    1. sysconfig

      Re: Can I get a certificate WITHOUT running their software?

      Yes you can, well sort of. You need to run the software, but you can prevent it from doing anything to your config. https://github.com/letsencrypt/letsencrypt

      A bit down the page it says you should use ./letsencrypt-auto certonly --standalone [...]

      That will seemingly not install anything. Only fetches the cert for you to do with as you please, from my understanding. (I wouldn't let some random tool meddle with my config either, but there'd always be backups and "diff" to trace the exact changes it made; plus it's open source, so probably not that hard to work out what it does)

  17. ExchangeMonkeyboy

    90 Day Expiry

    Just a quick note that these certificates have a 90 day expiration. They REALLY want you to automate and renew every 90 days. Yikes!

    1. Anonymous Coward
      Thumb Down

      Re: 90 Day Expiry

      My god, it's true: https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetimes/264

      So unless you want to manually update all your servers every 90 days (within a fairly narrow renewal window?) you'll want to install letsencrypt on all your servers as root. Or pay for your SSL certs. Or use HTTP.

      From https://community.letsencrypt.org/t/frequently-asked-questions-faq/26#topic-title :

      > Why does the Let’s Encrypt client require root privileges?

      > The Let’s Encrypt client is essentially an operating system component. Generically, it requires root privileges to bind to port 443...

      That's just BS.

      Also.. the code is too complex for a quick audit. And it's Python, one step above PHP. There'll be none of this in my OS!

      1. Malcolm Hall

        Re: 90 Day Expiry

        they actually suggest auto-renewing via cron monthly but it looks like they are working on a simple auto-renew tool after beta. At the moment for this 90 day reason i'll probably stick with startSSL which is free for a year.

      2. Tom Chiverton 1

        Re: 90 Day Expiry

        That applies to auto mode only. You can use certonly as a normal user

    2. John Robson Silver badge

      Re: 90 Day Expiry

      So renew it every month by cron - how hard can it be? Looks like a simple command to retreive a new cert, and then have a simple root script copy that into place and kick apache?

      I haven't played with this yet - but I will do once my current change freeze is over...

      I wonder if I can do wierd things with DreamHost?

      1. John Robson Silver badge

        Re: 90 Day Expiry

        Bad form replying to myself - but I don't need to do anything wierd with DreamHost:

        https://www.dreamhost.com/blog/2015/12/03/lets-encrypt-and-dreamhost/

        It should be really easy!

  18. Mr Flibble

    letsencrypt is available in packaged form in (at least) Debian experimental. I don't know if the dependencies can be satisfied on current stable, but I'd not be surprised to find that they are.

  19. Lardboy

    Cloudflare?

    "You can typically expect to pay for SSL certificates, although some authorities do offer freebies. None so far, to our knowledge, are as straightforward as Let's Encrypt's free service."

    I know it's not directly analogous, but if an https website with http2/spdy is what you're after, it's between 1 and 3 clicks and less than a minute with Cloudflare. Which is also free. Nothing to install either.

  20. bpfh Silver badge
    FAIL

    Not working for me...

    On my first attempt it's telling me that my IP address has been used to much to make requests... Either they are down or I need to change my passwords...

  21. caffewmilk

    Nice but...

    ...we can all encrypt to our hearts content and still give the keys to the NSA(or any other government agency) anyways because they're going to need them once the bad guys start exploiting this resource. HELLOOOO! Think McFly, Think!

  22. Anonymous Coward
    Anonymous Coward

    This was too easy, but I don't get it.

    What exactly did it validate and how? Yeah, DV - domain validation. So LE gave me a cert because it thinks it proved that I legitimately control x.com because it did what, exactly?

  23. RonWheeler

    Meh

    If you're at work, the IT team have stuck a man in the middle cert on your PC and you can do nothing about it unless you're in the hypocrite brigade IT the IT department. Who probably also have a direct firewall rule onto the net to avoid the annoying proxy server too..

  24. This post has been deleted by its author

  25. aldolo

    distrusted indent

    i've removed indent root certificate to distrust letsencrypt.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019