A stupid question from somebody who doesn’t really know anything about PKI: is it a problem that they make certificates for 30% of domains? Would it be a problem if they made certificates for 100% of domains?
I kind of wish that Mozilla, Apache, maybe Microsoft, etc. would offer similar services with a compatible API so we could spread the load a bit and diversify. Wishful thinking though.
I haven’t tried their services, but https://www.buypass.com/ssl/resources/acme-free-ssl claims to offer free SSL certificates by using the same ACME protocol as Let’s Encrypt. It might be worth checking it out, if only for the sake of diversity as you say.
The danger that jumps out at me is that getting your root CA trusted by browsers is a slow and expensive process. If LE gained a monopoly and tried to cash in, getting a competitor up and running would be a non-trivial amount of effort.
That said I think there are factors that work against that as well:
Overall I don’t think anyone can argue that LE hasn’t dramatically improved the landscape of TLS CAs.
I wonder how many of the expired certs are due to Let’s Encrypt cron jobs not doing what they should
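The check that a renewal cron job is supposed to be making, as an added example that is not part of this thread or of any Let's Encrypt tooling: parse a certificate, compute how long it has left, and flag it as due for renewal when it is inside the renewal window or already expired. It assumes the Let's Encrypt numbers (90-day lifetime, renew with 30 days left) and builds its own self-signed certificates with a made-up name so it runs offline; a real monitor would read the certificate from disk or from a TLS handshake instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindow is how far ahead of notAfter a certificate should be renewed.
// Assumption: Let's Encrypt's 90-day certificates, renewed with 30 days left.
const RenewalWindow = 30 * 24 * time.Hour

// CertStatus is the result of checking one certificate against a point in time.
type CertStatus struct {
	Subject   string
	NotAfter  time.Time
	Remaining time.Duration
	Expired   bool
	Renew     bool // inside the renewal window, or already expired
}

// CheckPEM parses the first CERTIFICATE block in pemData and reports whether
// it is expired or due for renewal as of now.
func CheckPEM(pemData []byte, now time.Time) (CertStatus, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Subject:   cert.Subject.CommonName,
		NotAfter:  cert.NotAfter,
		Remaining: remaining,
		Expired:   remaining <= 0,
		Renew:     remaining <= RenewalWindow,
	}, nil
}

// SelfSignedPEM builds a constructed self-signed certificate that is valid for
// lifetime starting at notBefore. It stands in for a CA-issued certificate so
// the example runs offline; the subject name is made up.
func SelfSignedPEM(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Three constructed cases: freshly issued, 20 days left, expired a week ago.
	cases := map[string]time.Time{
		"fresh":   now,
		"renew":   now.Add(-70 * 24 * time.Hour),
		"expired": now.Add(-97 * 24 * time.Hour),
	}
	for name, issued := range cases {
		pemData, err := SelfSignedPEM("example.test", issued, 90*24*time.Hour)
		if err != nil {
			panic(err)
		}
		st, err := CheckPEM(pemData, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s notAfter=%s remaining=%5.1fd expired=%v renew=%v\n",
			name, st.NotAfter.Format("2006-01-02"), st.Remaining.Hours()/24, st.Expired, st.Renew)
	}
}
```

Wiring `CheckPEM` into a monitoring job that runs independently of the renewal cron is the point: if the renewal job silently stops, the only thing that notices is a second job that asks the question "how many days are left?" and alerts well before zero.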
Author here. I’d figured they were big, but I had no idea that big until I did a www-wide TLS scan. The dataset is freely available on S3 if you wanna analyze it yourself! Here for questions
They give away paid products for free. Products that Google penalizes you for not having. Then, many people needing or wanting that product used their free alternative.
I still don’t know if that vs. a version with more paying customers is a good thing in the long run. Good for now, though.
The old situation with SSL certs was classic artificial scarcity. They successfully convinced people that having a human in the issuance pipeline offers better security and charged people for it.
I don’t know if scandals with StartSSL et al. issuing backdated and outright fake certs and experiments with EV certs issued for “Stripe inc.” registered in a different state reached the mass consciousness, but it seems there’s now tacit acceptance of the fact that “the cert belongs to the person who controls the domain” is all the authenticity you can achieve without checking the fingerprints yourself. Naturally that took business away from people charging $100/yr for incredibly cursory authenticity checks.