Hacker News new | ask | show | jobs
by lifeisstillgood 3933 days ago
To be honest I had not heard of them till now, and I am a bit confused even after reading some of their site...

So if the difficult part of being a CA (which I think is verifying that I, Paul Brian, own and control the rights to barlcaysbank.com and should have a certificate in that name) if that bit is either not done (!) or is reliant on donations to be able to afford it, is this going to work?
2 comments
tokenizerrr 3933 days ago
This is not what regular style certificates verify. That is what Extended Validation certificates verify and they're not issued by letsencrypt.org and generally are a lot more expensive.

The only thing that regular-style certificates verify (this is what current CAs do, you can also grab a free one with automatic validation at https://www.startssl.com/) is that the person who controls the domain name has requested the certificate. This is usually done by serving a specific file over HTTP once, setting a TXT DNS record or responding to mail to postmaster@yourdomain.tld

link
toomuchtodo 3933 days ago
> This is not what regular style certificates verify. That is what Extended Validation certificates verify and they're not issued by letsencrypt.org and generally are a lot more expensive.

I'd like to see LetsEncrypt move into this territory though. What current private business providers are charging for this service is border-line extortion.

link
schoen 3933 days ago
EV validation will have a marginal cost because of the offline interactions. DV can be done at almost no marginal cost. That's why Let's Encrypt can exist at all.
link
icebraining 3933 days ago
FWIW, you can already get an SSL cert for $4/year.
link
Buge 3933 days ago
"this territory" was referring to EV certificates. Those cost more than $4.
link
icebraining 3933 days ago
I misread the post, sorry :|
link
lifeisstillgood 3933 days ago
But the certificate is (supposed) to say we have verified that this person / organisation exists and is "allowed" this domain.

Now if we extend the idea of every business or even human having their own (sub)-domain (lots of good benefits there) then we are in the territory of ensuring the CA's track you from birth - that's what governments do, and boy are they expensive.

I think what I am saying is we either have CA we can trust or we dump the whole thing and go to web of trust

link
tokenizerrr 3933 days ago
That ship has sailed years ago. And now we have EV certificates to deal with that problem.
link
schoen 3933 days ago
For the time being, it's DNS registrars who define who is allowed particular domain names, and DV CAs just try to draw the connection between what the registrars have said and the server you're visiting at a particular moment.
link
lifeisstillgood 3933 days ago
Well. I missed that memo. Or rather I kinda sorta knew it was getting devalued, but a Padlock in my browser is something I trust. If it's not trust worthy or verified should we not go the whole hog, dump trusted public keys from all browsers and move to the web-of-trust / certificate pinning.

From the blog:

   just too much of a hassle. The application process can be 
   confusing. It usually costs money. It’s tricky to install 
   correctly. It’s a pain to update.
If the reason there is not enough SSL around is because it's too much hassle for webmasters, I doubt there is a solution. If you want to take payments you get SSL. if that's too much hassle PCI compliance is going to really stretch you.
link
hueving 3933 days ago
The padlock means you are connecting to the owner of that domain. That's a very valuable guarantee.

EV validation and whatnot is essentially a nice way to burn a ton of money on borderline extortion.

link
velox_io 3933 days ago
Vanilla SSL verifies the the website is legit, EV verifies that the business is legit. More competition will lower the price, there's tons of room for cheaper & faster EV providers.
link
nailer 3933 days ago
> But a Padlock in my browser is something I trust.

On the padlock note, Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Only EV certs get a full green one (as well as the legal name as other browsers show for EV). See https://certsimple.com/blog/dv-ssl-in-microsoft-edge

link
eric_bullington 3933 days ago
> Microsoft Edge shows a hollowed out, grey padlock for DV certificates.

Firefox does the same. Luckily, Chrome is unlikely to do the same, since google.com itself is "only" domain validated.

link
finnn 3933 days ago
Now we just need to add a big red icon for http sites...
link
cpach 3933 days ago
Mozilla actually have announced their plans to deprecate plain HTTP: https://blog.mozilla.org/security/2015/04/30/deprecating-non...
link
losvedir 3933 days ago
Yeah, verifying that "www.barclays.co.uk" is the correct URL for Barclays Bank PLC is what EV is for.

The other important role of a certificate is verifying that the server you're connected to is the correct one for the URL in the address bar. I may not know or care who "Hacker News" is supposed to belong to, but I do care that I'm connecting to the legit news.ycombinator.com, the same one I connected to yesterday, and that I'm not being Man-in-the-Middle'd.

The latter is what letsencrypt is for.

    |browser|- letsencrypt verifies -|server|- EV verifies -|organization|
link