by cnst 4148 days ago
This offer sounds great!

However, I must ask -- what's their business model?

Even as great as the offer is, this is akin to the free sample... Because once you deploy the https:// address scheme, there is no going back. On the other hand, this would have been perfect if there was opportunistic encryption within HTTP.

3 comments

State-sponsored CA perhaps?

I'd be a little suspicious of anything too free like that. I hate to be too xenophobic but I can't say the thought didn't cross my mind.

> Because once you deploy the https:// address scheme, there is no going back.

Unless you send the HSTS header, that's not true. Even so, you could just set the HSTS expiry time to the certificate's expiry (which would have to be done within your code, sadly).
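The idea in the comment above, tying the HSTS lifetime to the certificate's remaining validity, could be computed per response as follows. This is an added example, not code from the thread; the function names and the `margin` and `cap` parameters are assumptions, and the notAfter string is constructed sample input.

```python
import ssl
import time

ONE_YEAR = 31536000  # assumed upper bound for max-age, in seconds


def hsts_max_age(not_after, now=None, margin=0, cap=ONE_YEAR):
    """Seconds a browser may pin HTTPS without outliving the certificate.

    not_after: notAfter string in the format returned by
               ssl.SSLSocket.getpeercert(), e.g. "Jan 15 00:00:00 2016 GMT".
    now:       current Unix time (defaults to time.time()).
    margin:    seconds to stop short of expiry, leaving time to renew
               or to move back to plain HTTP.
    cap:       never advertise more than this many seconds.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    remaining = int(expiry - now) - margin
    # An expired (or nearly expired) certificate yields max-age=0,
    # which tells the browser to drop its HSTS entry for this host.
    return max(0, min(remaining, cap))


def hsts_header(not_after, now=None, margin=0, cap=ONE_YEAR):
    """Return the (name, value) pair to attach to an HTTPS response."""
    age = hsts_max_age(not_after, now, margin, cap)
    return ("Strict-Transport-Security", "max-age=%d" % age)


if __name__ == "__main__":
    # Constructed sample: certificate expiring on 15 Jan 2016.
    sample_not_after = "Jan 15 00:00:00 2016 GMT"
    thirty_days_before = ssl.cert_time_to_seconds(sample_not_after) - 30 * 86400
    print(hsts_header(sample_not_after, now=thirty_days_before, margin=7 * 86400))
```

Because browsers count `max-age` from the moment they receive the header, the value has to be recomputed on each response for the pin to end at the certificate's expiry rather than after it.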

What do you mean it's not true without HSTS? Do modern browsers now automatically switch to the http:// address scheme if https:// is no longer available?

Because otherwise, unless you don't care about incoming links, bookmarks etc, there is indeed absolutely no going back, with or without HSTS. That's the problem, only solvable with opportunistic encryption.

And if you have dozens of domains and subdomains, what would you do in 2 years if this only CA is then kaput? The value of their offering is definitely above 100 USD, it would appear.

> Do modern browsers now automatically switch to the http:// address scheme if https:// is no longer available?

Browsers do not, humans do.

EFF is going to be giving out free certs starting later this year. https://letsencrypt.org/ It's not too surprising someone would lower prices now to adjust.

This is becoming a freemium product.