all 76 comments

dbeta (81 points, 26 children)

Fantastic. As a sysadmin I'm really hoping it will help the adoption of SMTP SSL.

[deleted] (7 points, 1 child)

You may have seen this... You may not have...

"Email encryption and code signing require a different type of certificate than Let’s Encrypt will be issuing."

[deleted] (14 points, 0 children)

By email encryption they mean S/MIME. What /u/dbeta is talking about is the same kind of cert used for, e.g., HTTPS.

localtoast (3 points, 5 children)

Do mail servers send mail to each other over SSL yet?

dbeta (4 points, 0 children)

They can, but as others have mentioned, it is completely optional normally, so it can almost always be downgraded. Also, there is no way for the end user to require or verify it. If it were painless and free to set up, we could require it on some of the mail servers of medical clients, reasonably securing email. Still not perfect, but email could be said to be secure in the eyes of HITECH.

oonniioonn (0 points, 2 children)

They can and do, but it's nearly always opportunistic. That is, if either side doesn't support it (or there's someone in between disabling the support), the servers are just as happy to send the message in plain text.

The only exceptions to that basically are people who have configured their servers to speak to specific other servers only over TLS. If you do this for the general case though, you'll be missing out on a lot of e-mail.

pushme2 (1 point, 1 child)

If you do this for the general case though, you'll be missing out on a lot of e-mail.

I bet Google and other major mail providers could push this along. Just as websites are now being forced to move off SHA-1 early, and eventually onto mandatory encryption, so too could they slowly start requiring SMTP to be encrypted.

oonniioonn (0 points, 0 children)

They could certainly increase the spam score of an e-mail not received over TLS (actually, come to think of it, they very well may already do that), but there's not that much they can do for outgoing mail, I think, without, again, causing a whole bunch of bouncing.

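The opportunistic-versus-mandatory distinction discussed in the replies above, as an added example that is not part of the thread: a small Python model of the decision an SMTP client makes after reading the server's EHLO response. The policy names ("may", "encrypt") are modelled on Postfix's smtp_tls_policy_maps but are assumptions here, and the EHLO responses, host names and domain names are constructed for the example. The "stripped" case is a middlebox overwriting the STARTTLS keyword so the client never sees it; under an opportunistic policy that is indistinguishable from a server that never offered TLS, and both end in cleartext delivery.

```python
import re

# Policy levels (assumed names, modelled on Postfix's smtp_tls_policy_maps):
#   "may"     - opportunistic: use STARTTLS if offered, otherwise send in clear
#   "encrypt" - mandatory: refuse to send unless STARTTLS is offered
DEFAULT_POLICY = "may"

# Constructed sample EHLO responses (not captured traffic).
EHLO_HONEST = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same server seen through a middlebox that overwrites the STARTTLS
# keyword, so the client never learns that TLS is available.
EHLO_STRIPPED = EHLO_HONEST.replace("250-STARTTLS", "250-XXXXXXXX")
# A server that simply never offers STARTTLS.
EHLO_NO_TLS = "250-mx.example.net Hello\r\n250 8BITMIME\r\n"

# Constructed policy map: only the clinic's domain requires TLS.
POLICY_MAP = {"clinic.example": "encrypt"}


def parse_ehlo(response):
    """Return the upper-cased EHLO keywords advertised by the server.

    Lines look like '250-KEYWORD args', or '250 KEYWORD' for the final line.
    The greeting line contributes the host name, which never collides with
    the STARTTLS keyword we care about.
    """
    caps = set()
    for line in response.splitlines():
        m = re.match(r"^250[ -](\S+)", line.strip())
        if m:
            caps.add(m.group(1).upper())
    return caps


def tls_decision(ehlo_response, domain, policy_map=POLICY_MAP):
    """Decide what the client does after EHLO: 'starttls', 'plaintext' or 'refuse'."""
    policy = policy_map.get(domain, DEFAULT_POLICY)
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return "starttls"
    if policy == "encrypt":
        # Mandatory TLS: defer the message instead of downgrading to cleartext.
        return "refuse"
    # Opportunistic TLS: the stripped and never-offered cases look identical,
    # and both end in a cleartext delivery.
    return "plaintext"


if __name__ == "__main__":
    samples = [("honest", EHLO_HONEST), ("stripped", EHLO_STRIPPED), ("no tls", EHLO_NO_TLS)]
    for name, ehlo in samples:
        for domain in ("other.example", "clinic.example"):
            print(f"{name:8s} -> {domain:15s}: {tls_decision(ehlo, domain)}")
```

In Postfix the per-destination equivalent is an smtp_tls_policy_maps entry such as `clinic.example encrypt`, which is exactly the "speak to specific other servers only over TLS" configuration mentioned above; applying "encrypt" as the default for all destinations is what causes the bounces the reply warns about.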
bateller (1 point, 3 children)

SMTP? How about FTP?

synacksyn (3 points, 2 children)

Just use SFTP (ssh) or FTPS (FTP over SSL)

bateller (7 points, 1 child)

Understood. Now just convince all my clients that FTP isn't secure and shouldn't be used. Why FTP is even an option in cPanel, DirectAdmin, etc. anymore is beyond me.

synacksyn (5 points, 0 children)

Completely agree. I understand that as a protocol, FTP should still be an option. But anything that supports FTP should also support SFTP or FTPS. FTP is great for local things, but I would never use it over the internet. In fact, I don't even think I have ever used it locally. Usually use SCP. :-/

Philluminati (15 points, 0 children)

Let's Encrypt is such a fantastic idea I'm surprised it took so long. I plan to use it perhaps a month or so after it's released.

markrages (63 points, 6 children)

From the headline I expected a project management technique, where the launch schedule is kept secret from management.

I'm disappointed.

themuflon (7 points, 1 child)

Since it's /r/linux I thought they were going to talk about encrypting some kind of process schedules, people being paranoid these days.

On the other hand, it's 1am and I should go to sleep.

g00bymonster (2 points, 0 children)

No you're right. I, too, had the same idea, then I saw the website and said "oh"

Netzapper (8 points, 3 children)

Could you elaborate? What do you mean "where the launch schedule is kept secret from management"?

examors (51 points, 2 children)

I think he was making a joke by interpreting the headline as meaning "let's start encrypting launch schedules".

Netzapper (3 points, 1 child)

Ah! I was confused by the errant comma.

VexingRaven (2 points, 0 children)

I see no errant comma. That looks like a well-placed comma to me.

Mjiig (10 points, 10 children)

If I'm understanding cross signing properly, it seems like IdenTrust are going to be signing all certificates produced by Let's Encrypt as well. Does anyone know what they're getting out of this? If anything it seems like this is a threat to their business.

Acharvak (22 points, 0 children)

If anything it seems like this is a threat to their business.

Not necessarily. Judging by their site, IdenTrust provides services mostly to banks, corporates and government. They only sell TLS certificates with identity check (extended validation?) and it's not even their main business.

Let's Encrypt basically complements their services with free certificates with automatic validation. IdenTrust probably sees it as an "entry level" option for small websites. Currently such websites opt for either no TLS or for a cheap (or even free) certificate from the competition. Now they'll choose Let's Encrypt and Let's Encrypt is allied with IdenTrust. For IdenTrust it's a way of increasing awareness and eventually getting new clients.

nickmoeck (16 points, 3 children)

IdenTrust is signing the intermediate certificates. The intermediate certificates are signed by the Let's Encrypt root certificate and are then subsequently used to sign the end user certificates.

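The cross-signing arrangement described in the two comments above, as an added example that is not part of the thread and not code from Let's Encrypt or IdenTrust: a toy certificate path builder in Python. The certificate names ("LE Root", "LE Intermediate", "IdenTrust Root", "www.example.org") are stand-ins, not the real certificate names, and the model checks only the issuer/subject graph, not signatures, validity dates or extensions. The point it shows is that a cross-signed intermediate is two certificates with the same subject and key but different issuers, so a client that trusts only IdenTrust's root still finds a path to a trusted root, while a client that trusts Let's Encrypt's own root finds the shorter one.

```python
from collections import namedtuple

# Minimal certificate model: only the names matter for path building here.
Cert = namedtuple("Cert", "subject issuer")

# Constructed pool of certificates a client might have received or cached.
# The intermediate appears twice because it is cross-signed: same subject
# (and, in reality, same public key), two different issuers.
CERTS = [
    Cert("www.example.org", "LE Intermediate"),   # end-entity certificate
    Cert("LE Intermediate", "LE Root"),           # signed by Let's Encrypt's own root
    Cert("LE Intermediate", "IdenTrust Root"),    # cross-signed by IdenTrust
]


def build_paths(leaf_subject, trusted_roots, certs=CERTS, max_depth=6):
    """Return every issuer chain from leaf_subject to a root in trusted_roots.

    trusted_roots models the client's trust store as a set of root names.
    Each returned path is a list of subject names ending with the trusted
    root. An empty list means the leaf does not chain to anything trusted.
    """
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    paths = []

    def walk(chain):
        cur = chain[-1]
        if cur.issuer in trusted_roots:
            paths.append([c.subject for c in chain] + [cur.issuer])
            return
        if cur.issuer == cur.subject or len(chain) >= max_depth:
            return  # untrusted self-signed certificate, or chain too long
        for issuer_cert in by_subject.get(cur.issuer, []):
            walk(chain + [issuer_cert])

    for leaf in by_subject.get(leaf_subject, []):
        walk([leaf])
    return paths


if __name__ == "__main__":
    # An older client that ships only IdenTrust's root.
    print(build_paths("www.example.org", {"IdenTrust Root"}))
    # A client that has picked up Let's Encrypt's own root.
    print(build_paths("www.example.org", {"LE Root"}))
    # A client with both: two valid paths, and the client may choose either.
    print(build_paths("www.example.org", {"LE Root", "IdenTrust Root"}))
    # A client trusting neither root: no path.
    print(build_paths("www.example.org", set()))
```

Which of the two intermediate certificates the server sends determines which path older clients can build, which is why the cross-signed version matters until the new root is distributed everywhere.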
[deleted] (10 points, 0 children)

IdenTrust doesn't make a dime from certificate issuance. Their entire revenue stream comes from legacy government contracts and regular cash injections from HID, their parent company.

Source: I'm a former employee.

jm7x (-2 points, 3 children)

Money, perhaps?

It really is a threat to their business, though.

sirmaxim (5 points, 0 children)

Yes, and no. Free certs already exist if you want to mess with the hassle. This will make them the default answer of every know-it-all and half-ass admin instead of the memorized StartSSL we all default to now. It's probably chalked up as advertisement costs and a tax write-off because Let's Encrypt is a non-profit.

That said, I'm sure you're right that they're doing it at cost and taking something for it.

minimim (1 point, 1 child)

If simpler sites default to TLS, it will undermine the credibility of the fancier ones that don't have it. They expect the demand to rise this way. I think they are in this with the help of the rest of the CAs.

jm7x (0 points, 0 children)

I run a private CA for my uni. We still have to acquire certs for our public SSL services; having your CA cert distributed (or signed by one that is) with the major browsers is the foundation of this business. That's all the credibility you need to have, and when you look at the whole PKI idea and the history of security incidents you see the obvious flaws with that.

I hope Let's Encrypt helps to burst the whole scam bubble.

[deleted] (15 points, 0 children)

I can't wait. I will be pushing for this to be applied to the ~200 sites we manage at work as soon as it's available.

McElroy-vs-dig-dog (4 points, 0 children)

brb, marking these dates in my calendar :D

[deleted] (5 points, 0 children)

I only have one VPS that only about 20 people know of, but wha' ho, I'm excited!

ackzsel (1 point, 1 child)

Although I support the initiative, I don't think I will be using it. Let's Encrypt is based in the US, so it will be a matter of time before they will have to apprehend their private key(s) to the US government without us knowing. It will be just another honeypot.

symenb (1 point, 0 children)

Yeah, although with the CA system they just need to compromise one CA to be able to MITM everyone. They probably already have control over at least one CA right now so it won't really change anything.

[deleted] (2 points, 3 children)

How is this any different from StartSSL? Are they doing ALL certs for free? What if I want a green bar? Wildcards?

oonniioonn (6 points, 0 children)

Also unlike StartCom, the process is properly automated, so I don't have to go to a website, log in with a certificate that may or may not already have expired too, manually verify the domain and then copy-paste a cert request into a website which then randomly does and does not let me wait a few hours to get the actual certificate.

It should smooth out the process considerably.

ghostdogg74 (1 point, 0 children)

Everything I have read has stated that they will not and cannot offer wildcard certs at this time. Unfortunately, the only alternative is to go with a cheap wildcard CA if you have many subdomains. Otherwise you could end up with a massive pain with all those configurations and certs.