
posted by martyb on Tuesday March 06 2018, @11:49PM
from the green-padlock dept.

In this short article Let’s Encrypt lists challenges ahead, like service growth, new features and infrastructure and finances.

Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

I think Let's Encrypt is a great service. Want to share your war story? Can you think of any downsides or threats related to all this?

[Ed note: SoylentNews uses Gandi for "soylentnews.org" and uses LetsEncrypt for all other domains and subdomains. --martyb]


  • (Score: 2) by Spamalope on Wednesday March 07 2018, @11:13PM (3 children)


    Why do they have such a short expire time?

    I've got a NAS with a 32-bit Atom that's unsupported on the latest NAS OS, so it doesn't have a letsencrypt app. I'm uninterested in writing an app or manually swapping certs that often. I'd done one with StartCom before the drama with them, but that was for a year.

  • (Score: 0) by Anonymous Coward on Thursday March 08 2018, @01:36AM


    There is a client written in bash: https://github.com/lukas2511/dehydrated and all sorts of other languages: https://letsencrypt.org/docs/client-options/ and one of those might work for you.

  • (Score: 2) by Pino P on Thursday March 08 2018, @01:44AM


    A short certificate lifetime keeps revocation lists manageably small, reducing the load on LE's OCSP responders that have to store that list. In addition, it allows for faster rotation of the server's private key, which limits the damage in case a compromise escapes detection.

  • (Score: 2) by TheRaven on Thursday March 08 2018, @02:46PM

    From a deployment perspective, a shorter life actually makes it a bit easier. I used to use StartSSL, and my certs lasted a year. That's long enough that I'd think that it's not really worth automating. When everyone stopped trusting StartSSL, I switched to Let's Encrypt. Configuring acme-client is a few lines in a couple of files to list the domains that I want certs for and the script for copying them to the correct locations for various services to use and restart / SIGHUP the relevant processes so that they load the new ones. And then it's done. acme-client [kristaps.bsd.lv] runs in a weekly cron job and renews my certs. Their lifetime is three months, so if it fails one week then I don't have to care unless it fails for a few weeks in a row, and my certs are always up to date. If I want to roll over the private keys periodically, I can do that in a cron job as well.
    --
    sudo mod me up
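
The renewal margin described in the comment above, as an added example that is not part of any comment in this thread: a check that stays quiet through an occasional failed weekly run and alerts only once renewal has been missed several runs in a row. The 30-day renewal threshold, the two-run tolerance and the function names are assumptions, and GNU `date` is required.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU date and an ACME
# client that renews once fewer than RENEW_AT days remain (assumed value).
RENEW_AT=${RENEW_AT:-30}       # days before expiry at which renewal is due
MISSED_RUNS=${MISSED_RUNS:-2}  # weekly cron runs allowed to fail silently

# seconds_left "notAfter=<date>" <now-epoch>
# Input is the line printed by `openssl x509 -enddate -noout`.
seconds_left() {
    case $1 in notAfter=?*) ;; *) return 2 ;; esac
    end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 2
    echo $(( end - $2 ))
}

# renewal_status "notAfter=<date>" <now-epoch>
# Prints OK, OVERDUE (renewal missed too often), EXPIRED or UNREADABLE.
renewal_status() {
    left=$(seconds_left "$1" "$2") || { echo UNREADABLE; return 0; }
    alert_at=$(( (RENEW_AT - 7 * MISSED_RUNS) * 86400 ))
    if [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -lt "$alert_at" ]; then echo OVERDUE
    else echo OK
    fi
}

# check_certs FILE...: report every certificate that is not OK; the non-zero
# exit status lets cron or a monitoring agent raise the alert.
check_certs() {
    rc=0
    now=$(date -u +%s)
    for cert in "$@"; do
        line=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null) || line=""
        status=$(renewal_status "$line" "$now")
        [ "$status" = OK ] || { echo "$cert: $status $line" >&2; rc=1; }
    done
    return $rc
}

[ "$#" -eq 0 ] || check_certs "$@"
```

Run it from a separate daily cron entry with the deployed certificate paths as arguments, so a broken renewal job is noticed while the old certificate is still valid.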