This has been a problem on the web in the last few years: vendors selling TLS/SSL certificates post sponsored content on blogs with false or misleading information in order to discredit free, open providers like Let's Encrypt. It happened again this week and we wanted to talk about it.
The back story
A post went up on css-tricks.com by GoGetSSL, who have been aggressive online in the last few months, fighting everyone they can. The post was requested by Chris Coyier https://twitter.com/chriscoyier, who in his own words asked for a comparison:
It’s my own ignorance at work here a bit. I’m not expert enough in this realm to spot false claims easily, hence me asking about the LE comparison.
The post outlined a few points.
- Let's Encrypt requires users to know about server management to install.
- Paid TLS/SSL providers let you know when it expires, and Let's Encrypt sometimes won't renew due to volume.
- Paid TLS/SSL verifies the business and gives the user trust in the business.
- Paid TLS/SSL protects the public IP.
- Paid TLS/SSL gives you a warranty.
These are just some of the points made; you can view the original post as an image here.
The reality of the points listed above.
- No, they don't. Any modern control panel has a single CLICK to enable Let's Encrypt, and then manages and renews the certificates for you automatically (we also do this in our panel).
- So does Let's Encrypt. If you set up LE on your own and request the certificate with your valid email address, you will get alerts before it expires if renewal fails.
- Not anymore. All such indicators are gone from browsers, and the actual TLS/SSL spec lists certificate type as NOT a trust-ranking indicator, not to be used as a form of identity verification or trust.
- No, and we can't find anything about this other than providers like CloudFlare that act as a proxy and do this for you, but that works with and without TLS/SSL, so it's not certificate driven.
- As many have found, this is a warranty for the end user, and to date no TLS/SSL seller has been able to provide any case of this warranty being claimed, even when providers have been asked. https://scotthelme.co.uk/do-ssl-warranties-protect-you-as-much-as-rocks-keep-tigers-away/
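Whatever the provider, the expiry check that matters is the one you run yourself: a renewal that silently fails shows up as a certificate close to its notAfter date. The script below is an added example, not code from the original post or from Let's Encrypt; it classifies a certificate in the layout Python's ssl.getpeercert() returns, with a constructed sample certificate (example.test is a placeholder, not a real host) and an optional live fetch.

```python
import ssl
import socket
from datetime import datetime, timezone

# Let's Encrypt certificates live 90 days, so alert well before the end of
# that window; 14 days leaves time to fix a broken renewal job.
ALERT_DAYS = 14

def days_until_expiry(cert, now=None):
    """Days left on a cert dict shaped like ssl.getpeercert(); negative if expired."""
    # cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' string as UTC.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (not_after - now_ts) / 86400

def expiry_status(cert, now=None, alert_days=ALERT_DAYS):
    """Classify a certificate as 'expired', 'expiring' or 'ok'."""
    left = days_until_expiry(cert, now)
    if left <= 0:
        return "expired"
    if left <= alert_days:
        return "expiring"
    return "ok"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live, chain-validated certificate of host (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",  # 90-day lifetime
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(host) if host else SAMPLE_CERT
    print(host or "sample", expiry_status(cert), round(days_until_expiry(cert), 1))
```

Run it from cron with a hostname argument and page on anything other than "ok"; that check works the same for a paid certificate as for a free one.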
The response on twitter
GoGetSSL went crazy on Twitter, attacking users and telling them they would take legal action against users for questioning the points made in the post. It took a few days, but once the post was removed from css-tricks https://css-tricks.com/gogetssl/ following input from Troy Hunt and Scott Helme, the social media account behind GoGetSSL deleted the tweets, leaving threads looking like this.
They did apologize on Twitter after the tweets were removed.
The result is simple: TLS/SSL certificates are now free, it will stay that way, and that has providers like GoGetSSL fighting for relevance on the web. We wish them all the luck, but you should never lie to get business. Unless you absolutely MUST have a paid TLS/SSL certificate, Let's Encrypt is all you need.
A message to TLS/SSL certificate Providers
We are in a new age of internet access, where so many providers and technology companies are fighting for relevance online through social media. We must stop this abuse of social media for gain and harm. This has been especially a problem with security and TLS providers in recent years. A specific type of certificate should never be used as an indication of trust; even the specs say not to use it as a measure of the trust and authenticity of a service. Certificates should be free, and access to security should be free and open for all.