SSL Cert for online site

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,678
This thread has really run away, but both sides to this have a point. If you just want to encrypt the link between the browser and server, then Let's Encrypt does the job. There's no real difference between getting it from them or a more well-known commercial issuer. However, perception does play a part, and is very much dependent on what you want to use the SSL for. Most consumers nowadays are trained to look for the "green bar", and aren't going to check the SSL certificate details for the issuer. So in a case like that, where you're running a mainly consumer-facing service, you'd want to get an EV SSL certificate, which makes this whole argument easy, because Let's Encrypt don't offer EVs.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
55,031
Ahh should have just said LE

It is only that ISRG is more diverse with many core members like Akamai, Cisco, Mozilla, OVH, etc. This is what is of great importance to them:

https://letsencrypt.org/2015/10/29/phishing-and-malware.html

The CA's Role in Fighting Phishing and Malware

Currently Let's Encrypt is thoroughly abused, and also used to ‘protect’ malware. ISRG needs to clamp down on these activities or users need to be more educated on using the internet by guiding them with browser and search engine mechanics. Having Let’s Encrypt run rampant with malicious use may have ISRG's initiative severely hurdled.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
It is only that ISRG is more diverse with many core members like Akamai, Cisco, Mozilla, OVH, etc. This is what is of great importance to them:

https://letsencrypt.org/2015/10/29/phishing-and-malware.html



Currently Let's Encrypt is thoroughly abused, and also used to ‘protect’ malware. ISRG needs to clamp down on these activities or users need to be more educated on using the internet by guiding them with browser and search engine mechanics. Having Let’s Encrypt run rampant with malicious use may have ISRG's initiative severely hurdled.

Agreed 100%, hence my previous point that trust is not the job of an SSL. That's on the company to forge a reputation for itself.
 

joburgbeardcompany

Active Member
Joined
Nov 23, 2016
Messages
68
Something I came across that you can consider is setting up your website on CloudFlare CDN.

They have a free plan which comes with a free SSL certificate. So after you've set up your website on CloudFlare, you just update your domain's DNS name servers to point to CloudFlare and then they issue the certificate. Then you can change your URLs to HTTPS.

Extra features that come with it are the caching, and everything on your site is automatically minified.

Give it a bash.
 

neoprema

Honorary Master
Joined
Jan 12, 2016
Messages
10,820
CAN PEOPLE STOP RECOMMENDING LETS ENCRYPT FOR ONLINE SHOPS.

It doesn't come with any insurance (which paid certs do) and is thus totally useless for any platform that is accepting payment online.

If you're stupid, you must ***.

RANT OVER.

Saying you don't wanna use Let's Encrypt vs other providers because of EVs and site-seals is snake oil at its best.

Let's Encrypt uses an ISRG Root CA that is being pushed to browsers everywhere if not already. Up until all browsers can support it, it cross-signs certificates with an IdenTrust Root CA.

This makes it NO DIFFERENT to Thawte, Verisign, Geotrust etc.

And if you think "insurance" will stop your website being hacked, or a user's data from being compromised because they clicked accept on an invalid cert warning during a man-in-the-middle attack then you're living in a very very false sense of security.

Let me spell it out easier:

1. NO SSL insurance will pay for your hacked website or user and even if they claimed to, if it got to that you'd be wrapped up in litigation with a non-ZA company for years.
2. ANYONE can issue a paid-for Cert, the verification is, at best, to cover governance requirements at the issuers.
3. There have been compromised ROOT CAs before - Let's Encrypt was not one of them. What's your answer to that? Did your magic insurance suddenly issue you with a globally distributed Root CA??
4. SSL provides transport-layer security and verification that the target host and yourself are communicating securely with a validated chain. It does not say anything more about who you're dealing with or what the state of their back-end and web-app security is.

Making people pay for SSL certs was a money-spinner of the 90's and early 2000's. The cash cow is ending, as is seen by the cheaper, or free, certificates which provide exactly the same core security that any other SSL certificate and its Intermediary and Root CA do.

joburgbeardcompany

Active Member
Joined
Nov 23, 2016
Messages
68
I just used Rapid SSL which I bought through domains.co.za.

You can also get a free SSL certificate if you make use of the Cloudflare CDN. There's a free option which comes with an SSL certificate if you're looking for a free option.

You just need to create an account with them and then they will give you name servers which you need to point your domain name to.
 