a companion discussion area for blog.codinghorror.com

Let's Encrypt Everything


You can proclaim the “right” to privacy as loudly as you want, but no one behind one of the great firewalls will hear you if your HTTPS-only site is summarily blocked. You are not giving these people privacy, you are taking away their access to information.

And there are also large parts of the earth that do not enjoy to the low latency links that we righteous protocol dictators take for granted. HTTPS (and /2) kill local caches and force EVERY page to be re-transmitted to the individual browser rather than served locally. A primary school student sitting at the other end of a 128Kbps down-link in sub-Saharan Africa does not care that the Wikipedia article that she is trying to pull up would have been encrypted for her safety… because she never sees it. Her school bandwidth allotment was exhausted hours ago by the previous 25 students who pulled up redundantly-downloaded copies of that same article earlier that day.

If you care about offering privacy to the people who actually want it, why not give people a choice between HTTP and HTTPS and let users pick which way they want to (or must) access your site? Be careful anytime you find yourself by restricting other peoples’ choices based on your beliefs - especially other people you’ve never met who live in situations very different than yours.



Hmm. That’s an odd thing to know and track. I don’t remember that being on my protonmail app, so how would they know?

Otherwise, what’s the goal of an assertion like that if it’s completely unfounded?


The sub-Saharan school can run its own caching MITM and have student machines trust that particular MITM’s CA.


Uh, guys, HTTPS not caching is a zombie assertion from the 90’s, maybe early 00’s. This is 2016 now, stop resurrecting long-dead myths.

Browsers all cache HTTPS unless the HTTP Cache-Control: no-cache header is set, or Expires is set to prevent caching, precisely because browser vendors realized that HTTPS is about preventing MITM attacks, not local exploit attacks, long ago. You can try it for yourself; access a few HTTPS sites and check your cache.

Now that the web is galloping toward encryption, the need to remember old lessons is reinforced, and no one is going to cripple mobile and third-world users just to prove an unnecessary point.


The browser does cache HTTPS content locally on the machine, but this does not help with repeat pageloads across a bunch of machines (and now casual phones over wifi) connected to a caching proxy server at the end of a slow link, which is the typical case.


Hmmmm… This is an odd suggestion considering the claimed goal of adding HTTPS in the first place was to increase users’ privacy and security. By adding a locally trusted CA, you make it so that every page that passes though the cache (including HTTPS) can be intercepted, inspected, and modified.

“We have decided that it is very important that every page you load be protected, so we are making it so that none of your pages are protected!”.

Things get complicated when you start forcing your choices on others…


There is a big difference: Trump does not behave rationally. Who knows what he will do. Temperamentally, he is all over the map, known to harbor deep grudges over insignificant things. He is already engaging in nepotism and cronyism as the president elect. Trump is the least trustworthy president to be elected in the last hundred years, barring perhaps Nixon. I have no problem with Republican vs. Democrat, frankly I couldn’t care less – but leadership qualities matter, and Trump has only negative qualities in that department in my opinion. cc @jbinaz

I beleve their FAQs cover this but the logic is that the automation is the important part whether the certs are valid for a year or 90 days and I agree.

It is up to you how much you want to donate and how often, unlike a pay service. Use your imagination.

Just search for it. The info is out there: https://letsencrypt.org/2016/09/20/what-it-costs-to-run-lets-encrypt.html


Exhibit A: Your ISP is Not Your Friend

On the modern Internet, ISPs themselves are one of your threats (both your ISP and other people’s ISPs). ISPs routinely monitor traffic, intercept traffic, modify traffic on the fly both for outgoing requests (eg) and for incoming replies from web servers (‘helpfully’ injecting hostile JavaScript and HTML into pages is now commonplace), and do other malfeasance. To a certain extent this is more common on mobile Internet than on good old fashioned fixed Internet, but this is not particularly reassuring; an increasing amount of traffic is from mobile devices, and ISPs are or will be adding this sort of stuff to fixed Internet as well because it makes them more money and they like cash.


There is always a tradeoff between security and convenience. If you’re in an Internet desert, such as sub-Saharan Africa, privacy from the ISP may be one of the things you need to sacrifice in order to make repeated retrievals of static resources usably efficient.

Yet this sacrifice loses less privacy overall than going all the way back to cleartext HTTP. As I wrote above in reply to @JimBirch, three people being able to see the communication (the sender, the recipient, and a caching proxy run by an organization that the recipient has chosen to trust) are a lot fewer than every router on the path being able to see it, which is true of cleartext HTTP.

You mentioned “forcing your choices on others”. ISPs in countries in sub-Saharan Africa have already forced their choices on you by charging subscribers in those countries far more than ISPs in other countries charge for a usably fast link.


I used to go to google.com as a ping server when connecting to WiFi in a public place like an airport.
Now I use wsj.com because going to google.com will be intercepted and navigation canceled since google.com is now HTTPS.
We should be fine with universal HTTPS as long as some known website is there that will redirect us to airport wifi License Agreement page.
Or change the technology in public WiFi to handle HTTPS redirection.


I think HTTPS is not secure enough. There are a lot fake SSL certificates.


Can you cite any sources for “lot of fake certificates”? I believe any cert authority that pulls shenanigans has their certificates globally revoked…


When I discussed this elsewhere, someone else provided a few more examples where a caching proxy might not solve a primary school’s bandwidth woes.

  • Your Wikipedia example assumes that all students will be viewing the same articles, as opposed to following hyperlinks to cited sources or to other Wikipedia articles. If you want to save bandwidth by setting up what amounts to a CDN, do so explicitly. Download each article and its resources, and serve them from a mirror on the LAN.
  • What if that primary school student is researching something politically sensitive, such as reproductive health? Or her sexuality? Also that’s the age of formative development. What if she believes she might be transsexual and is trying to learn?

And lack of caching is nowhere near the biggest danger on a 128 kbps capped link.

  • A student accidentally left a tab open and the AJAX script constantly refreshing some widget ate up all the data.
  • Or the student couldn’t learn because the pictures didn’t load when the lazy-loading script timed out.
  • Or an ad-supported website’s anti-adblock script disables access to an article because the user failed to load several megabytes of advertisements along with a 2000-word article.


So, I don’t mean to be antagonistic, but why would I spend $99 (after the first 15 free scans) to get a report from your app that I can get for free all day over at SSL Labs?


I guess I’m an amateur when it comes to this, but I just have to ask: what about CAcert?

I came across it a while ago for a different reason, and found out that they too issue free certificates, provided you prove your control of the domain. I know that the reason nobody uses it is obvious; they don’t have their root certificate in any major browser yet. However, if everyone just ignores the free CAs that don’t have their certificate installed, then won’t everyone who wants free certificates be forced to use LetsEncrypt?

It seems odd that, in response to big, corporate CAs, we’re going to use one singular free CA. It guess it frustrates me a little that if I want a free (usable) certificate, I have no choice on where to get it. Anyway, does anyone know why I can’t seem to find very many people advocating for additional free CAs?



SSLRobot does provide a few benefits compared to SSL Labs:

  • It can test servers on your local network that are not accessible on the internet, e.g. web based systems within a company

  • It can test servers before deployment to production by setting up a temporary local DNS name

  • It can test other ports apart from 443. For example, entering pop-mail.outlook.com:995 tests the SSL on the outlook POP server (grade C!)

  • The tests typically run in seconds rather than minutes


It’s nice to see all the CAs out there that will sign certificates for free. However, one thing that I have yet to see mentioned is self-signing an SSL certificate. It’s free, you do it yourself, and there are plenty of guides out there to help you do it. The only drawback is that a user who has never been to your site before will get an alert stating that the certificate is signed by an unknown CA. The users will have to install it themselves. But, if you can live with that, then by all means.


If a site presents a self-signed certificate to the browser, how would users know whether it’s safe “to install it themselves”? With only 5 percent of the population able to complete a multi-step task, I don’t expect the majority of the general public to be able to distinguish a self-signed certificate belonging to the domain’s rightful owner from a forged certificate presented by an intercepting proxy. One might try hitting the site from several different locations on the Internet to see if all paths produce the same certificate, as the Perspectives extension for Firefox does. But then that’s also what any domain-validating certificate authority does, and by the time you’re paying for a domain and hosting, you might as well get a cert from a well-known DV CA.

I just paid $15 per three years to avoid the 90-day runaround.


Well. One Issue: https://codinghorror.com is still yelling about no https support :wink:


Yeah I need to DNS redirect that to www at some point.