Thanks to the Let's Encrypt project, which promises to soon allow everyone to get a free Domain Validation (DV) certificate to secure their sites with HTTPS encryption, other major Certificate Authorities could soon start offering their DV certificates for free as well.
When the non-profit group formed by Mozilla, EFF, Cisco, Akamai and others decided to create the automated Let's Encrypt service, many saw this as an imminent commoditization of the Certificate Authority business model.
Currently, the CAs are making money from selling certificates to website owners, so when a service such as Let's Encrypt comes out that promises free certificates, that model isn't going to work for much longer. There are some CAs such as StartCom that offer free certificates, but only to some companies, and they charge for renewals. There are no such limitations with Let's Encrypt.
There are two types of certificates: Domain Validation and Extended Validation (EV) certificates. EV certificates cost much more than DV certificates because some manual work of verifying the companies is necessary. This is not something Let's Encrypt's automated tool will be able to do, which is why it's limited to DV certificates only.
Because Certificate Authorities still have the much more expensive option, and because they offer other paid security solutions as well, they can afford to turn their business model from fully paid services to "freemium" services. Now, CAs can essentially offer the most basic certificate for free, as a loss leader, while still being able to upsell customers to paid services.
According to CertSimple, which is a provider of EV certificates, at least two major certificate authorities have confirmed that they will start offering DV certificates for free soon, and more should follow after that.
One thing that may be missing from these major certificate authorities is trust. Recently, Google gave Symantec an ultimatum to get its internal security in order after finding out that thousands of certificates were issued that shouldn't have been issued at all, seemingly without Symantec even being aware of it.
The certificate business is all about trusting the provider of that certificate, and developers may have more trust in organizations such as Mozilla and EFF, which doesn't bode well for companies such as Symantec. These larger CAs could also adopt Certificate Transparency, to make publicly available all of their certificate logs for better accountability. Symantec will be forced to do it by summer next year or risk getting kicked out of Chrome, anyway, but it would be good to see other CAs support Certificate Transparency as well.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.
For my own websites for personal use I just generate my own SSL certs with the info the way I wanted. Granted I'll get that nice error via the browser but it's still secure.
However, it also allows them to verify your ownership of the domain; basically the program can do several things to your site that Let's Encrypt can then check, such as creating a file with a random name that they can look for at domain.tld/random_file.html.
This should be sufficient verification for free certificates, as an attacker would need to point your DNS records to their own malicious server, or gain access to your server and tamper with it, but these are things that a certificate wouldn't necessarily protect against anyway.
The point of extended validation certificates is to verify that there is someone legally responsible for the domain, so if money is lost or whatever you have someone to pursue legal action against, or report to trading standards etc.
The way something is programmed can bias it to work better with either AMDATI or Nvidia.