As Let's Encrypt Public Launch Approaches, More CAs Consider Offering Free DV Certificates

Thanks to the Let's Encrypt project, which promises to soon allow everyone to get a free Domain Validation (DV) certificate to secure their sites with HTTPS encryption, other major Certificate Authorities could soon start offering their DV certificates for free as well.

When the non-profit group formed by Mozilla, EFF, Cisco, Akamai and others decided to create the automated Let's Encrypt service, many saw this as an imminent commoditization of the Certificate Authority business model.

Currently, the CAs are making money from selling certificates to website owners, so when a service such as Let's Encrypt comes out that promises free certificates, that model isn't going to work for much longer. There are some CAs such as StartCom that offer free certificates, but only to some companies, and they charge for renewals. There are no such limitations with Let's Encrypt.

There are two types of certificates: Domain Validation (DV) and Extended Validation (EV) certificates. EV certificates cost much more than DV certificates because verifying the requesting organization requires manual work. This is not something Let's Encrypt's automated tool will be able to do, which is why it is limited to DV certificates only.

Because Certificate Authorities still have the much more expensive option, and because they offer other paid security solutions as well, they can afford to turn their business model from fully paid services to "freemium" services. Now, CAs can essentially offer the most basic certificate for free, as a loss leader, while still being able to upsell customers to paid services.

According to CertSimple, which is a provider of EV certificates, at least two major certificate authorities have confirmed that they will start offering DV certificates for free soon, and more should follow after that.

One thing that may be missing from these major certificate authorities is trust. Recently, Google gave Symantec an ultimatum to get its internal security in order after finding out that thousands of certificates were issued that shouldn't have been issued at all, seemingly without Symantec even being aware of it.

The certificate business is all about trusting the provider of that certificate, and developers may have more trust in organizations such as Mozilla and the EFF, which doesn't bode well for companies such as Symantec. These larger CAs could also adopt Certificate Transparency and publish logs of all the certificates they issue, for better accountability. Symantec will be forced to do it by summer next year or risk getting kicked out of Chrome anyway, but it would be good to see other CAs support Certificate Transparency as well.

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.


Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • vern72
    Too bad Thawte is gone. I had a free certificate through their "Web of Trust".
  • Darkk
    While it's a noble idea, giving out free certs may give hackers an easy way to exploit it. I'd be happy to pay $5 for a basic SSL cert knowing that it went through some kind of verification process via credit card.

    For my own websites for personal use I just generate my own SSL certs with the info the way I wanted. Granted I'll get that nice error via the browser but it's still secure.
  • Haravikk
    While it's a noble idea, giving out free certs may give hackers an easy way to exploit it. I'd be happy to pay $5 for a basic SSL cert knowing that it went through some kind of verification process via credit card.
    Let's Encrypt works through installing a tool onto your web server (or having your hosting provider do it for you); the main reason for this is automatic renewal of certificates (as they only issue 90-day ones).

    However, it also allows them to verify your ownership of the domain; basically the program can do several things to your site that Let's Encrypt can then check, such as creating a file with a random name that they can look for at domain.tld/random_file.html.

    This should be sufficient verification for free certificates, as an attacker would need to point your DNS records to their own malicious server, or gain access to your server and tamper with it, but these are things that a certificate wouldn't necessarily protect against anyway.

    The point of extended validation certificates is to verify that there is someone legally responsible for the domain, so if money is lost or whatever you have someone to pursue legal action against, or report to trading standards etc.
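The random-file check described in the comment above, written out as a small simulation. This is added example code, not Let's Encrypt's client or the ACME protocol itself (real HTTP-01 also binds the response to the requester's account key, which is omitted here); the in-memory `WEB` dict, the `/.well-known/validation/` path and the hostname `example.test` are constructed stand-ins so the code runs offline.

```python
"""Simplified HTTP-based domain-control validation.

The CA mints a random, unguessable token; the site operator's agent
publishes it at a well-known path on the domain; the CA fetches that path
and compares. Issuance is refused when the file is missing or the body
does not match, so an attacker without control of the web root (or of
DNS) cannot answer the challenge.
"""
import hmac
import secrets

# Constructed stand-in for the public web: hostname -> {path: body}.
# Assumption: in a real CA the fetch goes over port 80 to the hostname's
# resolved address; here a dictionary lookup plays that role.
WEB = {}


def publish(hostname, path, body):
    """Agent side: make `body` available at hostname/path."""
    WEB.setdefault(hostname, {})[path] = body


def http_get(hostname, path):
    """CA side fetch; returns the body or None for a 404."""
    return WEB.get(hostname, {}).get(path)


class Challenge:
    """One outstanding validation challenge for one domain."""

    def __init__(self, domain):
        self.domain = domain
        # 128 bits from the OS CSPRNG: the token cannot be guessed and
        # pre-published by someone who does not control the server.
        self.token = secrets.token_urlsafe(16)
        self.path = f"/.well-known/validation/{self.token}"


def issue_challenge(domain):
    return Challenge(domain)


def agent_respond(challenge, hostname):
    """Site operator's agent publishes the token on the server it controls."""
    publish(hostname, challenge.path, challenge.token)


def validate(challenge):
    """CA side: fetch the token from the domain and compare it."""
    body = http_get(challenge.domain, challenge.path)
    if body is None:
        return False  # nothing served at the path: control not demonstrated
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(body.strip(), challenge.token)


def run_demo():
    """Returns (legit, stale, missing): only the honest response passes."""
    # Honest operator answers the challenge on the server they control.
    ch = issue_challenge("example.test")
    agent_respond(ch, "example.test")
    legit = validate(ch)

    # A fresh challenge answered with a token from an earlier one fails:
    # every challenge carries its own random token.
    ch2 = issue_challenge("example.test")
    publish("example.test", ch2.path, ch.token)
    stale = validate(ch2)

    # A challenge that nobody answers fails with a 404.
    ch3 = issue_challenge("example.test")
    missing = validate(ch3)
    return legit, stale, missing


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

The point the comment makes is visible in `run_demo`: the check proves control of the web root at the moment of validation and nothing more, which is exactly the scope of a DV certificate.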
  • randomizer
    For my own websites for personal use I just generate my own SSL certs with the info the way I wanted. Granted I'll get that nice error via the browser but it's still secure.
    Yep, it provides exactly the same security as any other certificate. The only difference is that your certificate has not been rubber stamped by a member of the oligarchy and browsers don't like certificates that are not part of the Web of Blind Faith.
  • IndignantSkeptic
    Wow... I know the GTX470 is an old card by now, but I'm shocked that it's in the same very-low-performance tier as the r7 240. Tom's own GPU Hierarchy Chart has the GTX470 matched up with the r7 260X and the r7 240 matched up against the ancient 8800gs. The whole thing is as confusing as the games that suggest a r9 290 for the same performance tier as a gtx460.

    The way something is programmed can bias it to work better with either AMD/ATI or Nvidia.