Hey - so I tweeted that...and to be very clear, nothing in that tweet should have been implied as a yes. But since it was potentially construed as a yes, it was deleted to avoid confusion.
In the blog post, you point out that you perform additional validation for your OV certificates while the free CAs do not. But since they are equally trusted by the browsers, how does that increase security for me?
On the other key differences:
- Shorter lifetimes is actually an advantage, since it reduces the risk when your keys are compromised. Revocation is a mess, the only way you can be sure that a certificate can no longer be used is when it's expired.
- No wildcards is an advantage too, since you can give each service its own certificate and if one is compromised, the others are fine. If you're using an organization-wide wildcard cert, a compromise is much worse.
- Limited flexibility - "you must have root access to your servers" is factually incorrect; the automated Let's Encrypt client is optional and you can request a certificate manually.
- Limited support - why would I need an SLA for a certificate, anyway? The OCSP servers?
- Management difficulties - while this is true now, the automation enabled by Let's Encrypt is likely to facilitate management, not the contrary. I'm currently working on a Puppet module which will automatically provision certificates for web servers, something which used to be much harder.
- Build Trust with Purchased SSL - how do I increase trust by using an OV certificate? It's not like an average website user would look up the certificate details, and there's no functional difference between an OV and a DV certificate.
> The levels of encryption, validation, and trust that business and commerce websites require are available only with purchased SSL.
Unless you're talking about EV certificates, I don't see how. There's no "level of encryption" which isn't available with a free CA, and the additional validation and trust do not matter unless it's an EV certificate. Even an EV certificate does not protect against MitM. The real answer is key pinning.
As a Namecheap customer, I'm disappointed by this blog post. It reads like an attempt to spread FUD about free DV certificates. I initially became a customer because I read good things about your business ethics, but this makes me question my choice.
As a Namecheap customer I was very very disappointed with this post when I read it yesterday. Also, it looks like they deleted a comment on their post from someone else who was disappointed and called them out on their FUD.
Much better, but they're still arguing that somehow, non-EV certificates with identity validation are more valuable than DV certificates because users are going to look up the certificate details.
> We think that validation of a certificate’s owner is an important point that needs to be highlighted and discussed. Recent developments in SSL automation are fantastic from a technical point of view, however, consumers need to be educated on this new security paradigm and the appropriate signals to look for when making a security determination. Looking for ‘https’ and a lock in the browser bar, the traditional indicators that have been messaged as reliable, may not be so reliable anymore when it comes to the consumer definition of security.
This is laughable. It's been hard enough to get users to check for the presence of a security indicator at all. Most don't even know the difference between DV and EV, and EV certificates do have a strong visual indicator. OV certificates don't have any, except
Hell, I might not realize in time that my online banking session only has a DV certificate today instead of EV and I'm a professional.
Sure, I sometimes check which CA a particular site is using, out of curiosity. But no normal user is ever going to do that on a regular basis.
> Additionally, any time we receive a report of abusive activity and/or fraud involving a certificate, Namecheap works with CA’s to investigate the reported sites, and CA’s often take quick action to revoke site certificates as a result. This third-party revocation capability is important; it provides an additional layer of post-issuance protection.
Soo... How does that protect me as a Namecheap customer? Buying from Namecheap doesn't mean that an attacker couldn't request a Let's Encrypt certificate anyway, unless you use cert pinning and you can do that with free certificates. There are some enterprise use cases where you'd just pin the CA instead of single certs, but those only matter at scale.
Namecheap is right about OV certificates being more trustworthy than DV ones, but the thing is - it doesn't really matter.
> Additionally, given recent developments, we strongly believe that additional education is required on the correct signals for consumers to use when making a security determination; browsers must necessarily shoulder some of this responsibility,
Like.... EV certificates? C'mon, browser vendors aren't going to add another security indicator just to protect your revenue.
Yeah, their points are all pretty shaky. I've been a fan of Namecheap for a while because of their past support for a better internet, but it's extremely disappointing to see this post from them.
I guess I didn't expect them to put their profits over what's best for the web.
Thanks for posting here to clear things up. (Sometimes deleting tweets can cause more confusion than it removes.)
Does the blog post I linked to reflect the opinion of most of Namecheap, though, really? I like Namecheap and I would be disappointed if the majority of the company believed that all free CAs will be operated like Let's Encrypt.
I don't think we're making a blanket statement about "all free CAs" here. Encryption is one important aspect that free SSL providers offer; validation and trust are another that isn't offered by most.
I respect that. I hope free certs will be a boon for the EV cert industry, since businesses will need to stand out more as trusted.
Perhaps, though, you could pass it along to whomever it concerns, that the blog post reflects poorly on Namecheap. It's obviously targeting Let's Encrypt, but it uses vague phrases like "SSL certs from free providers" that _do_ come across as blanket statements.
That could mean a few things, but either way, things are looking good for site owners.