[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
iang
iang at iang.org
Sat Apr 19 20:08:29 EDT 2025
On 19/04/2025 00:43, Christian Huitema wrote:
> On 4/18/2025 1:03 PM, iang via cryptography wrote:
>
>> All of this could have been bypassed if the browser/site system had
>> simply negotiated a single-site self-signed certificate. But, oh, no, we
>> can't encourage that because it will cause the chaos of ages, cute
>> puppies will die and CAs won't earn their rent.
> Isn't the "CA's rent" argument a tiny bit obsoleted by Let's Encrypt?
Simplistically, LE does that. But look a little deeper and it doesn't
change much.
Back in the day, up to the end of the 00s, the CAs controlled the patch with
millions of certs being issued per year for money. Nice business if you
can get it.
But, in around 2005 if memory serves, we figured out that the security
model was fundamentally flawed - it could never work if HTTP and HTTPS
co-existed - the browser could not successfully present the proper
security framework in any reliable fashion when the two protocols were
both in operation. (So, phishing...)
So we proposed to eliminate HTTP. All webservers go HTTPS. It probably
took at least 10 years to reach 80% (for aficionados of OODA loops).
But as the web progressed from millions of HTTPS plus 100s of millions
of HTTP sites towards 100s of millions of HTTPS, it was obviously clear
that HTTP could not be deprecated if the tiny little ordinary websites
had to also pay for certs. LE stepped into that gap - it handled the
won't-pay-for-certs bottom-feeding market, leaving the will-pay market
for the fee-charging CAs. (I was working on CAcert for much of that
time, and CAcert made the strategic blunder of becoming a high quality
CA...)
So the end effect was that LE got all the won't-pays and the commercial
CAs kept the will-pays. With a little branding and prejudice, your
serious website wouldn't be seen dead with an LE cert, so still good
money to be made in printing numbers.
In sum, for sure, this was a big effect, but not as devastating as one
would think.
iang