OMG LOL SSL FUD

Bad enough when some scrappy little startup comes to town and disrupts your profit margins into oblivion. Even worse–to any right-thinking capitalist–when a motley crew of idealistic do-gooders sneaks into your barn and sets one of your cash cows free. But what can companies do when faced with this sad and eternal truth: why buy your cow when they can get its SSL certificates for free?

Well, if you’re a domain registrar like Namecheap or GoDaddy, you fight back with the only weapon you’ve got: spraying fear, uncertainty and doubt like a skunk under attack. I’m normally a big fan of Namecheap, the registrar of record for a dozen domains I own. It’s sad to see them stoop to such lows. (Needless to say I expected nothing better of GoDaddy.)

(ETA: seems I spoke too soon / was too dismissive of GoDaddy – seems that after I wrote this piece, but before it was published, they saw the light and took down their anti-free-SSL piece. Here’s an archive.org snapshot of it in case you’re curious.)

The curare in their coffee of late is Let’s Encrypt, a new certificate authority founded by Mozilla and the EFF (among others), which offers SSL[1] certificates for free, as in beer. (SSL[1] certificates make it possible for server-browser communications to be encrypted. Those signed or cross-signed by the Certificate Authorities built into your browser also prevent Man-in-the-Middle attacks, and, more importantly, are accepted automatically, without the browser showing a warning and asking the user to accept them.)

Let’s Encrypt launched their public beta just this month. It’s early days yet: their certificates need to be renewed every 90 days, don’t support wildcard domains, require some command-line skills, etc. But still. These certs are free. Which may explain why they’ve already issued 100,000 of them. The result?

Suddenly, Namecheap and GoDaddy have decided that the real value they provide is verifying that the people who buy their SSL certificates are who they say they are. Namecheap argues that

there’s a big difference between encryption and security … the true value in Paid SSL security arises from knowing that the owner of the cert is who they say they are, not simply that they have control of the domain they applied with … any site that gathers customer data requiring protection and trust should, as a matter of course, use OV or EV SSL from known and trusted CAs. The levels of encryption, validation, and trust that business and commerce websites require to provide security in the consumer sense, not only encryption, are delivered via these validated products.

I’m sorry, Namecheap, but this is insulting nonsense. (And this is the revised version of their post, edited after “valuable feedback from the netsec community”; here’s the original.) Some of it, e.g. the phrase “the levels of encryption,” is flatly factually wrong: the strength of the encryption is set by the key size and the cipher suite the server and browser negotiate, not by how thoroughly the certificate’s owner was vetted. (Even GoDaddy gets that right.)

Even if there are a meaningful number of users out there who think that the little lock in their browser means the site on the other end has been carefully validated as safe and trustworthy by a reliable team of experts, this is not a delusion that should be perpetuated. Credit-card details and a few API calls do not verify trustworthiness.
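The two practical differences the post has mentioned so far, that Let’s Encrypt certificates last 90 days and cover no wildcards, and that a domain-validated certificate asserts nothing beyond control of the domain, are both visible in the certificate itself. The following script is an added example, not code from the post or from Let’s Encrypt: it takes a certificate in the dict form Python’s `ssl.SSLSocket.getpeercert()` returns, reports whether the subject names an organisation (OV) or only the host (DV), computes the validity period and days left to renewal, and checks hostname coverage including one-label wildcards. The two sample certificates, their hostnames, organisation and issuer names are constructed placeholders; `fetch_cert` is a hypothetical helper for reading a live host and is not exercised offline.

```python
"""Inspect a certificate in the form ssl.SSLSocket.getpeercert() returns.

Added example for this post, not code from the post or from Let's Encrypt.
Standard library only.  The two sample certificates below are constructed
(placeholder hostnames, organisation and issuer), shaped like getpeercert()
output for a domain-validated (DV) and an organisation-validated (OV) cert.
"""
import socket
import ssl
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400
# Fixed "current time" so the expiry arithmetic below is reproducible.
SAMPLE_NOW = datetime(2015, 12, 1, tzinfo=timezone.utc)

# Constructed sample: a DV certificate.  The subject names only the host,
# because the CA verified nothing beyond control of the domain.  Lifetime
# is 90 days, as with Let's Encrypt.
DV_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "issuer": ((("organizationName", "Placeholder Free CA"),),),
    "subjectAltName": (("DNS", "shop.example.net"), ("DNS", "www.shop.example.net")),
    "notBefore": "Sep 22 00:00:00 2015 GMT",
    "notAfter": "Dec 21 00:00:00 2015 GMT",
}

# Constructed sample: an OV certificate.  The subject also carries the
# organisation the CA claims to have checked, and it is a wildcard cert.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Placeholder Shop Inc"),),
        (("commonName", "*.example.net"),),
    ),
    "issuer": ((("organizationName", "Placeholder Paid CA"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("DNS", "example.net")),
    "notBefore": "Dec 01 00:00:00 2015 GMT",
    "notAfter": "Dec 01 00:00:00 2016 GMT",
}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert):
    """Infer what the CA validated from what the subject asserts.

    DV certs carry only the domain; OV certs also name an organisation.
    EV is signalled by a certificate-policy OID that getpeercert() does not
    expose, so an EV cert is reported here as OV.
    """
    if subject_fields(cert).get("organizationName"):
        return "OV"
    return "DV"


def lifetime_days(cert):
    """Validity period in whole days (notBefore to notAfter)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((end - start) // SECONDS_PER_DAY)


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; short-lived certs need renewal monitoring."""
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((end - now_ts) // SECONDS_PER_DAY)


def covers_hostname(cert, hostname):
    """True if hostname matches a DNS subjectAltName, exactly or via a one-label wildcard."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            # '*' stands for exactly one label, so the label counts must agree
            if host.split(".", 1)[1] == pattern[2:] and host.count(".") == pattern.count("."):
                return True
    return False


def fetch_cert(hostname, port=443):
    """Hypothetical helper: fetch a live host's cert and negotiated cipher.

    The cipher is returned alongside the cert because the cipher suite is
    negotiated independently of whether the cert was DV, OV or EV.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.cipher()


if __name__ == "__main__":
    for label, cert in (("DV sample", DV_CERT), ("OV sample", OV_CERT)):
        print(label, validation_level(cert), lifetime_days(cert), "day lifetime,",
              days_until_expiry(cert, SAMPLE_NOW), "days left")
```

Run as-is it reports the DV sample as a 90-day certificate with 20 days left on the fixed sample date and the OV sample as a 366-day wildcard certificate. A real deployment would call `fetch_cert` on its own hosts and alert on `days_until_expiry` falling below the renewal window; note that nothing in either certificate, beyond the organisation string the CA chose to include, says anything about how trustworthy the site is.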

What’s more, any web provider who shops around can and will eventually find another SSL provider who will sell them a certificate. Even if they somehow don’t, they can simply host their site as a subdomain of a vastly larger provider, such as Heroku or Google App Engine, who provide SSL for all of their clients for free. (Or, as Chad Kreimendahl points out in the comments, just put it behind CloudFlare’s SSL.)

(It’s true that the entire X.509 Certificate Authority system is basically a fundamentally broken can of Lovecraftian worms that needs to be replaced with something better. But right now it’s pretty much all we’ve got.)

Let’s Encrypt already checks with the Google Safe Browsing API, and doesn’t issue certificates for sites flagged there. That’s more than good enough. The Internet is moving towards ubiquitous encryption everywhere, as it should, and attempts to pretend that reliable organizational validation can and should be performed at the certificate level, that there are “premium” and “cheap” levels of SSL/TLS, or that e-commerce sites should only be encouraged (or even allowed) to secure themselves with overpriced paid certificates, are at best counterproductive and at worst actually evil. For shame.


[1] Well, TLS, really, ish, though I think SSL is stuck in the collective lexicon for now.