
I am genuinely curious as to how much this will affect the cert providers' commercial business? Other than Let's Encrypt not being able to issue EV certs. Does anyone have a resource that talks about this?



I hope it hurts them enough that they stop with the shady business practices.


Decreased revenue tends to lead to even shadier business practices though.


When we moved our certs away from COMODO we received a sales call from one of them. They found the contact info for an executive here and told them that by replacing our COMODO certs with another brand, we were at "tremendous" risk for not having our websites work on the latest iPhones and iPads.

The entire call (which we ended up pulling and listening to, and then sent back to COMODO as a prime example as to why we're through with their business) was designed to have a non-technical decision maker make an impulse decision over the phone to buy thousands of dollars' worth of certificates again.

Wildcard certs from Let's Encrypt cannot come soon enough.


Fortunately (and unfortunately) everyone all the way up to the assistant vice president came from software engineering and systems engineering. So when Comodo did their little scam, the AVP called bullshit on them and told them off. (The "unfortunately" is that some of the higher-ups are technically exceptional but have low regard for people skills.)

We're on LE for 90%. There's a client (there always is...) that demands Network Solutions certs. Yet they cannot put to words why that's their need, other than stupid bullyish business practices.

We're still trying to wrap our heads around how LE plans to offer wildcards... But I digress.


Ugh, when I was a security analyst for an enterprise, I'd occasionally have Network Solutions call me and try to sell me certificates. I'd explain that it's not my decision, you've got the wrong person, how did you get this number and turns out they'd call the front desk or the help desk and say they found a security hole on our public facing websites. The security hole was that we used another company for our certs.

The real security hole was that the operators were patching through salesmen directly to the security staff without verifying who they were...


Yes, the real security hole was 'operations' not sufficiently validating credentials and being a proper gatekeeper.


> There's a client [...] that demands Network Solutions certs.

Are you billing them for the extra cert, and for the extra work that using a non-standard CA implies?


I'm not privy to billing discussions, unfortunately. I know how we get the certs; we just tell our contact that we need a long cert for X machine, and 2-3 days later it shows up in our email.

It's a pain, but we have only 14 machines we oversee, with 3-year certs on each. Nagios takes care of alerts within 60 days, so we can easily get the request in time.
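The 60-day Nagios alert window described in the comment above is easy to reproduce with a small Nagios-style plugin. The script below is an added example and is not code from the commenter or from Nagios itself: it fetches the peer certificate over a verifying TLS connection, computes the days left until the certificate's notAfter date, and exits with the standard Nagios codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The 60-day warning threshold comes from the comment; the 14-day critical threshold and the `check_tls_expiry` name are assumptions made for this example.

```python
#!/usr/bin/env python3
"""check_tls_expiry: Nagios-style TLS certificate expiry check (added example).

Usage: check_tls_expiry.py HOST [PORT] [WARN_DAYS] [CRIT_DAYS]
Defaults: port 443, warn at 60 days (from the thread), crit at 14 days (assumed).
"""
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
SECONDS_PER_DAY = 86400


def fetch_not_after(host, port=443, timeout=10):
    """Connect with a verifying TLS context and return the peer certificate's
    'notAfter' field exactly as ssl.getpeercert() supplies it,
    e.g. 'Jun  1 12:00:00 2025 GMT'. Verification failures raise ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after, now=None):
    """Whole days until not_after (a getpeercert() time string), rounded down.
    Negative once the certificate has expired. 'now' is an epoch timestamp;
    it is a parameter so the arithmetic can be tested without a live clock."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // SECONDS_PER_DAY)


def classify(days, warn=60, crit=14):
    """Map days-remaining onto a Nagios exit code and a human-readable message."""
    if days < 0:
        return CRITICAL, "certificate EXPIRED %d day(s) ago" % -days
    if days < crit:
        return CRITICAL, "certificate expires in %d day(s) (< %d)" % (days, crit)
    if days < warn:
        return WARNING, "certificate expires in %d day(s) (< %d)" % (days, warn)
    return OK, "certificate valid for %d more day(s)" % days


def main(argv):
    if len(argv) < 2:
        print("CERT UNKNOWN - usage: HOST [PORT] [WARN_DAYS] [CRIT_DAYS]")
        return UNKNOWN
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 443
    warn = int(argv[3]) if len(argv) > 3 else 60
    crit = int(argv[4]) if len(argv) > 4 else 14
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLError as exc:
        # An already-expired or otherwise untrusted chain fails verification here.
        print("CERT CRITICAL - %s:%d TLS verification failed: %s" % (host, port, exc))
        return CRITICAL
    except (OSError, socket.timeout) as exc:
        print("CERT UNKNOWN - %s:%d unreachable: %s" % (host, port, exc))
        return UNKNOWN
    code, msg = classify(days_remaining(not_after), warn, crit)
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[code]
    print("CERT %s - %s:%d %s (notAfter=%s)" % (label, host, port, msg, not_after))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

`days_remaining` takes an explicit `now` so the thresholds can be exercised against constructed dates offline; in production the default wall clock is used. A certificate that is already expired never reaches `classify`, because `create_default_context()` rejects it during the handshake, which is why that path is reported as CRITICAL rather than UNKNOWN.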


I'd listen to that :D


I don't see how it would help; once you use Let's Encrypt, no amount of not-shadiness would ever make you go back to them again.


They may still be able to warrant their fees by providing customer support for companies that need it, but I agree most people will never look back.





