Last year, a customer bought a very expensive Symantec certificate for their website (that is not hosted by us).

They got the certificate and everything seemed nice. We got paid and all everything.

And yesterday, the customer called and said that their certificate has stopped working. I thought "that is strange" so I visited their site and what I saw was horrible.
The site has used and still used a Let's Encrypt certificate. The webdevs they have had not bothered to install the very expensive Symantec certificate for $1500...

Ouch

WTF! 1500 for a certificate :S what type of certificate is it?
We bought a certificate from Digicert in my previous job and cost 175$ a year, Symantec had it at 500$
What is the difference between them?

@gitpush @g-m-f

It has a Secure Seal, that will show up on google search result.

@Linux oh this explains everything thanks man

@Linux ...or it doesn't if you don't install it 😄

Hate this freakin greedy encryption mafia. 1500 bucks for something that doesnt Lift security but has benefits in search results and Browser bars is just a shame. Since they havent even noticed it was missing should be the best argument to stick to letsencrypt

@sick
LE on a big e-commerce site? Fuck that

@Linux whats the matter? The only Problem i can imagine is connection speed to the CA, but its not that bad?

@sick hmm? I don't get the point. Why is this important? The certificate the site uses will be delivered by the sites servers, not by Let's Encrypt. The only time you need LE is when you (re)new your certificate (at least every 90 days). The root cert is part of the trusted browser certs.

@ebroda well you need to validate the certificate with the CA as end User to authenticate the server you are talking to since otherwise you got an encrypted connection but might be talking to a man in the Middle. This would mean any visitor has to contact LE as well - this is the point i was talking about. But if i'm wrong its even more ok to use LE, even for larger ecommerce, isnt it?

@sick
LE does not have EV,

@SISheogorath

I would argue that the knowledge about it is growing. I myself have talked to different people about it and one older lady said that once did the "Green bar" not appear on a certain website she often

visited. The additional verification is ok, they are calling the official number registeret by the "Tax department" (skatteverket here in Sweden) and asking to be connected to the person who claimed to be the person who did the order.

I do want that smartphones should show the "green bar".

Another aspect of Free SSL/TLS certificates - IPS/IDS systems become quite useless when bad shit is sent over HTTPS, so you can only detect virus/malware/other shit when they already is in your machine.

I am still very sceptical to Google involvment in Let's Encrypt - which the CA who issues certificates used in phising attacks, malware delivery and such far more than any other CA. But when Symantec fucks up a couple of hundred - google goes apeshit.

I dont trust that at all.

Otherwhise, I do get your point.

@SISheogorath
How can IPS/IDS systems detect HTTPS traffic without doing MITM? They can't.

Also, I never do workshops. That is something the people "under" me do :P