Let's Encrypt Now In Public Beta: Anyone Can Get Free HTTPS Certificates

engine

10:43 am on Dec 4, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

According to the latest news from Let's Encrypt, the foundation providing a free, automated and open certificate, it's now in public beta, which means anyone can now get a certificate at no cost.

Let's Encrypt is from the Internet Security Research Group (ISRG), which is a California public benefit corporation, supported by a number of organisations, whose members include Mozilla, Electronic Frontier Foundation, Cisco, Akamai, and others, along with new member, Facebook.

[letsencrypt.org...]

Shepherd

11:24 am on Dec 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

I love the concept, not sure about open source security but it should be a good thing.

Sadly, when I look at their site all I see is a $10k do-follow link opportunity....

engine

11:30 am on Dec 4, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

Here's the technical page, for those that want it [letsencrypt.org...]

IanKelley

6:34 am on Dec 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Wow... Free certificates are nothing new but their FAQ claims that their certificates are trusted by everything but Windows XP! If that's true this is a huge step forward.

motorhaven

9:59 pm on Dec 5, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month

Sounds like a good step forward. I'll take open source security over closed any day. Open source can be independently audited by many parties, and my level of trust that it wouldn't have government back doors is higher.

nakkers

1:25 am on Dec 6, 2015 (gmt 0)

Is there any downside to this or should we all stop using those paid certificates?

IanKelley

1:46 am on Dec 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

In terms of session security there is essentially no difference. There are differences in how some of the more expensive certs verify domain ownership and there is insurance that comes with some of them.

The only real downside to free certificates is browser trust. None of the free certs are trusted by all major browsers which makes them useless for public applications.

If these certificates are indeed trusted then I see no reason for most websites to continue using paid certificates.

IanCP

9:23 pm on Dec 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Why do I cynically think that all these "free" certificates will have a limited "used by" life?

In the not too distant future - when all those thousands of new users have come on board:

"Oh your certificate is soon due for renewal, unfortunately rising costs have now forced us to impose a "renewal fee" of $XXXXX"

Nah! I'm just a cynic.

IanKelley

9:32 pm on Dec 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Yep you are :-) Renewing a certificate is the same process as replacing it with a different one so it's not as if a user is locked in to a specific provider.

ogletree

11:38 pm on Dec 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

XP is still a big install base. I read XP is almost 17% of all computers.

3zero

1:52 am on Dec 7, 2015 (gmt 0)

Good way to get them to upgrade though.

Brett_Tabke

12:09 pm on Dec 7, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month Best Post Of The Month

I often wonder if the https push is all about advertising. Remember when some ad firms (like Google) were getting some of their AdSense ads poached/replaced by ISPs a few years ago? Suddenly Google and a bunch of other ad firms got the religion on https (which makes it very difficult for Time Warner/Comcast and the usual suspects to tamper with Google searches between Google and the end user).

graeme_p

12:33 pm on Dec 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

XP is down to below 8% and falling: [gs.statcounter.com...] and unsupported on XP usually means unsupported by IE on XP. Anyone still using IE on XP must have a thoroughly cracked system.

I am happy to try Let's Encrypt at this stage: next time I need SSL for a non-critical site I will try it.

@Brett, it probably is, but it's still a good thing.

bird

12:35 pm on Dec 10, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

"Remember when some ad firms (like Google) were getting some of their AdSense ads poached/replaced by ISP's a few years ago?"
I don't really care about Google's motivation here, as long as it means that the delivered content can't be tampered with, and the visitors are harder to track for third parties.

Now if all that was a bit easier to implement on a shared hosting plan...

incrediBILL

5:24 pm on Dec 11, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

While free SSL, assuming it's trustworthy, is a good thing so we can completely secure the web, there's also a dark side to this that I don't think anyone was anticipating. I fear the hackers, phishers, spammers and other vermin will find something bad to do with these free certs that will blow our minds. Previously SSL had to be verified so anyone needing an SSL connection on the down low had to hack an SSL site, assuming they could find a way in, and then use a folder on that site to do their dirty deeds, like a secure man-in-the-middle attack, phishing schemes, etc. Now they can just set up SSL shop on any abandoned domain they've infiltrated and have a field day.

Imagine what would happen if some nefarious person infiltrated a domain park and had full access to literally tens of thousands, if not millions, of domains and could make them all secure as well?

I don't even want to think about it.

How hard is it for any jerk to set up SSL on any domain you might ask?
To kick off the process, the agent asks the Let’s Encrypt CA what it needs to do in order to prove that it controls example.com. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

Provisioning a DNS record under example.com, or
Provisioning an HTTP resource under a well-known URI on https://example.com/

[letsencrypt.org...]

Requiring the DNS record is good; that would stop most hackers unless they had access to your registrar account as well, which is usually not the case. However, the HTTP resource can be easily created once you have access to the server, so VOILA! let the good times roll.

Hopefully I'm wrong and this won't make life easier for the bad guys but my gut tells me they've already figured out new scams using this free SSL service and it's going to be a wild trip now that the only thing stopping them from looking legit, a paid for validated SSL cert, is no longer trustworthy.

Nicely done.

Not.
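The two challenge types quoted in the post above, as an added example that is not from the thread or from Let's Encrypt's own code: it computes the key authorization an ACME account holder must publish (RFC 8555, using the RFC 7638 JWK thumbprint) and performs the CA-side comparison for both the HTTP resource and the DNS record. The JWK and token are constructed placeholders, and `fetch` is a hypothetical stand-in for the CA's HTTP GET so the check runs offline.

```python
import base64
import hashlib
import json

# Constructed placeholders: not a real key, not a real token issued by any CA.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-base64url-placeholder"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWK use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The value tied to one account key: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_url(domain: str, token: str) -> str:
    """Well-known path the CA fetches for the HTTP challenge (plain http, port 80)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_record_value(token: str, jwk: dict) -> str:
    """TXT value expected at _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def validate_http01(domain: str, token: str, jwk: dict, fetch) -> bool:
    """CA-side check: whoever can write this exact body under the web root passes.
    `fetch` is a hypothetical callable url -> body or None (stands in for HTTP GET)."""
    body = fetch(http01_url(domain, token))
    return body is not None and body.strip() == key_authorization(token, jwk)


def validate_dns01(domain: str, token: str, jwk: dict, txt_records: dict) -> bool:
    """CA-side check against TXT records; passing this needs control of the zone, not the web root."""
    expected = dns01_record_value(token, jwk)
    return expected in txt_records.get(f"_acme-challenge.{domain}", [])


def fake_fetch(served: dict):
    """Constructed in-memory web root keyed by URL, so the example runs offline."""
    return lambda url: served.get(url)
```

Note that the HTTP check compares only the served body with a value derived from the account key, which is exactly why write access to the web root is enough to pass it, while the DNS check needs a record in the zone.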

IanKelley

5:46 pm on Dec 11, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Scammers will no doubt use it. But it should be noted that many paid certs use the same verification.

incrediBILL

7:40 pm on Jan 1, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Well, what I said was going to come true already has, in part: this was that when Google told everyone to start switching to HTTP, they would start ranking HTTPS over all others. Back when HTTPS was more of a signal of quality and security, that was a good thing as it could easily weed out all the non-HTTPS crap out there.

Now that we have these free SSL certs the HTTPS signal is 100% meaningless.

1 step forward, 2 steps back.

IanCP

6:26 am on Jan 2, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Amen

Dymero

11:43 pm on Jan 6, 2016 (gmt 0)

10+ Year Member

Having an SSL certificate is not going to stop someone from hacking your server/guessing your password and putting in nefarious content on your pages. It's mostly to stop man-in-the-middle attacks/ad insertions and anyone who might be sniffing in on the connection between computer and website server.

As for a ranking boost, AFAIK it was only ever a minor factor and mostly good under a "when all else is equal" decision.

bill

2:01 am on Jan 10, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

I don't really care about the ranking aspect. Having all sites move toward an encrypted standard will cut out a lot of signals that can be picked up over the ether. I wouldn't write off the benefits of thwarting ad/malware/content insertion so lightly.

You still need a paid cert to achieve the desired green lock on most browsers, so there are still levels of certification that will show enhanced quality if that's an issue for the SEs.