The handling of this has been quite terrible. The article is the first "good" communication about an event that started 7 hours prior. And according to the communication will take another 4 days to solve completely.
Before this, the Technical Solutions Director tweeted solutions that did not work for end users, but highlighted a typical IT centric approach to problem resolution ("Works, What's the problem?") [1]
For anyone not already aware, check out Let's Encrypt. I am evaluating it for about 200 domains now in earnest after having it on my horizon for some time. At least to have it ready as a fallback. [2]
Getting 200 EV certificates in a hurry from a different CA has been costly this morning.
I've been on HN for nearly as long as pg has so feel free to give me a shout here if you have any questions. It's past midnight in the UK right now so I'll answer them tomorrow morning. If you prefer email: mike@certsimple.
Tried it out for the heck of it. Unfortunately Dun & Bradstreet has old address information for my company and their account creation system is broken (error 'CEPDEV101' when creating an account). So the "3 hour" validation will take a lot longer, through no fault of CertSimple's.
Thanks bakavic. Our UI is currently built for desktop since most of our customers are coming from desktops - there's some data entry and we use things like webcrypto and HTML5 clipboard that may not be available on mobile platforms. We're going to improve the mobile experience in future but have other higher priority items (like better DBA support!) on our roadmap first.
That is a good point. I guess the move to Let's Encrypt is a change in mindset completely. Away from Marketing snake-oil to a simple solution to a technical issue.
EV certificates do not add additional security as far as I am aware, it's simply a measure of extended validation of the customer, which in my experience is only fluff.
So going with Let's Encrypt may as well do the full cycle and sell this free solution to non-technical people who believe EV provides additional value.
> EV certificates do not add additional security as far as I am aware, it's simply a measure of extended validation of the customer,
Correct.
> ...which in my experience is only fluff.
Depends on what you want to accomplish. If you just care about getting to SOME website with a secure connection than a DV certificate is all you need.
But take my employer: Capital One. We're a bank. When people go to https://www.capitalone.com it is important that they get our website. ALSO, though, it is important that when people go to https://www.capitalοne.com that they do NOT get some malicious website. (Can't see the difference? What glyph did I use for the letter "o"?) This is just one example of how an EV certificates can be useful for certain purposes, although it may not apply to your business.
Before this, the Technical Solutions Director tweeted solutions that did not work for end users, but highlighted a typical IT centric approach to problem resolution ("Works, What's the problem?") [1]
For anyone not already aware, check out Let's Encrypt. I am evaluating it for about 200 domains now in earnest after having it on my horizon for some time. At least to have it ready as a fallback. [2]
Getting 200 EV certificates in a hurry from a different CA has been costly this morning.
[1] - https://twitter.com/vanbroup/status/786548172864626690 [2] - https://letsencrypt.org/