"Let's Encrypt is a golden example of how creating inalienable good is possible with the right approach and the right values. And while I'm excited about the work Let's Encrypt has done, I am eager to see their work continue to keep up with the growing Web; to sustain encryption for everybody at Internet scale. To do so is going to take more than me—it's going to take a community of people committed to this work. I am confident Let's Encrypt is a project that deserves all of our support, in ways both large and small." https://letsencrypt.org/2025/03/18/community-of-funders/
Ten Years of Let's Encrypt: Announcing support from Jeff Atwood

As we touched on in our first blog post highlighting ten years of Let’s Encrypt: Just as remarkable to us as the technical innovations behind proliferating TLS at scale is, so too is the sustained generosity we have benefited from throughout our first decade. With that sense of gratitude top of mind, we are proud to announce a contribution of $1,000,000 from Jeff Atwood. Jeff has been a longtime supporter of our work, beginning many years ago with Discourse providing our community forum pro bono; something Discourse still provides to this day.

@codinghorror I can only wonder if Let's Encrypt will work its way into the "consumer" level communications field to encourage encrypted e2e interpersonal communication for all.
@hawkesnest how would you want them to do that? I'm actually curious as to how they could do it. Though there is no doubt in my mind they can.
@adisonverlice no idea! The thing is, they didn't invent certificates, they made a way to easily get them and use them. I expect they would have the know-how to add encryption to interpersonal communications effectively. It was more of an aspirational thought than anything.
@hawkesnest yeah but how would they actually do that. you think they could make, say, a standard that adds alongside the public switched telephone network that encrypts calls to traffic?
@adisonverlice maybe? I'm no expert. But we've had PGP for email for some time, but the key management / signing is complicated for most people. Plug-ability is required to streamline the process.
@codinghorror Kudos! That's very kind of you to do.
@codinghorror that's amazing and such an important service
@codinghorror very cool! Your donations remind me of the pineapple fund in a great way https://en.m.wikipedia.org/wiki/Pineapple_Fund

@codinghorror @trending_bot Related, longer-term thought, in case it interests you: getting @letsencrypt to work with @opennic would put us on a path to set domain names free from the commercial system (after which we could try to get the EU to force browsers to support OpenNIC natively).

https://mastodon.ar.al/@aral/114173316981178689

#OpenNIC #LetsEncrypt #freeTheDomain #domainNames #internet #identity #decentralisation


@[email protected] @[email protected] @[email protected] You’re not wrong. But, looking ahead, we can do so much better than the commercial domain name system. Commercial domain names are a gold standard example of artificial scarcity. A domain name registrar costs next to nothing to operate. It’s tiny rows of text in a database. It could easily be free to own your own domain name – a huge part of what constitutes identity – on the Internet. In fact, a non-commercial service has been operational for 24 years. It would be trivial to regulate that browsers in the EU implement support for it and work together with, say, @[email protected] to ensure it can handle TLS. That would be an amazing addition to the commons and a future-proof way forward that we could lead on with next to no investment. #domainNames #DNS #openNic #LetsEncrypt #EU #commons #internet #freedom #ICANN


@codinghorror

i don't agree that let's encrypt is good, at least not the way google and the eff promote it and treat https as a requirement as if they were the platform vendor of the web. the great thing about the web is that there is no platform vendor.

they premise their pitch on the idea that https is always good, but for sites that predate the broad adoption of https, it's not only unlikely someone is around to adapt the site, but it might be such a big job that it's impossible.

@codinghorror

that's the problem when big companies drive the evolution of a platform. they have no concept of how it has been used, they're like the DOGE kiddies in DC, just wrecking things because they can.

more here.

https://this.how/googleAndHttp


@davew @codinghorror Let’s Encrypt is a band-aid on the broken system that is HTTPS, TLS, X.509 and CAs.

@ahltorp @codinghorror

maybe they should have taken a step back and done it right, and worked with developers for backward compatibility so the web could grow without breaking its past. the archive function of the web is super important. but google and eff didn't know that apparently, didn't care, or didn't listen.

i'm esp pissed at EFF, i gave them $5000 when they started it, and that was a lot of money for me then, but they treat me as a nobody, and didn't care they were breaking my work.

@davew @ahltorp is it dog, or is it cow? Something to ponder while using the bathroom 😉
@[email protected] @[email protected] I always thought it was both 🤷🏻‍♂️

(Isn't that Clarus the dogcow, that which says "Moof!"?)
@codinghorror @davew @ahltorp that is a great looking print. I've been meaning to order one from Susan Kare's shop, but never can make up my mind (though Clarus would be high on the list)
@codinghorror @davew @ahltorp It depends on where in the world you're looking at it. Moof!
@codinghorror @davew @ahltorp clearly a dog. A cow does not pee with its leg standing out.

@ahltorp
to be fair, of that enumerated list, it is only the "trust random CA by default" idea that is completely broken.

If you run your own private CA and remove all other CAs from your browser list, it is a very good idea and works great to only trust your approved sites!

What is broken is the idea that just because someone paid some amount of money (or if they can prove temporary control of the domain in case of LE) that it somehow means the whole world should trust them!
@davew @codinghorror

@mnalis @davew @codinghorror I get what you mean, and I agree that the CA part is the most broken, but the SSL/TLS idea of making security “transparent” is also broken.

For better-than-nothing-security it works, but any real security needs to be bound to the application layer. The whole practice of TLS offloading is a symptom of that brokenness.

@ahltorp
Could you elaborate on that why you think it is less secure?

I find "transparent" (i.e. implicit) TLS (e.g. HTTPS == HTTP over TLS on TCP/443) to be MORE secure than L7 app-layer security (e.g. SMTP STARTTLS over TCP/25), because it avoids MitM attacks that skip encryption phase.

Of course, you could forbid communication if STARTTLS was skipped for example, but then it behaves like implicit TLS with extra unhelpful step. I.e. it's useless security wise.

@davew @codinghorror

@mnalis @davew The application layer has no idea if the communication is encrypted, and even if it does, it has no idea who it is talking to. There can be any number of MitM, and there often is.

STARTTLS only delays authentication/encryption, it doesn’t automatically bind it to the application layer.

But I guess TLS is so ingrained now that proper application layer encryption is almost unknown.
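The STARTTLS downgrade that mnalis and ahltorp are arguing about above, as an added example that is not code from the thread or from any project mentioned in it. Everything runs in memory: the EHLO reply lines are constructed sample data, the "attacker" is a function that edits them the way an active man-in-the-middle on the TCP path would, and the client is a policy decision, not a real SMTP implementation.

```python
"""Added example, not code from the thread: an in-memory simulation of
STARTTLS stripping versus implicit TLS. The SMTP reply lines below are
constructed sample data, and the attacker is a function that edits them
the way an active MitM on the TCP path would."""

# Constructed 250 multiline EHLO reply from an honest server.
SERVER_EHLO = [
    "250-mail.example.test Hello client",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 HELP",
]


def _keyword(line):
    """First word after the '250-' / '250 ' prefix, upper-cased ('' if none)."""
    return (line[4:].split() or [""])[0].upper()


def parse_ehlo(lines):
    """Capability keywords from a multiline 250 reply.

    The first line carries the server's domain and greeting, not a
    capability, so it is skipped. Each remaining line is '250-' or '250 '
    followed by a keyword and optional parameters.
    """
    caps = set()
    for line in lines[1:]:
        if not line.startswith(("250-", "250 ")):
            raise ValueError(f"not a 250 reply line: {line!r}")
        caps.add(_keyword(line))
    return caps


def strip_starttls(lines):
    """Active MitM: drop the STARTTLS advertisement and re-terminate the reply.

    Only the last line may use '250 ' (end of reply); every other line uses
    '250-'. Rebuilding the separators keeps the reply well-formed even when
    STARTTLS was the final line, so the client sees nothing malformed.
    """
    kept = [line[4:] for line in lines if _keyword(line) != "STARTTLS"]
    return ["250-" + body for body in kept[:-1]] + ["250 " + kept[-1]]


def smtp_client(ehlo_reply, require_tls):
    """Decide what an SMTP client does after reading the EHLO reply.

    Returns 'tls' (would send STARTTLS), 'plaintext' (continues in the clear)
    or 'abort' (policy forbids an unencrypted session).
    """
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "tls"
    return "abort" if require_tls else "plaintext"


def implicit_tls_client(handshake_succeeds):
    """Implicit TLS (HTTPS on 443, SMTPS on 465): the first bytes on the
    socket are a TLS ClientHello, so there is no plaintext negotiation for
    an attacker to edit. The only 'downgrade' is to break the handshake,
    and the client fails closed."""
    return "tls" if handshake_succeeds else "abort"


def run_scenarios():
    """Honest vs. stripped reply, opportunistic vs. required TLS."""
    stripped = strip_starttls(SERVER_EHLO)
    return {
        ("honest", "opportunistic"): smtp_client(SERVER_EHLO, False),
        ("honest", "required"): smtp_client(SERVER_EHLO, True),
        ("stripped", "opportunistic"): smtp_client(stripped, False),
        ("stripped", "required"): smtp_client(stripped, True),
        ("implicit", "attacker breaks handshake"): implicit_tls_client(False),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario[0]:>9} / {scenario[1]:<25} -> {outcome}")
```

The interesting row is ("stripped", "opportunistic"): the client never learns that TLS was on offer and happily continues in plaintext, which is the attack mnalis describes. With require_tls set, the same stripped reply produces "abort", i.e. the client behaves exactly like the implicit-TLS case, which is mnalis's "implicit TLS with an extra step" point. In deployed SMTP the "require" switch is what MTA-STS (RFC 8461) and DANE provide; on the web the analogous fix against sslstrip is HSTS.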

@ahltorp @[email protected]

i'm far from an expert on the technology of HTTPS, but I do know this -- you have no choice but to trust Google, who makes the dominant web browser. They get all your keystrokes and text in the clear. Any encryption system requires that but only a fool would put a surveillance capital company in that role. what are the chances they abuse the privilege? your mileage may vary, but it's not a good design for that reason alone.

@davew HTTPS is much more than web browsers, though. A lot, probably most, of the API traffic in the world uses HTTP.

But you are correct, Google is a very bad company to give access to your sensitive clear text. Their incentives are clearly not aligned with the users.

@ahltorp
AFAIK, all TLS MitM that exist are either due to users trusting random CAs (e.g. your typical corporate firewall "protection"), or due to users allowing non-encrypted connections to exist (e.g. sslstrip).

TLS allows for both sides to be authenticated (although in most cases it is only server that is authenticated), and it allows passing encryption info to the app (see e.g. https://httpd.apache.org/docs/current/mod/mod_ssl.html for details)

As for APIs, they use same broken CA trust model as browsers...
@davew


@davew
how is LE &amp; EFF conflated with Google here? Let's Encrypt doesn't force you to install https support, they only provide a simple and free way to do it *should you CHOOSE to do so*.
As for legacy sites (if you want to appease Google too), it is actually quite easy to put a reverse-proxy https in front of your legacy box and thus give it "https" support. But unadmined sites that are on autopilot might die due to other problems too (e.g. security issues, defacement risks)...
@codinghorror
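The reverse-proxy setup mnalis describes above, as an added example that is not configuration from the thread or from Let's Encrypt. It is an nginx server pair that terminates TLS on 443 and keeps plain HTTP on 80, both forwarding to an untouched legacy origin. The hostname, upstream address and certificate paths are placeholders (the paths follow certbot's default layout but are an assumption for this example).

```nginx
# Added example, not from the thread. Placeholders: legacy.example.org,
# 127.0.0.1:8080 (the old box, untouched, still HTTP-only), and the
# /etc/letsencrypt/live/... paths (certbot's default layout, assumed here).

upstream legacy_origin {
    server 127.0.0.1:8080;
}

# Plain HTTP stays available: no forced redirect to 443, so old clients and
# archived http:// links keep working.
server {
    listen 80;
    listen [::]:80;
    server_name legacy.example.org;

    location / {
        proxy_pass http://legacy_origin;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# HTTPS in front of the same origin. The legacy box never sees TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name legacy.example.org;

    ssl_certificate     /etc/letsencrypt/live/legacy.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/legacy.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://legacy_origin;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Legacy apps often emit absolute http:// URLs in redirects; rewrite
        # the Location header so a redirect does not drop the visitor to HTTP.
        proxy_redirect http://legacy.example.org/ https://legacy.example.org/;
    }
}
```

Two caveats a practitioner would check. First, ACME's http-01 validation fetches /.well-known/acme-challenge/ over port 80, so the plain-HTTP server block must stay reachable from the Internet for renewals (certbot's nginx plugin inserts its own location for this). Second, proxy_redirect only fixes Location headers; absolute http:// URLs inside the HTML of the old pages will be blocked as mixed content on the https:// version, which is the "big job" davew refers to above. The X-Forwarded-Proto header is the reverse-proxy equivalent of the mod_ssl environment variables mnalis mentions: it is the only way the legacy application can tell which listener the request arrived on.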

@mnalis @codinghorror

"But unadmined sites that are on autopilot might die..."

this is the problem, where did you get the idea that the web is something for you to screw around with. we're all guests on the web and guests don't make the rules. this is so objectionable. it's like musk deciding the us doesn't need social security so we might as well give him our money.

@mnalis @codinghorror

as far as why are eff and google "conflated" because that's where eff gets their money. a pretty good source of conflation imho. you may feel differently of course.

@davew
Ummm, we are talking about #EFF as in Electronic Frontier Foundation, right? According to https://annualreport.eff.org/ less than 2% of their funds come from corporate sponsors; the vast majority comes from donations by private individuals (e.g. like you and me). Can you give the source where you've got the idea that "EFF gets their money from Google"?
@codinghorror

@davew
What? I never said (nor implied) that "web is something for me to screw with"!

Instead, my "But unadmined sites that are on autopilot might die" was a statement of statistical fact based on my sysadmin/webmaster experiences.

Just like "if you never service your car it will start getting problems and die eventually". You and I might not LIKE it, but that is how entropy seems to work in this Universe. Good luck fighting the laws of physics if you disagree with them 😉
@codinghorror

@davew
In case it wasn't clear, I was talking from webmaster perspective (or "host" if you want to use your client="guest" analogy). So, yeah, host chooses what are acceptable ways to visit their site. If they say HTTPS-only, and you refuse to use HTTPS, you just won't be able to open that site. Same if they only offer HTTP, and client insist on HTTPS.
I offer both (except on sites requiring credentials for access, which are always encrypted, for hopefully obvious reasons).
@codinghorror
@codinghorror Nice, Jeff. Thanks for your contribution.
@codinghorror how about the 6-day expiration certificates? what do you think about those?
also yes, letsencrypt is great. I have used letsencrypt and if I can ever get a new server to issue certs, will continue to do so.
@codinghorror LetsEncrypt is definitely going on the list of organizations my family will be supporting with our giving! ❤️ I really want to build more critical internet infrastructure in the image of their model. I wish we could pull a LetsEncrypt for public code hosting and package repositories.

@codinghorror

Thank you, on behalf of my servers and myself. You're a good person, and those are now rarer than they should be.

@codinghorror as long as it doesn't mean you're selling them to Atlassian...