
Selling Epik and #1 SSL CA Sectigo (formerly Comodo SSL) partner. DNEncrypt to be Intermediate CA.

Status
Not open for further replies.

INFJ (I.T. Infrastructure Engineer, Top Member)
Great news, everyone!

Yesterday, Epik entered into a 2-year operating agreement with SSL market leader Sectigo (formerly Comodo SSL) to become an intermediate certificate authority to issue SSL certificates across all brands of Epik Holdings, Inc.

This will allow all sites in the SSL lander network to be equipped with Domain Validated (DV), Extended Validated (EV) or Organization Validated (OV) certificates instead of the current LetsEncrypt certificates.

This is important because we don't know for how much longer LetsEncrypt will allow the creation of bulk SSL certificates to produce SSLs for free at will, even for organizations with lots of IPv4s as we have.

We also don't know whether major search engines will start to view LetsEncrypt certificates as being less compelling as an authority signal versus a paid cert.

More announcements coming, but for now, this gives us a 2-year window to become a full Root CA while delivering on the vision for DNEncrypt as an alternative to LetsEncrypt.

Please let me know if you have any questions.

Tin Nguyen

@Rob Monster
 
25
So how is this a bad thing? I know for your use case you'd like to be as independent as you can possibly get, but how would using Sectigo be any different? If I'm not mistaken they can be considered the market leader, so wouldn't that leave you vulnerable to the same thing? Also, they're owned by an equity firm so... don't need to explain my concerns about that.

As for rate limiting, it's even worse actually. You can use it with IPv6, so the number of IPs you can use to request certs from is 'limitless'.



Do I understand correctly that you think that Sectigo expects that people will upgrade their DV certs used for landers to EV certs later on? Or is that your projection? I think that's the only part where DNEncrypt could make a real difference: affordable/free EV certificates. Integration for Toki is cool though. I love that project.

But how is allowing anyone to generate a cert a bad thing? It's the encryption that matters, and they are audited by WebTrust just the same, following set industry standards. I wouldn't say there's no vetting or curating.

I don't buy into that article you linked. It's all what-if/then/else/or... hearsay. The same 'security issues' can be attributed to any CA.



I think this is where the real win is for you. To be clear, I'm not trying to attack you but merely engaged, as the content of the post from OP doesn't do justice to the huge accomplishment of LetsEncrypt.

Now what I'm really curious about is whether you will be looking into offering affordable/free EV certs? I think that could disrupt the market even more and be a real game changer, security-wise.

Thanks @NameDeck

Comments:

- As an intermediate CA, we are still holding keys. Sectigo holds the master signing key but we will hold the keys for the certs we issue. The engineering work for doing that very securely is in progress. The guys we have responsible for it know what they are doing.

- Decent chart here comparing DVs:

[attachment: upload_2019-11-24_10-8-56.png]


We are issuing a Commercial DV with some added overlay of vetting, i.e. where some certs don't get issued in order to earn trust. As to how many upgrade from our free DN Encrypt DV to a paid Cert, we'll see but since we have an entire value chain to upsell, the SSL is a viable point of entry.

- As for EVs, we secured wholesale pricing for EVs, and other premium certificates. We'll see what we can do there to be as competitive as possible. I am not aspiring for a race to the bottom but am comfortable with the idea of passing through savings.

- I want to explore introducing a Forever Cert, just as we have Forever domains. There will be a discussion with Sectigo about that one. A lot of people innovate around "Free" or "Unlimited" but I personally like "Forever". We did the same with cloud storage with Armored.net.

Thanks for all the awesome input!
 
4
Thanks @NameDeck

Comments:

- As an intermediate CA, we are still holding keys. Sectigo holds the master signing key but we will hold the keys for the certs we issue. The engineering work for doing that very securely is in progress. The guys we have responsible for it know what they are doing.

- Decent chart here comparing DVs:

[attachment 136928]

We are issuing a Commercial DV with some added overlay of vetting, i.e. where some certs don't get issued in order to earn trust. As to how many upgrade from our free DN Encrypt DV to a paid Cert, we'll see but since we have an entire value chain to upsell, the SSL is a viable point of entry.

- As for EVs, we secured wholesale pricing for EVs, and other premium certificates. We'll see what we can do there to be as competitive as possible. I am not aspiring for a race to the bottom but am comfortable with the idea of passing through savings.

- I want to explore introducing a Forever Cert, just as we have Forever domains. There will be a discussion with Sectigo about that one. A lot of people innovate around "Free" or "Unlimited" but I personally like "Forever". We did the same with cloud storage with Armored.net.

Thanks for all the awesome input!
Love the idea if innovating around "Forever" instead of "Free."

I can't be the only one in the world who questions intent and consequences when I see the word "Free."
 
3
If you mean CloudFlare, they still have a free plan but you share an SSL certificate with ~50 total strangers. That does not seem like a genius move to me, but to each his own.

If you mean BitMitigate, we do have free BitMitigate bundled with products like SSL landers, and cPanel hosting. It is tightly bundled in the Resilient Domain service.

The revenue model of BitMitigate is self-sustaining. If you use a free CDN/DDoS service, then you have to ask again Cui Bono? I am pretty sure you know that CloudFlare started out as "Project Honeypot".

Do a Toki search: https://toki.com/?q=cloudflare project honeypot

You find gems like this: https://www.projecthoneypot.org/about_us.php

No, I actually referred to BitMitigate. I got a mail some months(?) ago that they were dropping the free plan and I should pick a paid plan. Kinda killed it for me as a standalone service. I have some PoPs in DCs that provide quite decent DDoS protection, so I decided on a DIY alternative :)

Good info you posted on CF. For those who aren't up to speed, give it a read. I'm still using CF actually (both business account and free plan) but always use my own Certs on top for the same reason you stated.
 
1
No, I actually referred to BitMitigate. I got a mail some months(?) ago that they were dropping the free plan and I should pick a paid plan. Kinda killed it for me as a standalone service. I have some PoPs in DCs that provide quite decent DDoS protection, so I decided on a DIY alternative :)

Good info you posted on CF. For those who aren't up to speed, give it a read. I'm still using CF actually (both business account and free plan) but always use my own Certs on top for the same reason you stated.

Yup, got it. I think you might have a winning combo there. DN Encrypt + CF might be the chance to have your cake and eat it too.

As for BitMitigate, once Toki servers are all over the place, we may bring back the free CDN option. It is capital intensive to provide free CDN. Someone is paying for that.
 
2
-wrong thread-
 
0
Thanks @NameDeck

Comments:

- As an intermediate CA, we are still holding keys. Sectigo holds the master signing key but we will hold the keys for the certs we issue. The engineering work for doing that very securely is in progress. The guys we have responsible for it know what they are doing.

- Decent chart here comparing DVs:

[attachment 136928]

We are issuing a Commercial DV with some added overlay of vetting, i.e. where some certs don't get issued in order to earn trust. As to how many upgrade from our free DN Encrypt DV to a paid Cert, we'll see but since we have an entire value chain to upsell, the SSL is a viable point of entry.

- As for EVs, we secured wholesale pricing for EVs, and other premium certificates. We'll see what we can do there to be as competitive as possible. I am not aspiring for a race to the bottom but am comfortable with the idea of passing through savings.

- I want to explore introducing a Forever Cert, just as we have Forever domains. There will be a discussion with Sectigo about that one. A lot of people innovate around "Free" or "Unlimited" but I personally like "Forever". We did the same with cloud storage with Armored.net.

Thanks for all the awesome input!

Thank you for your clarification. I appreciate you taking the time to give some insight into the process and underlying vision. Very transparent, nice. Will follow this going forward as it seems like a good one-stop offering, especially for end users!

So Forever Certs... great idea. It would save a lot of people from the embarrassment of forgetting to renew/re-sign a cert before it expires :) I would suggest though to make certs valid for just a limited time and not max it out to beyond 1 year. Like you will auto-issue a new cert every 90 days, forever, without the client having to manage anything. Security-wise, long-lasting certificates are a vulnerability. Your dev/tech team is superb. They'll figure it out ;)
 
1
Yup, got it. I think you might have a winning combo there. DN Encrypt + CF might be the chance to have your cake and eat it too.

As for BitMitigate, once Toki servers are all over the place, we may bring back the free CDN option. It is capital intensive to provide free CDN. Someone is paying for that.

Definitely. Operating a well-performing CDN is extremely expensive! I read a good article on how CF was able to afford doing it but can't find it bookmarked anywhere. If I come across it I'll post it here on NP.

Thanks for the info!
 
1
When does Toki officially launch? I tried Black Friday and got 20 results for NamePros on page 1. I don't think shoppers are looking for a domain forum, so why is that there? The site is basically telling me to use DuckDuckGo. Is there still tweaking that needs to be done?

A bit off topic but will comment on Toki:

- It is live as a public beta. It is getting some steady improvements.

- You can set and save your search preferences here: https://toki.com/preferences . Click the engines tab. NamePros is one of the engines enabled by default.

- The big focus now is finishing the Toki server -- a decentralized Linux server that can be deployed for under $100 to anywhere in the world and can provide an internet onramp to many. It is looking good.

You can expect some AI in Toki in due course. The intent is for it to evolve into a highly private transactional smart agent for content, community and commerce. If we do it right, it should improve your life!
 
4
Yes, did that and also went to the CA SOS site, which includes some periodic updates. What you found there is a cover sheet with a single paragraph amendment. The full Articles of Incorporation or Bylaws of the Corporation seem extremely hard to find on any public site, which is interesting since they are incorporated as a California Public Benefit Corporation.

On the California SOS website, you get only this:

[attachment 136913]

I am no expert on Public Benefit Corporations, but I believe they are required to file some additional disclosures including Public Benefit Reports.

It is super-cool that they have issued more than 800 million SSLs:

[attachment 136914]

Question is: Cui bono?

The cover and attachment Item 2b (unique to "public" purpose companies) were the only documents required for filing.

Articles of Incorporation are required to be public, while Bylaws are not. Many companies choose to publicly display them for transparency, as they should.

Bylaws are created by the founder at time of conception and can be tough to find as they don't always display or label them — I believe the following was meant to be ISRG's "bylaws" or at least satisfies the definition:
https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html

Either way, you are correct that transparency is lacking and no one should have to dig through archives much less head to, mail, or call 1 Letterman Drive.

Hope this helps. I'm sure you're aware of most of this, just helping teach the cohort.
 
1
The cover and attachment Item 2b (unique to "public" purpose companies) were the only documents required for filing.

Articles of Incorporation are required to be public, while Bylaws are not. Many companies choose to publicly display them for transparency, as they should.

Bylaws are created by the founder at time of conception and can be tough to find as they don't always display or label them — I believe the following was meant to be ISRG's "bylaws" or at least satisfies the definition:
https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html

Either way, you are correct that transparency is lacking and no one should have to dig through archives much less head to, mail, or call 1 Letterman Drive.

Hope this helps. I'm sure you're aware of most of this, just helping teach the cohort.


Thanks Randolph.

The main thing I am trying to understand is the mechanism for voting control and in particular for the mechanism for triggering and approving a change of control event.

The scenarios that I would be vigilant against would be things like these, ranked in order of severity:

- Sudden change of policy around non-issuance of (free) certs based on black box policy.

- Undisclosed change of policy on who has access to which keys.

- Sudden change of control.

LetsEncrypt has clearly done something innovative, as did CloudFlare. The question is whether that is entirely benevolent, or whether there is a hidden agenda.

For example, we know that Facebook was backed by In-"Q"-Tel, a known VC front for a 3 letter agency that I won't name. It is free, but you pay by willingly self-profiling yourself and your social graph. Handy!

It is odd that a Public Benefit Corporation issuing 800 million SSLs with some of the highest encryption around has governance cloaked in secrecy.

The topic is a familiar one for me because I see the same nonsense with WIPO and RDAP where "law enforcement", defined as "authorized individuals" to have the ad hoc right to pierce the privacy veil,

Sure, I might be reading too much Orwellian Animal Farm into the narrative, but I prefer to err on the side of caution, protecting clients, while using discernment as to who to serve or not serve.
 
1
A question that might be off topic: is free SSL (such as LetsEncrypt) less secure than paid SSL?

For my main website (not related to domaining) I use GoDaddy SSL and pay around $70 per year. If it is no better than free SSL, then I might switch to a free one.
 
1
Hi @Ostrados, great question! What type of certificate did you purchase from GoDaddy? I ask because the cost of SSL/TLS certs is not compared by encryption 'strength' (256-bit encryption is the current de facto standard). Keep in mind that it isn't your digital certificate that supports TLS 1.3 and its cipher suites; rather, it's your server.

If your web server supports TLS 1.3, then a 256-bit encryption channel can be negotiated if the browser supports it too. Certificate cost variance is typically due to the level of assurance you wish to provide your customers. To answer your question, however, it depends on how you define "secure". Does "secure" include trust and assurance?

These are the most common types of SSL/TLS certs you can obtain for your site.

Domain Validated (DV) - This is the most inexpensive cert and provides the least amount of assurance (although the 256-bit encryption is still extraordinary), and this is also what LetsEncrypt issues everyone. There is almost nothing to vet about your business besides that you are the owner of the domain name.

Organization Validated (OV) - An OV certificate authenticates the owner of the site and requires legitimate business information for that company. The validation process for these certificates is longer and more detailed. The Certification Authority not only verifies the fact that you own the domain, but also the fact that you are the owner of the company. The company must be in a business registry database and in a trusted online directory, e.g. DnB.

Extended Validation (EV) - The highest level of trust, as your business is vetted to the maximum. With this cert comes the green bar of trust for customers to take notice of.

[attachment: upload_2019-11-25_1-25-31.png]


LetsEncrypt does not offer code signing certificates or OV or EV cert types. They also do not provide any sort of warranty or customer support, which significantly helps their good cause. DNEncrypt will be able to offer certs across the spectrum, from code signing and DV to OV and EV, but we also provide customer support.

I hope this helps.

Thanks,

Tin Nguyen
 
2
@Tin Nguyen thanks for the answer. I think I have DV; I am not sure if customers distinguish between DV, OV or EV. Regarding the green bar, I noticed that it is not shown in Chrome, which is strange to be honest, while in Firefox it is shown. So again, how can an end user using Chrome distinguish?

I'm starting to think maybe paid SSL is a waste of money after all, unless there is some technical reason otherwise. I remember that I read somewhere that free SSL is a self-signed certificate, while paid SSL is signed by a certificate issuer (e.g. GoDaddy); maybe that is a big plus for security?

thanks
 
0
A question that might be off topic: is free SSL (such as LetsEncrypt) less secure than paid SSL?

For my main website (not related to domaining) I use GoDaddy SSL and pay around $70 per year. If it is no better than free SSL, then I might switch to a free one.

@Tin Nguyen summed it up nicely.

In short, judging by what you're paying you probably just have a DV SSL. Paying GoDaddy $70 is throwing money down the drain.

Get a cheaper solution or use Letsencrypt. Ask your host. If you're using one of the regular panels (Cpanel/DA) there should be an option to secure your website with a free SSL in the panel.
 
2
@Tin Nguyen thanks for the answer. I think I have DV; I am not sure if customers distinguish between DV, OV or EV. Regarding the green bar, I noticed that it is not shown in Chrome, which is strange to be honest, while in Firefox it is shown. So again, how can an end user using Chrome distinguish?

I'm starting to think maybe paid SSL is a waste of money after all, unless there is some technical reason otherwise. I remember that I read somewhere that free SSL is a self-signed certificate, while paid SSL is signed by a certificate issuer (e.g. GoDaddy); maybe that is a big plus for security?

thanks

Chrome changed it from being a green padlock as they will start blocking not secure websites entirely.

You will notice a grey padlock though. Free SSL isn't self signed so there are no trust issues for browsers and your connection will be encrypted to the same level as when using any other Cert.
 
0
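Tin Nguyen's DV/OV/EV breakdown above, NameDeck's point that a free certificate is CA-signed rather than self-signed, and the earlier suggestion of auto-issued 90-day certificates all concern what a browser can read out of the certificate itself. The following Python script is an added example written for this page, not code from DNEncrypt, Sectigo or any poster in the thread: it classifies getpeercert()-style certificate records by validation level, reports their lifetime against the 398-day browser maximum, and lists the 256-bit cipher suites the local OpenSSL build would negotiate, which makes the point that cipher strength comes from the server stack and not from the certificate's price tier. The `policies` key, the CA names and the four sample records are constructed assumptions; only the `ssl` module calls are real Python standard library.

```python
import ssl

# certificatePolicies OIDs the CA/Browser Forum assigns to the three
# validation levels discussed in the thread.
CABF_DV_OID = "2.23.140.1.2.1"
CABF_OV_OID = "2.23.140.1.2.2"
CABF_EV_OID = "2.23.140.1.1"

# Browsers reject newly issued server certificates valid for more than
# 398 days; the 90-day certificates suggested above sit well inside that.
MAX_BROWSER_LIFETIME_DAYS = 398


def _name(**attrs):
    """Build the ((('attr', 'value'),), ...) layout getpeercert() uses."""
    return tuple(((k, v),) for k, v in attrs.items())

def _name_to_dict(rdn_sequence):
    """Flatten that nested layout back into a plain {attribute: value} dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}

def validation_level(cert):
    """Return 'self-signed', 'DV', 'OV' or 'EV' for a getpeercert()-style dict.
    'policies' is an assumed extra key with the certificatePolicies OIDs;
    getpeercert() omits that extension, so a real tool would parse the DER."""
    subject = _name_to_dict(cert["subject"])
    issuer = _name_to_dict(cert["issuer"])
    policies = set(cert.get("policies", ()))
    if subject == issuer:
        return "self-signed"  # no CA vouches for the key, so browsers warn
    if CABF_EV_OID in policies:
        return "EV"           # legal identity vetted to the EV guidelines
    if CABF_OV_OID in policies or "organizationName" in subject:
        return "OV"           # organisation verified, but no EV audit
    return "DV"               # only control of the domain name was checked

def lifetime_days(cert):
    """Validity period in whole days; ssl.cert_time_to_seconds parses the
    'Nov 24 00:00:00 2019 GMT' timestamps that getpeercert() returns."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((end - start) // 86400)

def assess(cert):
    """Summarise what the certificate alone tells a relying party."""
    days = lifetime_days(cert)
    return {
        "validation": validation_level(cert),
        "lifetime_days": days,
        "exceeds_browser_max": days > MAX_BROWSER_LIFETIME_DAYS,
        # A certificate carries no cipher suite or protocol version at all;
        # those are negotiated between server and client per connection.
        "encryption_bits_from_cert": None,
    }

def strong_suites_offered_by_this_stack(min_bits=256):
    """Cipher suites of at least min_bits symmetric strength that the local
    OpenSSL build would offer as a server. This list, not the price tier of
    the certificate, is where the '256-bit' in a connection comes from."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    return sorted({c["name"] for c in ctx.get_ciphers()
                   if c.get("strength_bits", 0) >= min_bits})


# Constructed sample records in getpeercert() layout; none is a real
# certificate and the CA names are placeholders.
SAMPLES = {
    "blog_dv": {  # free DV certificate with a 90-day lifetime
        "subject": _name(commonName="blog.example.net"),
        "issuer": _name(organizationName="Example Free CA", commonName="Free CA R1"),
        "policies": (CABF_DV_OID,),
        "notBefore": "Nov 24 00:00:00 2019 GMT",
        "notAfter": "Feb 22 00:00:00 2020 GMT",
    },
    "shop_ov": {  # paid OV certificate, one year
        "subject": _name(countryName="US", organizationName="Example Shop LLC",
                         commonName="www.example-shop.test"),
        "issuer": _name(organizationName="Example Commercial CA", commonName="OV CA 2"),
        "policies": (CABF_OV_OID,),
        "notBefore": "Nov 24 00:00:00 2019 GMT",
        "notAfter": "Nov 23 00:00:00 2020 GMT",
    },
    "bank_ev": {  # EV certificate issued with an old-style two-year lifetime
        "subject": _name(countryName="US", businessCategory="Private Organization",
                         organizationName="Example Bank Inc.",
                         commonName="online.example-bank.test"),
        "issuer": _name(organizationName="Example Commercial CA", commonName="EV CA 1"),
        "policies": (CABF_EV_OID,),
        "notBefore": "Nov 24 00:00:00 2019 GMT",
        "notAfter": "Nov 23 00:00:00 2021 GMT",
    },
    "dev_self_signed": {  # subject == issuer, as a dev-box certificate would be
        "subject": _name(commonName="localhost"),
        "issuer": _name(commonName="localhost"),
        "notBefore": "Nov 24 00:00:00 2019 GMT",
        "notAfter": "Nov 23 00:00:00 2020 GMT",
    },
}
```

`assess(SAMPLES["blog_dv"])` returns `{'validation': 'DV', 'lifetime_days': 90, 'exceeds_browser_max': False, 'encryption_bits_from_cert': None}`, and the EV sample is the only one flagged for lifetime despite being the most expensive tier. On a live connection, `sock.getpeercert()` returns the same subject/issuer/notBefore/notAfter shape (minus the policies extension), so the classifier can be pointed at real servers once an ASN.1 parser supplies the OIDs.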
@Tin Nguyen summed it up nicely.

In short, judging by what you're paying you probably just have a DV SSL. Paying GoDaddy $70 is throwing money down the drain.

Get a cheaper solution or use Letsencrypt. Ask your host. If you're using one of the regular panels (Cpanel/DA) there should be an option to secure your website with a free SSL in the panel.

Actually it is super easy to do it yourself. I applied a free LetsEncrypt cert to one of my websites using Linux commands, but for my main website with traffic I am hesitant to do so and I feel more secure using the GoDaddy paid one.
 
1
Actually it is super easy to do it yourself. I applied a free LetsEncrypt cert to one of my websites using Linux commands, but for my main website with traffic I am hesitant to do so and I feel more secure using the GoDaddy paid one.

Yeah, if you know your way around the CLI it's very easy to set up. Do you use a panel as well or pure CLI?
 
0
Yeah, if you know your way around the CLI it's very easy to set up. Do you use a panel as well or pure CLI?

No I don't use cPanel I just use Linux command line (I use VPS not shared hosting).
 
1
A question that might be off topic: is free SSL (such as LetsEncrypt) less secure than paid SSL?

For my main website (not related to domaining) I use GoDaddy SSL and pay around $70 per year. If it is no better than free SSL, then I might switch to a free one.

Let's Encrypt only provides DV certificates, which is not good for sites that deal in selling, where the customer uses a credit card to purchase or is required to input their data. Here is a good post on the different types of SSL and why it's important to choose an OV SSL instead of DV.

https://www.leaderssl.com/articles/236-the-difference-between-dv-and-ov-certificates
 
1
Let's Encrypt only provides DV certificates, which is not good for sites that deal in selling, where the customer uses a credit card to purchase or is required to input their data. Here is a good post on the different types of SSL and why it's important to choose an OV SSL instead of DV.

https://www.leaderssl.com/articles/236-the-difference-between-dv-and-ov-certificates

That article is one hot mess by a company trying to upsell their certificates.

There are valid reasons to use OV/EV certs but security definitely isn't one of them.
 
0
There are valid reasons to use OV/EV certs but security definitely isn't one of them.
My point is a DV certificate is good if you have a simple website where you just blog. But do you think you will use a DV certificate on your online store? I will definitely not use DV for that type of website. There are still tons of people who don't use LetsEncrypt for that reason and pay a hefty amount to other companies who provide OV and EV SSL.

DNEncrypt will play a big role in the coming days as people want some trusted player who offers OV and EV SSL at a reasonable price.
 
2
My point is a DV certificate is good if you have a simple website where you just blog. But do you think you will use a DV certificate on your online store? I will definitely not use DV for that type of website. There are still tons of people who don't use LetsEncrypt for that reason and pay a hefty amount to other companies who provide OV and EV SSL.

DNEncrypt will play a big role in the coming days as people want some trusted player who offers OV and EV SSL at a reasonable price.

From a security point of view there's no reason why you shouldn't 'just' use a DV cert. I use only one EV cert and that's not even for a store.

OV/EV certs are about trust, not security. It's just the notion of trust. It's easy and cheap to set up some limited company and obtain an OV. EVs are a bit better as they check you have been in business for a certain amount of time (3 years?) I think. They can be worth the cash.

Still, processing sensitive data is just as secure when using a DV cert. That being said, you don't know if the backend is secure. If a website is secured by a cert, who says the underlying backend, database or whatever is processing your data is doing it in an encrypted form?

That's the big issue with people using Cloudflare to wrap SSL around their site. In a lot of cases there is no end-to-end encryption, leaving a lot of room for MITM attacks. The data gets encrypted/decrypted when talking to the origin servers... not a good thing. Lots of people using it have no way to use Full (strict) SSL, lack the knowledge or cannot be bothered to.

That's where I think DNE could actually make a difference, as from what I understand the full chain, end-to-end, will be encrypted.

For people who don't trust DV certs, I'd suggest being careful on NP as well. Look... a DV certificate ;)
 
1
DNEncrypt's CA is on pace to go live soon! We'd appreciate your feedback on our logo selection. I personally like A1, but what do you guys think? Please let us know if you'd like to see more concepts, or different color schemes, icons, etc. Thanks!
[attachment: dnencrypt.jpg]
 
1
Is it just me or does A1 look like the NameSilo logo color scheme? And, in all cases, DNE reads like something separate: DNE+ncrypt. Yeah, it is the domain structure, but it should be possible to eliminate this effect in the logo.
 
1
A6 only

People are soft-memo at elaborating and recalling the specific features of the logo. The outlines must be strong (secure) and, from the inside, capable of associating with me (key, similar)... from the perspective of an end user. The colors used for the "secure" logos are not in line with people's perception ("security" blue, "secure" green).

Regards
 
4