Selling Epik and #1 SSL CA Sectigo (formerly Comodo SSL) partner. DNEncrypt to be Intermediate CA.

Great news everyone!

Yesterday, Epik entered into a 2 year operating agreement with SSL market leader Sectigo (formerly Comodo SSL) to become an intermediate certificate authority to issue SSL certificates across all brands of Epik Holdings, Inc.

This will allow all sites in the SSL lander network to be equipped with Domain Validated (DV), Extended Validated (EV) or Organization Validated (OV) certificates instead of the current LetsEncrypt certificates.

This is important because we don't know for how much longer LetsEncrypt will allow the creation of bulk SSL certificates for free at will, even for organizations with lots of IPv4s as we have.

We also don't know whether major search engines will start to view LetsEncrypt certificates as being less compelling as an authority signal versus a paid cert.

More announcements coming, but for now, this gives us a 2-year window to become a full Root CA while delivering on the vision for DNEncrypt as an alternative to LetsEncrypt.

Please let me know if you have any questions.

Tin Nguyen

@Rob Monster
 
Cui bono? If *they* really wanted to have all the internet secured with SSL/TLS, the most logical way would be to "whitelist" self-signed certificates, instead of showing a bunch of red warnings for self-signed SSLs... and instead of starting this LetsEncrypt project. Anybody can obtain a domain-validated SSL for almost any domain using LetsEncrypt or a cPanel-powered instant Sectigo cert, which is also free and 3 months long. It proves that the requester owns the domain name (or has technical control). So does a self-signed certificate (one should be able to point the domain to a server in order to run a website with a self-signed certificate). Real encryption is the same. The only practical difference is that it is still not easy to run a clone of, let's say, paypal.com with a self-signed cert locally (and somehow hack the DNS of the nearest public wifi hotspot to send PayPal visitors to a clone). But such a difference is caused by extended validation (paid) SSLs if we think about it...

So, free-for-all SSLs are, honestly, one big nonsense. Imho. They serve no purpose. Except that the browsers with their default settings are checking the validity of each and every SSL each time the "secure" website is loaded ;). So, somebody has access to all (SSL-protected) website names visited by each particular individual. What a surveillance klondike for the Orwellian society. Sorry if off-topic, but hope it is OK - still Epik related :)
 
Thanks Tony.

When it comes to free anything with no apparent strings attached, some healthy skepticism seems appropriate. I have not done a deep dive on the governance of LetsEncrypt, but I like the idea of there being alternatives, just as BitMitigate is an emerging alternative to "free" CloudFlare, and with no hidden agenda.

So, I think your comment is not off-topic at all. That being said, what is a "Surveillance klondike"?

Is that like a "Covfefe" or did you invent a new expression that is begging an explanation so the rest of us can keep up with that sharp intellect of yours?
 
That being said, what is a "Surveillance klondike"?
Not covfefe. Sorry, I'm not thinking in English :) It seems I translated the phrase wrong. I simply meant the Klondike Gold Rush - Canada, between the years 1896 and 1900, gold "fever" or whatever it was called. And added it as an adjective implying "golden, perfect, great" to the "Surveillance" noun.
 
Unfortunately just when it's emerging they dropped the free tier?

If you mean CloudFlare, they still have a free plan but you share a SSL certificate with ~50 total strangers. That does not seem like a genius move to me but for each his own.

If you mean BitMitigate, we do have free BitMitigate bundled with products like SSL landers, and cPanel hosting. It is tightly bundled in the Resilient Domain service.

The revenue model of BitMitigate is self-sustaining. If you use a free CDN/DDoS service, then you have to ask again Cui Bono? I am pretty sure you know that CloudFlare started out as "Project Honeypot".

Do a Toki search: https://toki.com/?q=cloudflare project honeypot

You find gems like this: https://www.projecthoneypot.org/about_us.php
 
No, I actually referred to BitMitigate. I got a mail some months(?) ago that they were dropping the free plan and I should pick a paid plan. Kinda killed it for me as a standalone service. I have some PoPs in DCs that provide quite decent DDoS protection so decided on a DIY alternative :)

Good info you posted on CF. For those who aren't up to speed, give it a read. I'm still using CF actually (both business account and free plan) but always use my own Certs on top for the same reason you stated.

Yup, got it. I think you might have a winning combo there. DN Encrypt + CF might be the chance to have your cake and eat it too.

As for BitMitigate, once Toki servers are all over the place, we may bring back the free CDN option. It is capital intensive to provide free CDN. Someone is paying for that.
 
Hi @Ostrados, great question! What type of certificate did you purchase from GoDaddy? I ask because the cost of SSL/TLS certs is not compared by encryption 'strength' (256-bit encryption is the current de facto standard). Keep in mind that it isn't your digital certificate that supports TLS 1.3 and its cipher suites; rather, it's your server.

If your web server supports TLS 1.3, then a 256-bit encryption channel can be negotiated if the browser supports it too. Certificate cost variance is typically due to the level of assurance you wish to provide your customers. To answer your question, however, it depends on how you define "secure". Does "secure" include trust and assurance?

These are the most common types of SSL/TLS certs you can obtain for your site.

Domain Validated (DV) - This is the most inexpensive cert and provides the least amount of assurance (although the 256-bit encryption is still extraordinary), and this is also what LetsEncrypt issues everyone. There is almost nothing to vet about your business besides that you are the owner of the domain name.

Organization Validated (OV) - An OV certificate authenticates the owner of the site and requires legitimate business information for that company. The validation process for these certificates is longer and more detailed. The Certification Authority not only verifies the fact that you own the domain, but also the fact that you are the owner of the company. The company must be in a business registry database and in a trusted online directory, e.g. DnB.

Extended Validation (EV) - The highest level of trust, as your business is vetted to the maximum. With this cert comes the green bar of trust for customers to take notice of.

LetsEncrypt does not offer code signing certificates, or OV or EV cert types. They also do not provide any sort of warranty nor customer support, which significantly helps their good cause. DNEncrypt will be able to offer certs across the spectrum - from code signing and DV, to OV and EV - but we also provide customer support.

I hope this helps.

Thanks,

Tin Nguyen
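As an added example (not code from the thread, Epik or Sectigo): a Go program that classifies a leaf certificate as DV, OV or EV the way the post above describes, using the CA/Browser Forum certificate-policy OIDs (DV 2.23.140.1.2.1, OV 2.23.140.1.2.2, EV 2.23.140.1.1) with the subject Organization as a cross-check, and that also reports the SAN count and lifetime that come up later in the thread (shared certificates, long-lived certs). The `sample` certificates are constructed in code and are not real certificates; `InspectPEM` takes the PEM bytes of a real certificate.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"time"
)

// CA/Browser Forum certificate-policy OIDs declaring a leaf cert's validation level.
var (
	oidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// ValidationLevel returns "EV", "OV", "DV" or "unknown". The policy OID is the primary
// signal; subject O= is a cross-check (absent on DV, required on OV/EV), so an OV/EV OID without O= yields "unknown".
func ValidationLevel(c *x509.Certificate) string {
	hasOrg := len(c.Subject.Organization) > 0
	for _, p := range c.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV) && hasOrg:
			return "EV"
		case p.Equal(oidOV) && hasOrg:
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	return "unknown"
}

// Report: assurance level, number of hostnames sharing the cert, lifetime in days.
type Report struct{ Level string; SANCount, LifeDays int }

func Inspect(c *x509.Certificate) Report {
	return Report{ValidationLevel(c), len(c.DNSNames), int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)}
}

// InspectPEM inspects a PEM-encoded leaf certificate, e.g. one exported from a browser.
func InspectPEM(pemData []byte) (Report, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return Report{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Report{}, err
	}
	return Inspect(c), nil
}

// sample returns a constructed, unsigned certificate object (not a real cert).
func sample(org string, policy asn1.ObjectIdentifier, sans []string, days int) *x509.Certificate {
	start := time.Date(2019, 11, 24, 0, 0, 0, 0, time.UTC)
	c := &x509.Certificate{Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans,
		NotBefore: start, NotAfter: start.Add(time.Duration(days) * 24 * time.Hour),
		PolicyIdentifiers: []asn1.ObjectIdentifier{policy}}
	if org != "" {
		c.Subject.Organization = []string{org}
	}
	return c
}

func main() {
	fmt.Printf("%+v\n", Inspect(sample("", oidDV, []string{"lander.example"}, 90)))
	fmt.Printf("%+v\n", Inspect(sample("Example Shop Ltd", oidEV, []string{"shop.example"}, 397)))
}
```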
 
A question that might be off-topic: is free SSL (such as LetsEncrypt) less secure than paid SSL?

For my main website (not related to domaining) I use GoDaddy SSL and pay around $70 per year; if it is no better than free SSL then I might switch to a free one.

@Tin Nguyen summed it up nicely.

In short, judging by what you're paying you probably just have a DV SSL. Paying GoDaddy $70 is throwing money down the drain.

Get a cheaper solution or use Letsencrypt. Ask your host. If you're using one of the regular panels (Cpanel/DA) there should be an option to secure your website with a free SSL in the panel.
 
There are valid reasons to use OV/EV certs but security definitely isn't one of them.
My point is a DV certificate is good if you have a simple website where you just blog. But do you think you will use a DV certificate on your online store? I will definitely not use DV for that type of website. There are still tons of people who don't use LetsEncrypt for that reason and are paying a hefty amount to other companies who provide OV and EV SSL.

DNEncrypt will play a big role in the coming days as people want some trusted player who offers OV and EV SSL at a reasonable price.
 
Honestly, I don't like any of them.
 
Old logo before a rebrand (image attachment not reproduced)
New logo after a rebrand (image attachment not reproduced)

Why Use a Sectigo Trust Seal
https://ssl.comodo.com/site-seal

Regards

Fair point. Notice that the old graphics are not pretty and whimsical. Perhaps they spoke to audiences of a time gone by, and the companies chose to remove the artwork for a reason. ...that reason being that the brands were better off without the art.

The graphics proposed look more modern, for sure. But they also look friendly. Neither of the examples above look friendly.
 
I like Surveillance Klondike better, now I know what you meant. Anything that is gold. Totally klondike.
 
GoDaddy: $63.99/yr. and NameCheap: $7.88/yr. It is for 1 DV cert (not a wildcard). Individual discounts are likely available in both cases. One would guess that GoDaddy is able to sell some charging ~9 times more. Since I am not a big fan of LetsEncrypt, and prefer to have normal 2-year certs, something <$10 per domain per year for the simplest 1-domain DV cert sounds OK for my needs. Which is what I am paying now (if a real website needs to be "secured", not a domain-for-sale lander). Many other users are of similar opinion, so there is still a market for normal certs even with free cPanel/DirectAdmin/etc. certbot addons offering good automation for free certs.

Did you say free? ;) Must be for epik-regged domains?

Commercial DV 90-day certs will be FREE.

It will compete directly with LetsEncrypt.

The upsell is to the paid certs.

Details on the pricing to follow soon. We actually need to move some volume on paid certs because of quarterly "take or pay" commitments with Sectigo.
 
@Rob Monster - would we see an opportunity to add the third certificate source to the built-in cPanel/WHM client? Any plans to work with cPanel on this, or prepare some sort of 3rd-party addon?

At this time, cPanel offers a selection between LetsEncrypt and Sectigo 3-month certs. This is configured at the server management level (WHM).

Similar question re. DirectAdmin (as the second ssl source).
 
We also don't know whether major search engines will start to view LetsEncrypt certificates as being less compelling as an authority signal versus a paid cert.

Google is a major backer of LetsEncrypt.
 
LetsEncrypt isn't going anywhere, and it's free. All of my hosting customers (Windows and Linux) use them.
 
(quote begin)

To increase trust in the application of PKI technology, the CA/Browser Forum has mandated that a CA, in order to issue Publicly-Trusted Certificates, obtain an audit report under a qualified audit scheme performed by a qualified auditor.

In order to issue SSL certificates, most CAs will need to complete an approved independent third-party audit. There are three alternatives. The first is an audit against WebTrust for Certification Authorities criteria, issued by the WebTrust for Certification Authorities Task Force, a joint task force of the American Institute of Certified Public Accountants and the Chartered Professional Accountants of Canada (CPA Canada). Specifically, WebTrust for Certification Authorities and WebTrust for Certification Authorities – SSL Baseline Requirements Audit Criteria have been developed to meet the CA/Browser Forum's Baseline SSL Requirements.

Another alternative for an independent third-party audit is an audit that conforms to ETSI EN 319 411-1 or ETSI EN 319 411-2. These standards are published by the European Telecommunications Standards Institute (ETSI).

Also available, but rarely used, is an audit that conforms to ISO 21188:2006.

(quote end)

Source: CA/Browser Forum

I believe the above is applicable (and originally intended) to those Certification Authorities who issue Extended Validation (EV) Certificates to begin with, and/or to Root CAs (I may be mistaken here).

Even though the requirements for Intermediate CAs (the Epik/DNEncrypt case) may not be that strict from a practical point of view, may I ask whether Epik/DNEncrypt was audited, and, if so, by whom and what the outcome of said audit is ("official" signed document, is it published, can we read it)?
 
In case you're not aware, LetsEncrypt throttles production. Right now, that throttle is a relatively generous 300 SSLs every 3 hours for every unique IP for a maximum length of 90 days. This is described in the published rate limits for the ACME API, which are subject to change:

https://letsencrypt.org/docs/rate-limits/

Now, with a /22 IPv4 you get 1022 usable IPs. So, theoretically someone with a /22 could produce more than 2 million unique SSLs per day. Now, let's suppose a bunch of clever folks decided to do that for domains and subdomains, pretty soon you would have a crap load of free SSLs out there and all of a sudden LetsEncrypt is the market leader in SSL/TLS. It has probably already been done with subdomains.

So how is this a bad thing? I know for your use case you'd like to be as independent as you can possibly get, but how would using Sectigo be any different? If I'm not mistaken they can be considered the market leader, so wouldn't that leave you vulnerable to the same thing? Also, they're owned by an equity firm so... don't need to explain my concerns about that.

As for rate limiting, it's even worse actually. You can use it with IPv6, so the number of IPs you can use to request certs from is 'limitless'.

Officially, in market share reports, I don't see LetsEncrypt being counted, as reports show Sectigo as the overwhelming market leader. My sense is that what Sectigo sees in this partnership is that allowing free 90-day certs to be issued makes a clear path to upgrading to higher-end certs as the digital brands transition from landers to sites. This is a classic "point of entry" strategy for Sectigo. DNEncrypt can help there. Win-win.

Right now, LetsEncrypt allows anyone to issue certs. There is basically zero vetting or curating. Why should browsers trust it when it puts thugs and crooks on the same level as honorable site operators? At some point, LE can systematically begin banning domains. Who decides? Not sure. If national governments can turn off the internet, can those governments pressure LE to block certs for those countries? Possibly.

Do I understand correctly that you think that Sectigo expects that people will upgrade their DV certs used for landers to EV certs later on? Or is that your projection? I think that's the only part where DNEncrypt could make a real difference. Affordable/free EV certificates. Integration for Toki is cool though. I love that project.

But how is allowing anyone to generate a cert a bad thing? It's the encryption that matters and they are audited by WebTrust just the same, following set industry standards. I wouldn't say there's no vetting or curating.

I don't buy into that article you linked. It's all whatif/then/else/or... hearsay. The same 'security issues' can be attributed to any CA.

The final notable thing that our engineers recognized is that there will be some important challenges in the network architecture for Toki servers going forward where we might have a very large number of decentralized Toki servers, e.g. 1 million Toki servers in a few years from now. Each one has to maintain end-to-end encryption with no risk of man in the middle attacks, even if no VPN is installed on the client.

As you can see, there is some logic to why we felt it wise to vertically integrate this competency in order to complete the stack. This arrangement gives us a 2-year window to do it well, while navigating the decision on how to become a Root CA. I am happy with it and think Sectigo is too.

I think this is where the real win is for you. To be clear, I'm not trying to attack you but merely engaged as the content of the post from OP doesn't do justice to the huge accomplishment of LetsEncrypt.

Now what I'm really curious about is will you be looking into offering affordable/free EV certs? I think that could disrupt the market even more and be a real gamechanger. Securitywise.
 
By the way, does Epik *acting as CA* have plans to offer normal paid 1-2 year SSL certs for external domains, not necessarily for-sale domains or Epik-regged domains? Pricing? The best I found so far are from NameCheap and from their ssls.com brand (cheaper).
 
I may be too paranoid, but I never trusted Cloud Flare. Yes it does work. But, what or who is really behind them... They appeared out of nowhere (almost). With advanced infrastructure. And tons of IPs (even though the lack of IPv4 addresses problem was already serious at that time).
 
Thanks @NameDeck

Comments:

- As an intermediate CA, we are still holding keys. Sectigo holds the master signing key but we will hold the keys for the certs we issue. The engineering work for doing that very securely is in progress. The guys we have responsible for it know what they are doing.

- Decent chart here comparing DVs (image attachment not reproduced).

We are issuing a Commercial DV with some added overlay of vetting, i.e. where some certs don't get issued in order to earn trust. As to how many upgrade from our free DN Encrypt DV to a paid Cert, we'll see but since we have an entire value chain to upsell, the SSL is a viable point of entry.

- As for EVs, we secured wholesale pricing for EVs, and other premium certificates. We'll see what we can do there to be as competitive as possible. I am not aspiring for a race to the bottom but am comfortable with the idea of passing through savings.

- I want to explore introducing a Forever Cert, just as we have Forever domains. There will be a discussion with Sectigo about that one. A lot of people innovate around "Free" or "Unlimited" but I personally like "Forever". We did the same with cloud storage with Armored.net.

Thanks for all the awesome input!

Thank you for your clarification. Appreciate you taking time to give some insight into the process and underlying vision. Very transparent, nice. Will follow this going forward as it seems like a good one-stop offering, especially for end users!

So Forever Certs... great idea. It would save a lot of people from the embarrassment of forgetting to renew/re-sign a cert before it expires :) I would suggest though to make certs valid for just a limited time and not max it out to beyond 1 year. Like you will auto-issue a new cert every 90 days, forever, without the client having to manage anything. Security-wise, long-lasting certificates are a vulnerability. Your dev/tech team is superb. They'll figure it out ;)
 
Definitely. Operating a well-performing CDN is extremely expensive! I read a good article on how CF was able to afford doing it but can't find it bookmarked anywhere. If I come across it I'll post it here on NP.

Thanks for the info!
 