- Take the amount you paid for certificates last year
- Divide by any number, let's say 10
- Donate that amount to LetsEncrypt, and continue to get free certificates all year!
I agree with some commenters that it would be great to see LetsEncrypt bolster their revenue with reasonably-priced offerings such as wildcards and EVs. But you can't argue with the progress they've made so far. If there is enough community demand, I'm sure they'll get there.
Though their stats page[0] appears to be broken, last I heard they had surpassed 5 million certificates. To meet their current funding goal of $200k for a month, that equates to $0.04 per certificate per month, or $0.48 per certificate per year!
EDIT: Their stats page is back. Looks like they have reached 10 million certificates. So halve the above numbers!
I'd also like to point out that even if you never get a certificate from us yourself, we're still helping to protect you when you browse any of the millions of sites we help to secure.
I need to preface this by claiming I have no idea what I'm talking about, but please bear with me:
The startup I previously worked at paid around USD 2000 for 5 wildcard certs from GoDaddy.
If Let's Encrypt charged even 10% of that, it's about $40/cert. Based on your estimate of 10 million certificates issued (and assuming that 90% of the users leave because it's not free)...that's ~1 mil certificates @ $40/cert => $40 mil.
Am I calculating this wrong somehow? (or how is this possible?)
Let's Encrypt doesn't charge anything for cert issuance; the 10% figure was someone's suggested donation based on being appreciative of cost savings. It's true that if Let's Encrypt did begin to charge $40 instead of $0 for certs, and maintained even a moderate percentage of current issuance rates, it would have revenue in the millions of dollars.
(Also, Let's Encrypt doesn't issue wildcard certificates at all.)
I've never paid for an SSL cert :/ Also, keep in mind that I'm just issuing them like they're peanuts now, because LE is there. Need to deploy a throwaway instance of my app? Random subsubsubdomain and a TLS cert, why not.
You can't really compare the number of free things you're using to the number of things you'd use if they weren't free.
Yeah, same here, while I had a cert, now I encrypt all my personal self-hosted stuff just because LE makes it free and easy (and this last part is not to be underestimated!).
Hmm. I'm skeptical that this approach is sustainable to cover the same $200k every month.
Is this truly needed to cover operations? In other words, when this falls short, are they in danger of going insolvent at some point?
I'd much rather they go some different path to cover the shortfall. Perhaps reasonably priced wildcard and/or EV certs, while leaving regular certs at the "free" price level?
They are not saying they would need to raise 200k from the crowd every month. Instead:
"We decided to run a crowdfunding campaign for a couple of reasons. First, there is a gap between the funds we’ve raised and what we need for next year. Second, we believe individual supporters from our community can come to represent a significant diversification of our annual revenue sources, in addition to corporate sponsorship and grants"
>Perhaps reasonably priced wildcard and/or EV certs, while leaving regular certs at the "free" price level?
IDK, wildcard certs encourage really bad practices, and I don't see the LE team liking the idea of issuing them.
EV certs means a significant increase in costs to actually go through the processes required (audits, etc) so that browsers will accept them, and then the increased costs of doing due diligence when issuing certs. Unless they want to grow in that direction, it seems like a poor business choice.
Yes, it means they run the risk of going insolvent; despite the fanfare, and the pace at which they have moved themselves into a critical niche on the web, they are still an open source project, and are supported by sponsorships and donations.
I expect that there are some significant players that would invest to keep them around, but it can be hard to continue making an impact when you subsist off of crumbs.
Could you elaborate on why wildcard certs are a bad idea? I've heard this from several sources, but I haven't read a breakdown of why people think this.
If I'm running a web application, and want to provide an interface where separate teams sign up and access their version of the app at team-name.your-app.com, what's the alternative? Or is it that this is considered unwise, and I should just put team-name in the URL path instead?
The primary issue with wildcard certificates is that it encourages certificate reuse between server environments. Even the act of transferring keys around carries a certain degree of risk. With a wildcard certificate though, say you have a very secure shopping site, and a user-run forum:
Your wildcard certificate for *.example.com covers both domains, and can be shared between both servers. Nice! You've saved a bundle of money on certificates. But there's now a security risk: Say an attacker manages to compromise forums.example.com through some vulnerability in the forum software, and steals the private key for *.example.com. They can now set up their own server hosting checkout.example.com, successfully execute a Man in the Middle attack, and steal sensitive customer data without the end user being any the wiser.
Issuing separate certificates prevents this scenario by enforcing a separation of responsibilities. If each server has its own set of keys, then a security compromise on forums.example.com does not spill over to checkout.example.com, because the key used on one server is useless to impersonate the other. Obviously a key compromise at all is a bad situation, but you want to architect your environment so that a compromise has the least potential to do damage, and that's the basic argument against wildcard certificates.
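The blast radius argument above can be made concrete by asking which hostnames a stolen key would let an attacker serve. The following is an added example, not code from the thread or from Let's Encrypt: it implements the wildcard matching rule browsers apply (RFC 6125 section 6.4.3: a `*` is only honoured as the entire leftmost label, it matches exactly one label, and it never covers a bare public suffix) and compares a wildcard certificate against a per-host one over a constructed list of hostnames. The hostnames (`HOSTS`) and the certificate name sets are assumptions chosen to mirror the forums/checkout scenario.

```python
"""Which hostnames would a stolen *.example.com key let an attacker impersonate?

Added example, not part of the original thread. Implements the RFC 6125 wildcard
rule and compares the blast radius of a wildcard certificate with a per-host one.
"""
import re

# A DNS label: letters/digits/hyphens, 1-63 chars, no leading or trailing hyphen.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed deployment for the demo (not real hosts).
HOSTS = [
    "www.example.com",
    "forums.example.com",
    "checkout.example.com",
    "example.com",           # apex: not covered by *.example.com
    "api.v2.example.com",    # two labels deep: not covered by *.example.com
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules as browsers enforce them:
      * comparison is case-insensitive, trailing dots are ignored;
      * a wildcard is only honoured as the whole leftmost label;
      * it matches exactly one label, so *.example.com covers neither
        example.com nor a.b.example.com;
      * patterns like *.com (wildcard directly under a public suffix) and
        partial wildcards like f*.example.com are rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:          # *.com style: refuse
            return False
        return p_labels[1:] == h_labels[1:] and bool(LABEL.match(h_labels[0]))
    if any("*" in label for label in p_labels):
        return False                   # partial wildcard: refuse
    return p_labels == h_labels


def impersonable(cert_names, hostnames):
    """Hostnames a key for a certificate listing `cert_names` could serve."""
    return sorted(h for h in hostnames if any(name_matches(n, h) for n in cert_names))


if __name__ == "__main__":
    wildcard = ["*.example.com"]
    per_host = ["forums.example.com"]
    print("wildcard key stolen from forums ->", impersonable(wildcard, HOSTS))
    print("per-host key stolen from forums ->", impersonable(per_host, HOSTS))
```

Run it and the wildcard key covers www, forums and checkout at once, while the per-host key covers only forums. Note the two names the wildcard does not cover (the apex and `api.v2.example.com`): operators who assume a wildcard covers "everything under the domain" tend to discover this at deploy time, which is another reason explicit per-host names are easier to reason about.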
Good writeup. In addition, using discrete certificates makes managing them easier, whether for renewal, squashing SHA-1 and the like, or revocation. It can be a big headache to track down all the places a wildcard cert worms its way into at large, penny-pinching orgs.
FYI, it is possible to run multiple certificates on one IP+port if your SSL clients support SNI. Nowadays that's not too crazy an assumption, and creating on-demand certs is doable; integrating this with your service and managing renewal might be a pretty advanced task though.
In other words, a web app with custom subdomains is probably a reasonable use case for wildcard certs, for now.
I've been working on a rollout of LE for our platform that I'm honestly now thinking about pausing -- a crowdfunding campaign is the opposite of confidence-inspiring in terms of longevity.
Any chance LE can make some official statement regarding their operating budget/burn? My strong preference would be to use them but I can't recommend transitioning to someone trying to make up single months of Opex by begging for donations.
Diversifying income is something every responsible non-profit should be doing, and that's what this is. If I were you I'd be more worried if we didn't do something like this.
The bulk of our support comes from corporate sponsorship, another component is grants, and the third is individual donations. Individual donations are likely always going to be our smallest source of revenue but it's still an important source to develop.
We'll be around. Go ahead with your rollout, I hope it goes smoothly and that it inspires you to contribute back what you can.
Although it's not really intended for this sort of thing, I wonder if you could shoehorn Let's Encrypt into Patreon. If you're just trying to diversify your revenue it seems like Patreon would provide a more predictable cashflow than doing periodic crowdfunding campaigns.
They could just offer a simple subscription (yearly or monthly) with user-chosen price tag, aka recurring donation. Call it "individual sponsorship", make a pretty login window and a little dashboard once logged in, that's it. Like if we had to pay for a subscription to use LE, except we don't need to.
Yes! Patreon, Paypal, anything that has the ability to give a recurring donation. If they can get 20,000 people giving $5 a month then they have half their recurring costs. This is something I would consider giving at least $5/mo to along with wikipedia, united way, NPR, etc. Some efforts are just worth giving money to and recurring donations would be a lot more stable and valuable (even if smaller up front) than a one time $200,000 fundraising.
They already have at least $2.4m from the 10 platinum and gold sponsors. And at least $270k from the 27 silver sponsors. That's the minimum total, and we're already close to the $3m.
Plus it's part of ISRG, which is backed by Akamai, Cisco, Mozilla, EFF, and a few others.
It sounds very unlikely they'll fail to raise the $3m they need any time soon. I think they'll need some kind of other event to occur first before that happens -- like a security breach, or getting removed from the browsers.
It is disappointing that such campaigns are required despite the tremendous value being created.
Any useful service costs money to build and keep running. Perhaps easier renewals have led us to forget that efforts to make the internet more secure require a lot of hard work and resources (money). LetsEncrypt doesn't generate income by selling ads. Users ought to consider donating.
I would find this pretty useful on occasion. Not to mention, it makes more sense to me than selling cheap wildcards, because now you've got a product, and you're potentially encouraging poor security (as pointed out by other commenters in this thread). Seems much more aligned with the goal of Lets Encrypt in the first place.
Why not choose a less US-centric fundraising platform? There aren't any? For example, I am missing a choice of currency. If I were to donate in dollars I would have to pay the bank twice for changing currency.
I assume that their expenses are in USD, so somebody will have to pay conversion fees. It's just a question of whether they're taken out before or after the number you put in.
You think that's a lot? I'm not trying to single you out and please don't take this as a personal attack. But it's disturbing to me that, especially in light of the Dyn attack and others, people STILL are not getting how badly our security infrastructure is horrendously broken and/or non-existent on the net.
Letsencrypt are one of the good guys. They are fighting the good fight. With the admirable goal of trying to get the web moved entirely over to SSL. It's an uphill battle because we have decades of SSL being a pain in the ass to deploy and maintain. "But certificates are not hard to generate and deploy!" Over 50% of the web disagrees with you.
People have got to start taking this stuff seriously. Everyone should be donating monthly to OpenBSD for OpenSSH, which everyone and their grandmother uses in their infrastructure, but they take it for granted and don't donate. Which I personally find appalling: it's so widely used and yet supported so very little for such a vital part of everyone's infrastructure.
SSL is the same way, it's a vital part of everyone's infrastructure, and both the OpenBSD folks and Let's Encrypt should be bankrolled by the tens of millions each year from both individuals and the corporations who use this software on a massive scale. Seriously, Cisco, Juniper, Oracle (yeah I know it was a waste of bits to type that name here), every corporation using SSH should be pouring millions into the OpenBSD Foundation and you should all be ashamed and publicly called out for not doing so!
I agree with your comment, but I don't see what the first sentence has to do with the rest of the comment. Yes, security infrastructure is broken, yes it needs to be better, yes I think $200k per month is a lot.
Yes, LE are the good guys, and everyone should be donating mountains of money to them, and the bsd-folks. But that doesn't negate the fact that $200K a month is a crazy amount.
In what way is this a 'crazy amount'? If it were 100% personnel costs, it would only pay for a dozen or two people max. Is that an unreasonable number of people working on SSL?
There are literally thousands of people working at SSL companies. 1100 at Comodo alone.
You beat me to this sentiment. That was my thought exactly, 200K/mo is peanuts for a full time development team. And I am only talking salaries. Not perks, benefits, etc.
Which is why it is disheartening to me to hear anyone gasp at this request from LE. As you said there are many many companies using SSL that are spending truckloads a month on employee salaries, sending a 10,000 dollar check to LE each month for them should be in their own interest.
We are not holding corporations making millions off fundamental pieces of infrastructure like LE and OpenSSH accountable. These corps should really be ashamed and called out publicly for not donating healthy sums each month to these projects. IMO.
I assume that they are trying to get corporate donations, which tend to be bigger. If this is supposed to be only personal ones I doubt they can hit that goal
Edit it and remove the /web/20160506180535/ and /web/20160506180535im_/ from the PayPal form at the bottom.
Open it and click the PayPal donate button. (I would just paste the HTML code in this post, but I suspect giving people a PayPal hosted_button_id in an editable HN post would feel kind of sketchy, as opposed to getting it from the Internet Archive.)
I'll also ask to have the PayPal button put back somewhere during the crowdfunding campaign, which would be a lot easier.
They lock accounts on a whim and require extensive, unnecessary documentation to get your own money back. They recently settled a class-action suit because of this: https://www.accountholdsettlement.com/
They nearly always side with purchasers and reverse charges despite ample evidence supporting the seller.
Its fees are just sheer theft. I just used it for collecting money from friends for a small paintball event I want to organize, and it kept 10%! Seriously, people sent 5 euros, and I got 4.48, for no reason I can see.
Not to mention that currency conversion is a complete ripoff. I avoid PayPal like the plague.
Paypal's fees are 2.9% + $0.30 USD, which is pretty standard among commercial-level (and you were using it commercially, otherwise they'd have sent it as a gift) processors that don't require a merchant account. Braintree is 2.9% + $0.30 USD; Stripe is also 2.9% + $0.30 USD if you're under $1m/year.
I don't know anything about commercial stuff. All I know was that I wanted my friends to send me $5 so I could pay the paintball guy, and PayPal kept 10% of that.
How about a different type of funding model...Let's call it a "Refunder"
-A LetsEncrypt certificate is ultimately free
BUT
-You must pay X amount of dollars to get one (a fair and low amount)
-After 30 days, you can cancel/refund your payment
-BUT you still get to keep your certificate...
Probably in something like this, a fairly high percent of people will not bother to pay / are happy to continue to pay. LetsEncrypt certificates are still always free, but at least this way human laziness means that LE's important work can be sustainable into the future.
They'd lose so much money on processing fees. I'd imagine any processor would drop it like it's hot if you had a super high refund rate, even if on purpose.
Wouldn't it also break the whole automatic side of things?
Am I the only one disappointed when crowd funded projects offer so much in terms of rewards?
I get it when it comes to crowd funded products - actually getting the product - but do you really need the overheads of making and shipping (and in some cases handling returns) on physical rewards? Anyone in the know - How much does this eat into the raised funds?
Another comment here mentioned they're likely after corporate donations - I'm guessing they get processed outside of indiegogo?
I'm not sure that a single sticker for $50 really qualifies as a large reward. I'd be very surprised if these cost more than $2 per sticker, including distribution costs (note: the entire process from production to distribution is very likely to be outsourced).
It's nice to have some sort of recognition to people who give you money, it seems perfectly reasonable to me.
In this case it's actually done pretty tactfully, you're not effectively just paying for a new hoodie. I was more speaking in the general sense as a loud thought, in hindsight it's not really relevant to bring up in this thread.
I'd theorize that "hearts and minds" along with "brand awareness" are just as big and useful to them as the money itself. More awareness brings in more users, brings in more donors.
Plus, some people just won't give without getting. Which is why PBS continues to do donation drives where they give away Rick Steves books (or whatever it is these days).
I absolutely plan on contributing to the campaign and I totally get that the rewards are symbolic but I still found it a bit strange that while for $50 you get a sticker and for $100 you get a t-shirt, you get the same sticker + t-shirt if you contribute $250.
I wonder why they don't collect email addresses for people using their service. It would open all sorts of opportunities for marketing, soliciting donations, and also service announcements. I mean, I heard about this campaign on Hacker News, not directly from Let's Encrypt.
Also, I'd probably sign up for a small recurring donation if it was possible. Recurring donations could become a significant and reliable source of funding.
Edit: I am not suggesting they start spamming everyone and ask for money. An opt-in email list for topics not strictly related to service would be good.
We have a lot of email addresses provided for certificate accounts but we'd prefer to use them only when necessary, because that's what people had in mind when they gave them to us. When we collect email addresses via marketing efforts we may use them for future marketing efforts (with the appropriate opt-out options, of course).
They do have my email address, but I'm glad they did not (yet) use it to ask for money.
> If you provide an email address to Let’s Encrypt when you create your account, we’ll automatically send you expiry notices when your certificate is coming up for renewal. We send the first notice at 20 days before your certificate expires, and more notices at 10 days and 1 day before it expires.
I wouldn't want another service begging me for money every month. I'd rather they just figure out a long term solution. I'd happily pay for it, I just hate marketing emails.
Why not just make it open source? And let other people work on it and just cover 3 people managing this + architecture costs. You don't need 2.9 mil per year to process 60k certificate requests a day with a system that is practically finished. What else is there to do which the open source community could not do itself? Thousands of companies and developers use letsencrypt, a lot of potential manpower to help if you ask me. You could easily cut costs 5-6 times. Or am I missing something here?
I think you're missing a number of important things here. We operate on a pretty small budget for what we provide. I doubt you'd be happy with a CA that operated with a smaller budget.
1) Our software is already open source. That doesn't mean we get the development work that we need when we need it for free. We are constantly working on various features and fixes that need to be deployed weekly if not more often, and usually based on a close working relationship with our operations team. Security fixes need to be produced in hours or less, not when a volunteer contributor gets around to it. Our engineers also spend a lot of time every day digging through hundreds of GB of logs to find or verify service issues.
Keep in mind that our software is deployed by very few people other than us, because in order for our software to be useful you need to have done a massive amount of other (expensive) work to set up the legal, compliance, and technical context.
2) I'm not sure where you get 60k requests per day as a representation of our system load. Between ACME API interactions and OCSP it's many millions.
3) The CA needs to be monitored 24/7. Our infrastructure is necessarily more complicated than your average web API or application, and it's constantly being maintained and improved. Open sourcing doesn't address the issue of having highly qualified and trained staff building and monitoring secure systems.
4) There is a huge amount of tedious compliance and legal work that has to be done in order for us to continue to operate.
5) We operate in a compliance environment (WebTrust/BRs/root program rules). We have a lot of obligations, mostly for good reasons, that make what we're doing very different from "write some code, throw it on GitHub, deploy on a cloud service and be done with it."
All their software is open source. You can run both the client and the CA server on your own.
But your CA server won't be able to sign any certificates that will be recognized by Mozilla, Google, Microsoft, etc. It takes time, energy, and expertise to be a CA authority that is trusted by those organizations.
I think that trying to scrimp and save is not worth the relatively small amount of money saved for something like this. We've seen over and over again that so-called "critical" open source projects cannot afford to operate that way.
> And let other people work on it and just cover 3 people managing this + architecture costs.
Um, Let's Encrypt, in the course of the last year, has inadvertently become one of the largest issuers, and has become critical infrastructure for many of its users who would suddenly have to pay for certificates, assuming they configured LE certs and Strict Transport Security. If LE was only 3 "managers" + cloud infrastructure, it wouldn't be reliable.
> You don't need 2.9 mil per year to process 60k certificate requests a day with system that is practically finished. What else is there to do which open source community could not do it itself?
The service isn't "practically finished", they need to continue to improve the service to reduce costs, improve the operations capabilities of the service as it grows,
From LE:
Staffing is our dominant cost. We currently have eight full time employees, plus two full time staff that are employed by other entities (Mozilla and EFF). This includes five operations/sysadmin staff, three software developers, one communications and fundraising person, and an executive director.
>Thousands of companies and developers use letsencrypt, a lot of potential man power to help if you ask me. You could easily cut costs 5-6 times. Or am i missing something here?
You are missing a lot... this is not an open source project that anyone other than an existing CA can consume and hit the ground running. If any other major CA decided to consume Boulder, and offer it as a service, they could eat LE for lunch, but for anyone else, they need a massive investment in the logistics of becoming a CA.
Over and above that, LE is a team run on a shoestring, and yet they are building out infrastructure that is likely to be highly targeted by a broad range of attackers. Whether it's DoS, folks trying to get mis-issued certs, or a number of other objectives, that they are running and keeping the service up with that few people and that little money is an impressive feat.
CACert tried this but failed at fulfilling the requirements to be included in the important browsers. I guess it's easier to trust a company with a CEO and somewhat trustworthy employees than a group of developers that can come and go at any time.
[0] https://letsencrypt.org/stats/