Re: Preparing to Publish HTTPS Finding

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Tue, 30 Dec 2014 20:07:55 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, Chris Palmer <palmer@google.com>, Daniel Appelquist <appelquist@gmail.com>, TAG List <www-tag@w3.org>, Ian Jacobs <ij@w3.org>
Message-Id: <20141230200755.5615e4b46b682edb8fc70170@bisonsystems.net>
Anne van Kesteren wrote:
>
> Melvin Carvalho wrote:
>
> > So what's the cost of a wildcard SSL certificate (someone quoted
> > $100 in a previous)?  Is it affordable?
> 
> I'm not sure why a wildcard certificate is the benchmark, but you can
> get unlimited wildcard certificates that last two years for personal
> use for a yearly verification fee of USD 60 with StartSSL.
> 
> It's unclear whether Let's Encrypt will issue wildcard certificates,
> but they will undoubtedly cover subdomains and since it's a protocol
> that essentially comes down to the same thing, unless you really need
> a wildcard subdomain for some kind of service. And that's completely
> free.
> 

Or maybe I just want to shard my domain between dynamic and static
content, like by using img.example.com? Please don't tell me that all I
need to do in order to survive in your utopia, is not shard my domains
so I can get cheap/free TLS certs (let alone from dubious providers).

>
> Per https://blog.cloudflare.com/introducing-universal-ssl/ CloudFlare
> also offers wildcard certificates for free.
> 

In exchange for agreeing to a TOS that's so odious, mentioning it as a
viable solution on this list is, at best, deflection of whatever issue
led to it.

>
> Getting access to a certificate is not the problem. Ease of use is.
> Mixed Content, HSTS, renewing certificates, etc. all pose additional
> challenges to developers.
>

Which can also be read as additional costs, the rebuttal to which
really needs to stop being CloudFlare. Again, read their TOS. You can't
respond to the legitimate concerns of developers by telling us to just
sign over our firstborn in order to play ball on your field.

-Eric
Received on Wednesday, 31 December 2014 03:08:11 UTC