Let’s face it: it’s hard to compete with free. The Let’s Encrypt initiative has been around for some time now as part of what is essentially all of Silicon Valley’s mission to make the web a more secure place through the use of the Secure Sockets Layer protocol, a system that relies on certificate authorities to vouch for the identity behind each certificate they issue.
SSL is fundamental to certain types of web transactions, but over the years it has become more and more evident that every part of the open web should be using it, as attackers have grown increasingly sophisticated at attacking both ends of the transmission when SSL is not in use. Let’s Encrypt has made it dead simple for even the newest systems administrators to implement SSL by releasing easily automated software that allows the certificate to be requested and installed from within the server itself, saving time for those who have many sites to manage.
On the other hand, Comodo Group, Inc. has been in the web security game since 1998 and has built a large business on it. The company was the largest issuer of SSL certificates as of February last year, according to Wikipedia, and is still used by many larger corporations. Of course, small organizations have always had other options when they did not want to pay the fee for a certificate: there is StartSSL, which offers free certificates for non-profits and other small outfits, and then there was always the option of a self-signed certificate. However, this last option is not really an option at all, since browsers have long treated self-signed certificates as untrusted and warn users away from them.
In a recent blog post, Let’s Encrypt lamented that Comodo was attacking them through the American intellectual property system. Specifically, Comodo is pursuing “at least three” trademark applications that include the term “Let’s Encrypt.” If successful, this could have serious implications for the Let’s Encrypt initiative, most notably that it would be forced to change its name, creating confusion amongst browser developers, users, and, perhaps most importantly, systems administrators. From a security perspective, the resulting chaos could leave web surfers unsure which name to trust and open the way for bad actors to pass off false certificates.
A user on the Comodo forum took the company to task:
Do you really need this, Comodo? Stealing brand someone else made up?
In an uncharacteristic move for larger tech companies, Comodo’s CEO Melih Old responded directly:
How can you prove it was them who made it up? […] Isn’t this why we have Trademark laws and courts? […] When Lets Encrypt copied Comodo’s 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo’s 90 day Free SSL model that we established in the market place for over 9 years!!!
We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that gives SSL for free for 90 days since 2007! Trying to piggyback on our business model and copying our model of giving certificates for 90 days for free is not ethical.
They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that’s why they created exactly same 90 day free ssl offering. So why did they choose 90 day????? That is the question!
The last bit is the most interesting thing about the CEO’s response, because one of the features of Let’s Encrypt is that it requires certificates to be renewed every 90 days. While this can be automated, many companies are content with a certificate lasting six months, a year, or even longer in some cases. A certificate issued to a company like, for instance, Facebook might be trusted for longer by all parties involved. That does not make longer lifetimes best practice, and Let’s Encrypt makes clear that its decision is based on security best practices, saying:
- They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
- They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.
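The second point above only holds if the renewal decision is itself automated. The following script is an added illustration, not code from Let’s Encrypt or from its client software: it uses the stock `openssl` command to create test certificates with a chosen lifetime (constructed sample input) and then decides whether a certificate falls inside a renewal window. The 30-day window is an assumption chosen for the demonstration; any renewal tool would pick its own.

```shell
#!/bin/sh
# Added example: decide whether a certificate is due for renewal.
# Assumes the `openssl` CLI is on PATH. Not part of the original article.

# make_test_cert OUT.pem DAYS
# Creates a throwaway self-signed certificate valid for DAYS days.
# This is constructed sample input standing in for a real CA-issued cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "${1%.pem}.key" -out "$1" \
    -days "$2" -subj "/CN=renewal-demo.example" >/dev/null 2>&1
}

# needs_renewal CERT.pem [WINDOW_DAYS]
# Returns 0 (true) when the certificate expires within WINDOW_DAYS
# (default 30, an assumed value), 1 (false) otherwise.
# `openssl x509 -checkend N` exits 0 if the cert is still valid N seconds
# from now and non-zero if it will have expired by then.
needs_renewal() {
  cert="$1"
  window="${2:-30}"
  if openssl x509 -in "$cert" -noout -checkend "$((window * 86400))" >/dev/null 2>&1; then
    return 1   # still valid past the window: nothing to do today
  fi
  return 0     # expires inside the window: renew now
}

# cert_lifetime_days CERT.pem
# Prints the full notBefore..notAfter span in days. Under the reasoning in
# the article, this is the longest a stolen key or mis-issued certificate
# stays usable if nobody notices and revokes it.
cert_lifetime_days() {
  start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  # GNU date syntax; BSD/macOS would need `date -j -f`.
  s=$(date -u -d "$start" +%s 2>/dev/null) || return 1
  e=$(date -u -d "$end" +%s 2>/dev/null) || return 1
  echo $(( (e - s) / 86400 ))
}

# Stand-alone demo: one 90-day certificate (the Let's Encrypt lifetime)
# and one that is about to expire, both constructed on the fly.
demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/ninety.pem" 90
  make_test_cert "$dir/short.pem" 10
  for c in "$dir/ninety.pem" "$dir/short.pem"; do
    if needs_renewal "$c" 30; then
      echo "$c: RENEW (expires within 30 days)"
    else
      echo "$c: ok (more than 30 days remaining)"
    fi
  done
  rm -rf "$dir"
}

demo
```

Run on a schedule (cron or a systemd timer), a check like `needs_renewal` is what makes a short lifetime painless: the certificate is replaced well before it lapses without anyone reading expiry dates by hand.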
More to the point, Let’s Encrypt does not intend to build a business around issuing certificates. The initiative is sponsored by industry heavyweights such as Cisco, Facebook, Shopify, and other deep-pocketed companies that have no need to make money on a venture such as this. The end goal is a more secure web, not a bottom line. This makes Old’s argument all the more suspect, if not misinformed. But Old does not stop there. He goes on to double down on this claim in a response to the above-mentioned Let’s Encrypt blog post, stating:
so whose certs are these? Of course Comodo’s!!! So they are admitting they are copying our innovation of 90 day free ssl certs!
In a later post, Comodo employee Robin Alden made clear that Comodo would not make a long fight of this. The employee said:
Josh posted a link to the application and as of February 8th it was already in a state where it will lapse. […] Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse. […] We have now communicated this to LE.
LE presumably stands for Let’s Encrypt. However, this claim makes little sense, since Let’s Encrypt was already issuing certificates when Comodo filed its applications. Either way, if the trademark applications do lapse, Let’s Encrypt will be spared a long and drawn-out battle to retain the right to use two fairly common words, in conjunction, as its name.
It seems that the pace of technology is such that, to remain profitable, a company must continually find new ways to attract money, because things become free over time. A good example is how web mail has now almost universally replaced the mail accounts bundled by Internet service providers, and it now seems that free alternatives to commercial certificate authorities will become the norm in the coming decades as well.