Buypass Discontinues Issuance of TLS/SSL Certificates
Buypass is discontinuing its TLS/SSL certificate issuance, sparking discussion on the impact of Let's Encrypt on the certificate authority market and the potential for a de facto monopoly.
Snapshot generated from the HN discussion
Key moments
- Story posted: Aug 25, 2025 at 2:28 AM EDT
- First comment: Aug 25, 2025 at 4:35 AM EDT (2h after posting)
- Peak activity: 45 comments in the first 0-6h window
- Latest activity: Aug 28, 2025 at 7:49 PM EDT
ID: 45010846 | Type: story | Last synced: 11/20/2025, 6:36:47 PM
Plenty of businesses with legacy systems will happily pay $300/year for a 1-year SSL certificate, because they haven't automated renewal, and don't need to over a mere $300. This lets for-profit CAs provide something Let's Encrypt doesn't offer.
I don't get why they'd give up their one competitive benefit? Surely every customer of a paid CA is an organisation that hasn't automated certificate rotation?
Mid-term, it'll reduce the risk of noncompliance, as large customers can no longer demand that you delay revocation. CAs no longer have to fear customers switching to their competition.
Long-term, it'll reduce their operating cost, as it is no longer necessary to handhold customers through the certificate issuance and installation process. You just give them a URL, id, and key to enter a single time, and it should Just Work.
The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV. Tell the politicians that "everyone can get a basic cert these days", and that the really important stuff (like banking, hospitals, power grids) should be forced to buy EV certs.
It doesn't matter how far you reduce your operating cost, if your revenue falls to zero.
> The revenue loss of small customers can be compensated by regulatory capture and price hikes for EV.
Hah, that's a good one.
Sure, google.com and microsoft.com and amazon.com and godaddy.com and letsencrypt.org and facebook.com and twitter.com and cloudflare.com and coinbase.com and visa.com and entrust.com don't need EV certificates... but you do.
Google removed all the verification markers from Chrome in September 2019 - because they investigated them and nobody understands that a green box means verification.
Yes, the obvious answer is: make the verification UI look like every other verification UI, but they didn't test that. The Chrome team, especially Ryan Sleevi, thinks regular people should understand DNS. You know - apple.com.store/ipad isn't Apple, and withgoogle.com is actually Google.
See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1698936, https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
The CA/Browser Forum gets to set requirements for anyone who wants to run a website. If they decide website operators should renew their certificates monthly, website operators don't have much choice in the matter.
I worry that some day members of the forum will realise how much power that actually is. If there's a trade embargo on Country A, or a genocide going on in Country B, perhaps 24-month certificates aren't the only sin they should use their power to correct.
I personally sleep much better knowing that e.g. all major browser vendors cooperate on the CA/B (and elsewhere, e.g. the IETF, W3C, ECMA) instead of the biggest one dictating the rules (which, to be fair, happens to a certain degree, e.g. with Chrome leading the way for certain technologies).
While I agree there are an astonishing number of CAs listed, it seems to me there's no representation of website operators, or website users.
If you are a Let's Encrypt user, then it is nearly impossible to see (even with CT logs) that there was a malicious interception. From a website operator's point of view it looks like a pretty standard renewal, as Let's Encrypt has a short validity duration anyway.
Add on top of that that in the US they have access to easy and non-BGP entry points to reroute traffic (Google DNS, Cloudflare DNS).
They can intercept in practice all Cloudflare and all Let's Encrypt sites (except that for Let's Encrypt they also need the cooperation of a friendly DNS and run a very theoretical, small risk of getting caught in CT logs).
Big sites like Meta or Google or Amazon already have to cooperate and intercept internally, so in practice almost all of the western internet is interceptable rather easily.
There is zero world where the US gov would want to stop that.
The tech guys working for the NSA are far from being idiots, and it would be insulting to even consider that. They would fight to protect Let's Encrypt.
* https://github.com/SSLMate/certspotter
* https://certificate.transparency.dev/monitors/
Maybe <5% of devops are checking in reality (and this is very generous); even if they watch it is very difficult to spot since the CA is the same, and short-lived certificates (so very normal that they renew).
crt.sh is even answering 502 Bad Gateway, though it's supposed to be the most used tool to check CT logs in the world.
So maybe, true for a few paranoid geeks who usually don't have any information of interest anyway, but not for the 99% others.
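As a defender's check on the point raised in this comment (a rogue renewal from the same CA looks like any other renewal), an added example that is not part of the thread: it reconciles a constructed CT feed against the fingerprints the operator's own ACME client recorded, so a certificate from the expected CA that nobody on the team requested is still flagged. The CtEntry schema, domains, issuer names and fingerprints are all constructed for the example.

```python
"""Reconcile Certificate Transparency records with the certificates our own ACME
client installed. Added example, not code from the thread: the CT records and the
inventory are constructed, and the CtEntry fields are an assumed schema."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:
    domain: str   # subject / SAN of the logged leaf certificate
    issuer: str   # issuing CA as recorded in the log
    sha256: str   # hex SHA-256 fingerprint of the logged leaf certificate

def fp(label: str) -> str:
    """Stand-in fingerprint for a constructed cert (a real monitor hashes the DER)."""
    return hashlib.sha256(label.encode()).hexdigest()

# Ground truth: fingerprints recorded when our ACME client installed each cert.
# Matching on these, not on the issuer name, is what makes a renewal from the
# same CA that we never requested stand out.
LOCAL_INVENTORY = {
    "www.example.org": {fp("ours-www-2025-07"), fp("ours-www-2025-09")},
    "mail.example.org": {fp("ours-mail-2025-08")},
}
EXPECTED_ISSUER = {"www.example.org": "Let's Encrypt", "mail.example.org": "Let's Encrypt"}

# Constructed CT feed: two certs we obtained, one from the expected CA that we
# never requested, and one from a CA we have never used.
SAMPLE_CT_FEED = [
    CtEntry("www.example.org", "Let's Encrypt", fp("ours-www-2025-07")),
    CtEntry("www.example.org", "Let's Encrypt", fp("ours-www-2025-09")),
    CtEntry("www.example.org", "Let's Encrypt", fp("not-ours-www-2025-09")),
    CtEntry("mail.example.org", "Some Other CA", fp("not-ours-mail-2025-09")),
]

def find_unexpected(feed, inventory, expected_issuer):
    """Return (entry, reason) for every logged cert we cannot account for. An
    issuer-only check would pass the third sample entry; the fingerprint catches it."""
    findings = []
    for e in feed:
        if e.domain not in inventory:
            findings.append((e, "domain-not-monitored"))
        elif e.issuer != expected_issuer.get(e.domain):
            findings.append((e, "unexpected-issuer"))
        elif e.sha256 not in inventory[e.domain]:
            findings.append((e, "not-in-local-inventory"))
    return findings

if __name__ == "__main__":
    for entry, reason in find_unexpected(SAMPLE_CT_FEED, LOCAL_INVENTORY, EXPECTED_ISSUER):
        print(f"{reason:24} {entry.domain:18} {entry.issuer:15} {entry.sha256[:16]}")
```

The inventory side is the part most setups lack: the ACME client's post-issuance hook is the natural place to record each new fingerprint.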
The big websites are openly sharing data to govs, so they are backdoored by definition, and they don't need to justify anything.
And the whole _point_ of the cert transparency log is that it only takes _one_ such instance to ruin the credibility of a CA.
The fact that you do that in public, and that it is _forever_, makes it very hard to do in the shadows.
They discovered that because they were monitoring the CT logs. And they were concerned about trademark issues. It ended up being one of the teams in "company-xyz" that had opened an account (under the company name, of course).
But that is just a small note that people _are_ monitoring those.
That does not mean they wouldn't shut it down.
Obviously the ACME protocol is open, but currently there are just 5 "free" providers using it (3 from the US and 2 from the EU), and nothing blocks anyone from having a US adversary implement a Let's Encrypt-like issuer. Although I have some doubts on whether that CA would get global trust in every browser. Is the Browser Forum following US sanctions? Can a CA managed by the Cuban or Iranian government enter the CA list trusted by Chrome, Safari or Firefox? I'm genuinely asking.
The only way to compete with Let's Encrypt and other free providers would be on features, like an unlimited number of renewals and guaranteed reliability.
Give me a break. This is your literal job description, something you should be able to do blind.
If any random FE developer can put a proxy in front of their servers so can you.
TLS was expensive. And insanely profitable. The sale of Thawte to Verisign was north of 600 million. (Back when 600 million was "a lot".) Since the marginal cost of making a cert is zero, it was a literal cash machine.
LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.
So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.
I can't say I'll mourn any of them.
Hundreds? Sure. Thousands? Maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way.
I just tried my (large, international) bank's website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.
But yeah, Safari is always one where I have trouble finding the cert; they are really hiding it.
That's how someone got an EV cert for Stripe (USA).
Steak isn’t delicious because, after I pee on it, people dislike the taste.
The concept of matching a real-world identity to a public key is very much intact outside the browser world.
Yes. A green address bar isn't meaningful verification UI. That is why no other platform uses green bars for verification.
And yes, the actual quality of the identity check is debatable, but since nobody cares, the utility of it is zero.
For example, when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?
> Buypass AS has a new owner. Total Specific Solutions (TSS) took over ownership with effect from October 16, 2024.
[0]: https://www.buypass.com/news/change-of-ownership-in-buypass-...