AlwaysOnSSL – A free and automated CA

The lack of an obvious revenue source feels like the business equivalent of a code smell. Let&#x27;s Encrypt is clearly being run as a charity - with a list of sponsors that are paying for this.<p>No obvious revenue stream feels like it&#x27;s a recipe for something that&#x27;s going to go poof rather quickly.

This is a tragically insecure site already; the only thing keeping JS injection at bay is apparently regex matching for `script` in the id-verify page.<p>Note: it does not filter for SCRIPT. e.g.: <a href="https:&#x2F;&#x2F;alwaysonssl.com&#x2F;id-verify&#x2F;%3Ch1%3E%27%27%3B%21--%22%3CSCRIPT%3Ealert(%22lol%20what%22);%3C&#x2F;SCRIPT%3E%3D%26%7B%28%29%7D" rel="nofollow">https:&#x2F;&#x2F;alwaysonssl.com&#x2F;id-verify&#x2F;%3Ch1%3E%27%27%3B%21--%22%...</a>

&gt; We do not support ECC (Elliptic Curve Cryptography) at this time; but we work hard! We also do not support RSA keys &gt;2048 bit.<p>Hrm.

Interesting... This is the email I got when I requested an S&#x2F;MIME - Symantec - seriously?:<p>Dear customer,<p>Your order request for Symantec Digital ID for Secure Email(S&#x2F;MIME Class 1) for the email address christian@perspecta.ca is received.<p>You need to approve or reject the request using following URL:<p><a href="https:&#x2F;&#x2F;alwaysonssl.com&#x2F;id-verify&#x2F;GX5aT6H2vG8s-Td2CLOBBEREDCLOBBEREDRGnhhU_brYg7Lva-GPu2weViJk" rel="nofollow">https:&#x2F;&#x2F;alwaysonssl.com&#x2F;id-verify&#x2F;GX5aT6H2vG8s-Td2CLOBBEREDC...</a><p>For any further queries please visit:- www.symantec.com<p>This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.

Just signed up. Cert is valid for 12 months and is chained from DigiCert&#x27;s CA -- same as their website

1. who&#x27;s the root CA? the website itself seems to use digicert.<p>2. what&#x27;s the validation length?

How is this different from LetsEncrypt?

Whoa, interesting. Does this differ from LetsEncrypt?

No wildcards it looks like<p>REST API is nice though

I wonder if this is related to Symantec&#x27;s Encryption Everywhere program[1]?<p>[1] <a href="https:&#x2F;&#x2F;www.symantec.com&#x2F;about&#x2F;newsroom&#x2F;press-releases&#x2F;2016&#x2F;symantec_0315_01" rel="nofollow">https:&#x2F;&#x2F;www.symantec.com&#x2F;about&#x2F;newsroom&#x2F;press-releases&#x2F;2016&#x2F;...</a>

can i trust this?

A free and automated CA goes against exactly what a CA is supposed to be: someone you can trust. If you can&#x27;t trust the CA, then you can&#x27;t trust anything related to the CA. What&#x27;s the point in having this, besides the convenience of importing their untrustworthy CA key and then using https without getting warnings? I would rather use http.