Certificate Changes

#1

Question: is it right that today certificate changed from COMODO to Let’s Encrypt? On a 3-month period? Is this related to the blog article?
I’m not a security expert, but I think it’s interesting because this has some implications: no verification any more that runbox is runbox (registered company); no dependency on some certificate company; possible downtime together with lots of sites if Let’s Encrypt is down.

Changes to TLS encryption security
#2

Hello. I’ve separated off your post as it isn’t related to the TLS changes we are making next month.

Yes, for some of our websites we are now using Let’s Encrypt. However, websites that previously had an Extended Validation certificate that provides proof that “Runbox is Runbox” will continue to have that.

#3

You mean: “some of our websites [and IMAP]”?

#4

Ah, OK, I see, the former IMAP certificate didn’t have an organisation name, so it isn’t validated that way. Wasn’t aware of that. [Sorry for potential cross-reply]

#5

That’s right. We decided to switch to Let’s Encrypt where we could because it is an initiative that we have wanted to support for quite some time. It is a cost-effective way of encouraging more people/organisations to secure their Internet services and therefore provide greater security and privacy.

#6

Hi Dave, is this page now up to date with the latest imap ssl key?
https://help.runbox.com/runbox-server-certificates/

#7

Hello. Yes, the page is now up to date.

#8

I wanted to respond to this. I don’t believe LetsEncrypt certificates have a dependency on an external service/certificate. Correct me if I’m wrong, but I believe they would not be as successful as they have been if they designed it with this single-point-of-failure.

I’ve been using LetsEncrypt certificates on my dozens of web servers for a couple of years now with great success. Never any downtime as a result of any external services.