> Why do all the other CAs cost so much and take so long when the actual cert is generated in seconds?
I guess "so much" should be put in perspective: Domain Validation certificates, like the ones Let's Encrypt issue, are not really expensive - resellers typically offer them for something like $10/year. The more expensive certificates - OV and EV - involve some degree of manual verification of the information on the certificate (such as the company name). That's a large part of the cost.
But yeah, commercial CAs are (were?) money printing machines. Running Let's Encrypt costs about $3M/year, and they support >20M active certificates. Commercial CAs are going to have some marketing and support expenses, but the rest would be profit.
> Isn't that how it's supposed to work and LE is breaking the rules, thus living on borrowed time?
All CAs (should) follow the same set of rules - the Baseline Requirements. Let's Encrypt has had a pretty good track record so far - definitely better than some of the big commercial CAs like Symantec or Comodo.
> If it was possible to be so easy why no one else did it? What is the secret ingredient?
To be fair, they were not the first free CA - both StartSSL and WoSign offered free DV certificates (for non-commercial usage). Not the best examples, I suppose.
Cloudflare offered free SSL (via Comodo) for their customers as well, as does cPanel via AutoSSL. It's definitely viable, just took some time for people to care enough about encrypting the web to make it happen.
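The DV / OV / EV distinction above is something you can read straight off a certificate: a CA that follows the Baseline Requirements declares the validation level in the certificatePolicies extension (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV), and a DV certificate carries no organisation in its Subject because nothing about the organisation was verified. The following Go program is an added example written for this thread, not code from Let's Encrypt or any CA: it builds self-signed test certificates (constructed sample data) with a chosen policy OID and optional organisation, then classifies them and checks that the asserted level and the Subject agree. The `makeCert`, `ValidationLevel`, `ClaimsOrganisation` and `Consistent` names are the example's own. Useful for an inventory pass over your own certificates to see what the issuer actually claims to have verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs. A BR-compliant CA places one of these in the
// certificatePolicies extension to state the validation level it performed.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInformation is the minimal PolicyInformation SEQUENCE (no qualifiers).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// ValidationLevel returns "EV", "OV", "DV", or "unknown" when the certificate
// carries no CA/B Forum policy OID (private CAs, legacy certificates).
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV):
			return "EV"
		case p.Equal(oidOV):
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	return "unknown"
}

// ClaimsOrganisation reports whether the Subject names a company, which is the
// field that OV/EV verification exists to vouch for.
func ClaimsOrganisation(cert *x509.Certificate) bool {
	return len(cert.Subject.Organization) > 0
}

// Consistent checks that the asserted level matches the Subject contents:
// DV must not name an organisation, OV/EV must. Unknown levels are flagged.
func Consistent(cert *x509.Certificate) bool {
	switch ValidationLevel(cert) {
	case "DV":
		return !ClaimsOrganisation(cert)
	case "OV", "EV":
		return ClaimsOrganisation(cert)
	}
	return false
}

// makeCert builds a self-signed test certificate (constructed sample data, not a
// CA-issued certificate). A nil policy omits the certificatePolicies extension.
func makeCert(policy asn1.ObjectIdentifier, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if policy != nil {
		// Encode the extension by hand so the example works on any Go version.
		val, err := asn1.Marshal([]policyInformation{{Policy: policy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	samples := []struct {
		name   string
		policy asn1.ObjectIdentifier
		org    string
	}{
		{"dv-no-org", oidDV, ""},
		{"ov-with-org", oidOV, "Example Ltd"},
		{"dv-claims-org", oidDV, "Example Ltd"}, // mismatch: should not happen
	}
	for _, s := range samples {
		c, err := makeCert(s.policy, s.org)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s level=%-7s consistent=%v\n", s.name, ValidationLevel(c), Consistent(c))
	}
}
```

The classification relies on the policy OID because that is what the issuing CA asserts; the Subject check is the cross-check that catches certificates whose contents do not match the level claimed.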