
Let's Encrypt Is Ending Expiration Notice Emails (arstechnica.com) 6

Let's Encrypt will stop sending expiration notice emails for its free HTTPS certificates starting June 4, 2025. From the report: Let's Encrypt is ending automated emails for four stated reasons, and all of them are pretty sensible. For one thing, lots of customers have been able to automate their certificate renewal. For another, providing the expiration notices costs "tens of thousands of dollars per year" and adds complexity to the nonprofit's infrastructure as they are looking to add new and more useful services.

If those were not enough, there is this particularly notable reason: "Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us." Let's Encrypt recommends using Red Sift Certificates Lite to monitor certificate expirations, a service that is free for up to 250 certificates. The service also points to other options, including Datadog SSL monitoring and TrackSSL.

  • by ls671 ( 1122017 ) on Wednesday February 05, 2025 @10:49PM (#65145891) Homepage

    Yeah anybody using letsencrypt got the notice already!

    I couldn't care less because any sane cronjob will send you an email for failed renewals.

    Apart from reducing load on their infrastructure, they are probably doing it to avoid their outgoing SMTP servers getting on DNS-based blacklists since sending emails is really a negligible load on our own infrastructure.

    That being said, we avoid sending emails as much as possible unless really required. For example, the "out in vacation" automatic replies some organizations send are a good way to get on blacklists since they can be used in amplification attacks.

    • How can a vacation auto-responder be used for an amplification attack? Any good one will reply to at most one sender, and it won't reply to that same sender for a few days to a week. And of course you should never auto-respond to anything that fails SPF or DKIM or looks otherwise dodgy, or is itself an automated message.

      But yeah, sending mail, especially large volumes of automated mail, is a pain.

      • by ls671 ( 1122017 )

        Yeah, this probably could be done right, but we just redirect the mail to people on vacation to somebody else so a human replies, thus eliminating all use case risks.
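The auto-responder rules listed in the reply above (at most one reply per sender per window, nothing to mail that fails SPF or DKIM, nothing to automated mail) can be written as one decision function. This is an added Python example, not code from the thread. The function names, the one-week window, the RFC 3834-style header checks and the reliance on an `Authentication-Results` header written by your own inbound MTA are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SUPPRESS_SECONDS = 7 * 24 * 3600  # assumed window: one reply per sender per week
_last_reply = {}                  # sender address -> time of last auto-reply

def _auth_pass(msg, method):
    """True if an Authentication-Results header reports <method>=pass.
    Assumes the inbound MTA strips forged copies of this header."""
    return any(re.search(rf"\b{method}=pass\b", v, re.I)
               for v in msg.get_all("Authentication-Results", []))

def is_automated(msg):
    """Signs that the message was itself machine-generated (RFC 3834 style)."""
    if msg.get("Auto-Submitted", "no").split(";")[0].strip().lower() != "no":
        return True
    if msg.get("Precedence", "").strip().lower() in {"bulk", "junk", "list"}:
        return True
    if msg.get("List-Id") or msg.get("X-Auto-Response-Suppress"):
        return True
    return msg.get("Return-Path", "").strip() == "<>"  # bounces have no sender

def should_auto_reply(raw, now):
    """Return (decision, reason) for one inbound message received at `now`."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return False, "no sender"
    if is_automated(msg):
        return False, "automated message"
    if not (_auth_pass(msg, "spf") and _auth_pass(msg, "dkim")):
        return False, "SPF/DKIM not passing"
    last = _last_reply.get(sender)
    if last is not None and now - last < SUPPRESS_SECONDS:
        return False, "already replied recently"
    _last_reply[sender] = now
    return True, "ok"

# Constructed sample messages; example.org and example.net are placeholders.
GOOD = ("From: Alice <alice@example.org>\n"
        "Authentication-Results: mx.example.net; spf=pass "
        "smtp.mailfrom=example.org; dkim=pass header.d=example.org\n"
        "Subject: hello\n\nHi\n")
SPOOFED = GOOD.replace("spf=pass", "spf=fail")
AUTO = GOOD.replace("Subject:", "Auto-Submitted: auto-replied\nSubject:")
```

Requiring both SPF and DKIM to pass is stricter than only rejecting explicit failures; it also drops mail that carries no authentication result at all.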

  • by Waccoon ( 1186667 ) on Wednesday February 05, 2025 @11:45PM (#65145953)

    From the RedSift.com web site:

    To find out why Let's Encrypt has endorsed Red Sift, sign up for an exclusive discussion with the Executive Director of Let's Encrypt, Josh Aas, and CEO and Co-Founder of Red Sift, Rahul Powar.

    Translation: Since Let's Encrypt values your privacy, they (for whatever reason) recommend you use a 3rd-party notification service that won't post any information publicly, so you have to create an account to know what you're getting yourself into.

    I hate the modern Internet.
