Ask HN: How can sending emails cost Let's Encrypt five figures?

7 comments

• gnabgib 2 days ago
  Let's Encrypt generates ~7M certs/day[0], a cert is only good for 90 days (~a quarter) so let's use 90 days as a window.

    7M/day * 90 = 620M/quarter
  

  So that's ~2.5B certs issued per year (knowing that these are often reissues, but you get the notification each time you approach the expiry).

  Assuming only one message (not what happens, you get more than one notice.. especially if you let it expire, you get at least two follow up messages) per cert:

    2.5B * $.1/1000 = $250K/yr
  

  Some users don't provide email addresses, some don't provide valid ones (doesn't mean their infra doesn't have to try to contact, at least for the first expiry), some use a renewal script that renews before the email (9 days prior to expiry I think?), some don't care to renew (I'm sure LE is used in throw away cases where they don't care to renew, but the 3+ emails were still dutifully sent).

  But for 1 email per issued cert it's > $20k/month to send these messages with SES pricing.

  There's also the TLS validity halving (well.. 90 days -> 47 days) looming, which in some way helps with the revocation servers, but would also double their (former) email costs. And then there's future proposals that would half or ever quarter that lifetime again (once again multiplying their email costs). At some point LE would just be an Amazon SES support system (like DVD-Netflix was for postal services).

  [0]: https://letsencrypt.org/stats/

  [-]
  • mike-cardwell 12 hours ago
    > 2.5B * $.1/1000 = $250K/yr

    Lets Encrypt doesn't send an email for every certificate that expires.

    > especially if you let it expire

    All certificates expire.
  • rrr_oh_man 2 days ago
    > some use a renewal script that renews before the email

    I'd like to challenge the "some" part. How many of those ~600M currently issued certs realistically don't get auto-renewed 30 days before expiration, except when it's one-off dev sites or legacy stuff? Last time I touched certbot that was the default I think (so I've never received a renewal email).

    edit: It sounds more like they've been getting fleeced by Mailchimp for tx email...
• codegeek 2 days ago
  You are only thinking of technology costs. What about Human cost to manage that email infrastructure ? Emails and their deliverability btw are always lot more work than you may think. I am not at all surprised that it costs them 10s and 1000s per year.
• toast0 2 days ago
  I maintained email servers as part of my job; mainly just getting inbound customer service emails, sending some auto-responses, and forwarding into a queue system. If I were working full time, I'd be getting at least $200k salary, probably ~ $300k employer cost with employer paid tax and insurance. Assuming the mail servers don't cost anything, $20k is ~ 6.6% of that, which is a little less than 11 hours a month. I could see mail taking that much time, especially if you look into reports of missing email. If you price in equipment, the hours available to tend the servers is even less.
• Magma7404 2 days ago
  I guess the volume is irrelevant. In other industries it would be the reliable automation and full security that cost a lot.
• is_true 2 days ago
  I guess the alternative could've been exchanging the service for an ad.

  Letting the sender service include a little ad in the notificaton.
• brudgers 2 days ago
  Doing things right costs much more than doing things that are probably good enough.

  Or to put it another way, on the back of a napkin expect the last 20% to cost 4x the first 80%. Or to put it another another way, 80% of Excel is not 80% of Excel if you get my point. Good luck.
• redwoodsec 2 days ago
  [dead]