Open certificate authority (CA) Let’s Encrypt this week announced the release of its first free digital certificate, taking the world one step closer to making HTTPS implementations easy and free for domain owners.
According to the authority, the newly released certificate is fully functional for all clients with the Internet Security Research Group (ISRG) root in their trust store, despite the fact that Let’s Encrypt’s cross signature will be in place only about one month from now. As soon as that happens, the certificates will work wherever the root propagates. The organization said that it submitted initial applications to the root programs for Mozilla, Google, Microsoft, and Apple on Monday.
The Let’s Encrypt initiative was proposed by the Electronic Frontier Foundation (EFF), but others have already joined forces with it, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, among others. Earlier this year, the Linux Foundation said it would host Let’s Encrypt to support a more secure Internet.
The goal is to encrypt websites and to serve them over Transport Layer Security (TLS), thus protecting user’s data from eavesdroppers. Let’s Encrypt aims at automating the process of obtaining security certificates so that website owners can easily obtain certificates.
“No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment,” the organization explains on its website.
“We’re thrilled to finally be a live CA. We’ll be working towards general availability over the next couple of months by issuing certificates to domains participating in our beta program,” Josh Aas, ISRG Executive Director, notes in a blog post.
Ultimately, Let’s Encrypt should reduce the issues that prevent us from encrypting the web through having certificates automatically signed and through eliminating the fees associated with the process but won’t try to replace traditional certificate authorities.
However, there are those who believe that it would fail, and David Holmes has already explained why it might not make the Internet more trustworthy in a recent SecurityWeek column.
Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, however, believes that it will improve privacy and authentication online and that it will “increase the use of encryption across more of the web with free digital certificates, especially for small business and non-profits.”
“Let’s Encrypt joins CloudFlare in offering certificates at no cost. This is just one more step we’re seeing to improve privacy and authentication online. In the wake of the OPM breach, the US Federal Government will require agencies to use digital certificates and HTTPS on public websites by end of 2016. For all of us as customers, business partners, citizens, and employees, these are all great steps ahead,” Kevin Bocek said.
He also admits that the existence of a larger number of certificates and of more encryption involves new risks, as cybercriminals too will try to use a larger number of certificates to keep up, just as it has happened with the free certificates issued by CloudFlare. The use of more certificates in cyber-attacks will make it more difficult to decide who to trust.
“Second, the use of more encryption is creating more blind spots for threat protection systems. Gartner expects 50% of all network attacks to use SSL/TLS by 2017, but a scant few have deployed security controls like NGFW, IPS/IDS, behavioral analytics, network forensics and more, to look inside of encrypted traffic,” Bocek continues.
More and more cybercriminals are using certificates to appear trusted and to hide their actions inside encrypted traffic. Thus, Bocek says, the purpose of adding more encryption is countered and there is little chance that more free certificates could result in a more trustworthy Internet. Furthermore, Let’s Encrypt could make it more difficult to secure the enterprise, especially with large businesses using thousands of certificates.
“We already see in large enterprises, up to a dozen or more certificates authorities (CAs) in use. Policy may say use one CA, but you’ll see everything from GoDaddy to country specific CAs. Another CA in use on the network adds more complexity and confusion for enterprises – what’s really trusted and who is in control? And, it makes it more difficult to get keys to security systems to decrypt traffic to detect threats that might be hiding. And, it makes it more challenging to respond to a CA compromise and develop a plan such as that suggested by NIST,” Bocek concludes.
