Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Let’s Encrypt Issues First Live Digital Certificate

Open certificate authority (CA) Let’s Encrypt this week announced the release of its first free digital certificate, taking the world one step closer to making HTTPS implementations easy and free for domain owners.

Open certificate authority (CA) Let’s Encrypt this week announced the release of its first free digital certificate, taking the world one step closer to making HTTPS implementations easy and free for domain owners.

According to the authority, the newly released certificate is fully functional for all clients with the Internet Security Research Group (ISRG) root in their trust store, despite the fact that Let’s Encrypt’s cross signature will be in place only about one month from now. As soon as that happens, the certificates will work wherever the root propagates. The organization said that it submitted initial applications to the root programs for Mozilla, Google, Microsoft, and Apple on Monday.

The Let’s Encrypt initiative was proposed by the Electronic Frontier Foundation (EFF), but others have already joined forces with it, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, among others. Earlier this year, the Linux Foundation said it would host Let’s Encrypt to support a more secure Internet.

The goal is to encrypt websites and to serve them over Transport Layer Security (TLS), thus protecting user’s data from eavesdroppers. Let’s Encrypt aims at automating the process of obtaining security certificates so that website owners can easily obtain certificates.

“No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment,” the organization explains on its website.

“We’re thrilled to finally be a live CA. We’ll be working towards general availability over the next couple of months by issuing certificates to domains participating in our beta program,” Josh Aas, ISRG Executive Director, notes in a blog post

Ultimately, Let’s Encrypt should reduce the issues that prevent us from encrypting the web through having certificates automatically signed and through eliminating the fees associated with the process but won’t try to replace traditional certificate authorities. 

Advertisement. Scroll to continue reading.

However, there are those who believe that it would fail, and David Holmes has already explained why it might not make the Internet more trustworthy in a recent SecurityWeek column.

Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, however, believes that it will improve privacy and authentication online and that it will “increase the use of encryption across more of the web with free digital certificates, especially for small business and non-profits.”

“Let’s Encrypt joins CloudFlare in offering certificates at no cost. This is just one more step we’re seeing to improve privacy and authentication online. In the wake of the OPM breach, the US Federal Government will require agencies to use digital certificates and HTTPS on public websites by end of 2016. For all of us as customers, business partners, citizens, and employees, these are all great steps ahead,” Kevin Bocek said.

He also admits that the existence of a larger number of certificates and of more encryption involves new risks, as cybercriminals too will try to use a larger number of certificates to keep up, just as it has happened with the free certificates issued by CloudFlare. The use of more certificates in cyber-attacks will make it more difficult to decide who to trust.

“Second, the use of more encryption is creating more blind spots for threat protection systems. Gartner expects 50% of all network attacks to use SSL/TLS by 2017, but a scant few have deployed security controls like NGFW, IPS/IDS, behavioral analytics, network forensics and more, to look inside of encrypted traffic,” Bocek continues.

More and more cybercriminals are using certificates to appear trusted and to hide their actions inside encrypted traffic. Thus, Bocek says, the purpose of adding more encryption is countered and there is little chance that more free certificates could result in a more trustworthy Internet. Furthermore, Let’s Encrypt could make it more difficult to secure the enterprise, especially with large businesses using thousands of certificates. 

“We already see in large enterprises, up to a dozen or more certificates authorities (CAs) in use. Policy may say use one CA, but you’ll see everything from GoDaddy to country specific CAs. Another CA in use on the network adds more complexity and confusion for enterprises – what’s really trusted and who is in control? And, it makes it more difficult to get keys to security systems to decrypt traffic to detect threats that might be hiding. And, it makes it more challenging to respond to a CA compromise and develop a plan such as that suggested by NIST,” Bocek concludes.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

Funding/M&A

Identity and access governance vendor Saviynt has closed a $205 million financing round.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

ICS/OT

Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Identity & Access

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).