Let’s Encrypt’s Public Beta–Panacea or Placebo?

In medicine, the very belief that you’re doing something to improve your medical condition has enormous efficacy. This is called the Placebo Effect. Most modern medicines can only dream of obtaining efficacy results on par with the Placebo Effect, so strong is it.

Not so in security. Doing something that you believe improves your condition when it actually doesn’t is truly dangerous because it sets up a false sense of security. And the result can be a decreased level of awareness.

Let’s Encrypt (LE), the open Certificate Authority (CA), entered public beta in December 2015, only slightly behind its projected schedule. Public beta means that the public at large, not just invitees, can use LE to issue themselves public key certificates.

In the first eight hours of the public beta, LE issued 10,000 certificates, or about one every three seconds. Clearly there’s demand for free certificates. The more than 500,000 certificates issued since then make LE one of the largest CAs in the world.

The demand for the free certificates from LE is coming from three sources. The first are the disgruntled customers of the existing CA industry. “As a customer, I hated my CA. I felt ripped off by the lot of them every time I had to renew my certs,” says John, a former CA industry customer who prefers to remain anonymous.

The second source of demand for LE’s free certificates are all the security-minded people who are spinning up new, low-value services on the Internet (bloggers). This group is in LE’s wheelhouse as well. The social applications are projects of love and there isn’t a lot of capital associated with them. So why protect them with an expensive extended validation certificate when they can just get a free one and go back to creating whatever it was they were creating?

The third group is the automation camp. One of LE’s strengths is that the only way to get a certificate issued is through automation with the Automatic Certificate Management Environment (ACME) protocol. People spinning up applications with Chef, Puppet, or Ansible like the idea of fetching a “real” certificate with a single script command.

“I’m excited by the notion that ACME takes off because of LE. As IoT takes off, having free de facto things like ACME become important.” – anonymous CA industry source

Actually, there’s a fourth group as well: cybercriminals looking to obtain valid certificates for rogue domains. As noted in SecurityWeek news, the first malicious sites using LE certificates were discovered shortly after the public beta started. Security researcher Ryan Hurst has pointed out that abusing certificate authorities is not a new phenomenon, so let’s accept that LE isn’t alone in this respect.

Unlike other CAs that issue certificates that don’t expire for years, LE is issuing short-lived certificates (90 days). All certificates are being published to the Certificate Transparency (CT) project, and you can see them at the site.

Yes, you see that right. They are all going to expire on March 8th.

Mass Certificate Expiration

This mass expiration could be worrisome. Sometime between now and March 8th, each of the 100,000 websites will need to renew their LE certificates. If 15% of those website operators forget to do it or lose interest in their little love project, then on March 8th, 15,000 sites will have expired certificates. Suppose that happens every quarter. After a couple of years there will be over 100,000 websites with expired LE certificates.

Users are going to be running into expired certificate warnings all over the place. After a while they are going to just start clicking through them. Expired certificate warnings will be the new car alarms—people hear them all the time, but no one does anything except ignore them. Certificate expiration warnings may lose efficacy.
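The practical defence against the expiration scenario above is a renewal monitor that flags a certificate before, not after, it lapses. The following Go program is an added example, not code from the article or from Let’s Encrypt: it builds a constructed self-signed certificate with the 90-day lifetime described above (issued 9 December 2015, so it expires on the article’s 8 March 2016) and reports days remaining, whether it has expired, and whether it is inside a renewal window. The 30-day window and the hostname are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckExpiry evaluates cert at the instant now and returns whole days until
// NotAfter (negative once expired), whether it has expired, and whether renewal
// should start because less than renewWindow remains (an assumed policy value).
func CheckExpiry(cert *x509.Certificate, now time.Time, renewWindow time.Duration) (daysLeft int, expired, shouldRenew bool) {
	remaining := cert.NotAfter.Sub(now)
	return int(remaining.Hours() / 24), !now.Before(cert.NotAfter), remaining <= renewWindow
}

// SelfSignedCert builds a constructed self-signed certificate with the 90-day
// lifetime the article describes. It is test data, not a real Let's Encrypt cert.
func SelfSignedCert(name string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Issued 9 Dec 2015, so NotAfter is 8 Mar 2016; checked 17 days before that date.
	cert, err := SelfSignedCert("blog.example.test", time.Date(2015, 12, 9, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	days, expired, renew := CheckExpiry(cert, time.Date(2016, 2, 20, 0, 0, 0, 0, time.UTC), 30*24*time.Hour)
	fmt.Printf("days left=%d expired=%v should renew=%v\n", days, expired, renew)
}
```

Run the check on a schedule against each deployed certificate; a site that reports `should renew=true` for weeks without the days-left figure resetting is one whose renewal automation has silently stopped.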

And that brings us back to the placebo effect. LE is supposed to increase overall Internet security by increasing the number of websites that have the ability to use HTTPS instead of HTTP. But right now, during the public beta, it may simply be that people believe it will work. Belief works for medicine, but not for security. One way or the other, we’ll know soon.
