Last week was a big one for non-profit digital certificate project Let’s Encrypt – it issued its billionth certificate. It’s a symbolic milestone that shows how important this free certificate service has become to web users.
Publicly announced in November 2014, Let’s Encrypt offers TLS certificates for free. These certificates are integral to the encryption used by HTTPS websites.
HTTPS is HTTP carried over the Transport Layer Security (TLS) protocol, which adds authentication and confidentiality. The server proves it holds the private key matching a certificate issued for the hostname you asked for, so your browser can be confident it isn't talking to an impostor that was slipped in by a DNS spoofing attack or a hostile network. TLS also encrypts everything passing between your browser and the web server, so someone snooping on your traffic can see which site you're connecting to but not what you're reading or sending.
Netscape created HTTPS in 1994, but 20 years later, in 2014, only a minority of websites used it. That's because it could be technically difficult to implement, it was time consuming and it cost money. There was too much friction. That's what Let's Encrypt set out to change.
The project is a non-profit effort from the Internet Security Research Group (ISRG), an organisation sponsored by a mixture of privacy advocates and those who benefit from making the online ecosystem healthier. The Electronic Frontier Foundation (EFF) is a sponsor, along with Cisco, Facebook, Google, the Internet Society (which houses the Internet Engineering Task Force or IETF), Mozilla, and French cloud service provider OVH.
The project issues free certificates that are valid for 90 days, after which they must be renewed. It isn't just the free nature of these certificates that has helped them flood the internet. The other key to the puzzle is automation. Let's Encrypt created a protocol called Automatic Certificate Management Environment (ACME). This is a challenge-response system: the client registers an account with the certificate authority, proves control of each domain by answering a challenge (for example by publishing a CA-supplied token at a well-known HTTP URL or in a DNS TXT record), and then requests, renews and revokes certificates, all without a human in the loop.
Version two of ACME was published as a proposed internet standard, RFC 8555, in March 2019 (did we mention that the IETF's parent organization is a sponsor?), giving it more credence still. There are various ACME clients, some of them packaged by major Linux distributions, that can configure Apache and nginx web servers and renew certificates from a scheduled job, so the whole process runs unattended.
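The HTTP-01 challenge at the heart of that exchange, as an added example that is not Let's Encrypt's, Certbot's or any ACME client's code: the CA side issues a token and later checks what the domain serves, the client side derives the key authorization from the token and the thumbprint of its account key (RFC 8555 section 8.1, RFC 7638). The network fetch is replaced by a dict standing in for the web root, and the account JWKs are constructed placeholders, not real keys. Note what passing the check does and does not prove: control of the hostname, nothing about the operator.

```python
"""ACME HTTP-01 challenge, both sides, with no network (RFC 8555 s8.1/s8.3, RFC 7638).

Added example; not Let's Encrypt, Certbot or any ACME client's code.
The account JWKs below are CONSTRUCTED placeholders, not real P-256 points.
"""
import base64
import hashlib
import json
import re
import secrets

# Constructed sample account keys (public part only). Only the member strings feed
# the thumbprint, so they need not be valid curve coordinates.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "ZmFrZS14LWNvb3Jk", "y": "ZmFrZS15LWNvb3Jk", "use": "sig"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "b3RoZXIteA", "y": "b3RoZXIteQ"}

_B64URL = re.compile(r"[A-Za-z0-9_-]+")
# RFC 7638: the members that go into the thumbprint, per key type.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required public members only, keys sorted, no whitespace."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)); ties the challenge answer to one ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def new_token() -> str:
    """CA side: fresh unguessable token (>= 128 bits of entropy), base64url alphabet, unpadded."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side: token '.' thumbprint, the exact bytes to serve for this challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """The well-known path the CA fetches over plain HTTP (port 80) on the domain."""
    return f"/.well-known/acme-challenge/{token}"


def validate_http01(token: str, account_jwk: dict, served_body: bytes) -> bool:
    """CA side: does the fetched body equal the expected key authorization?

    Passing proves only that whoever holds the account key can place content on that
    hostname. It says nothing about who operates the site or what it hosts.
    """
    if not _B64URL.fullmatch(token):  # reject anything outside the base64url alphabet
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    # RFC 8555 s8.3: the CA SHOULD ignore whitespace after the body (a trailing newline is common).
    body = served_body.rstrip(b" \t\r\n")
    return secrets.compare_digest(body, expected)


def run_exchange(account_jwk: dict, server_files: dict) -> dict:
    """Simulate the whole exchange; server_files (path -> bytes) stands in for the web root."""
    token = new_token()                                    # 1. CA creates the challenge
    path = challenge_path(token)
    answer = key_authorization(token, account_jwk)         # 2. client computes the key authorization
    server_files[path] = answer.encode("ascii") + b"\n"    #    ...and publishes it on the domain
    fetched = server_files.get(path, b"")                  # 3. CA fetches http://<domain><path>
    return {"token": token, "path": path, "valid": validate_http01(token, account_jwk, fetched)}


if __name__ == "__main__":
    result = run_exchange(ACCOUNT_JWK, {})
    print(result["path"], "->", "valid" if result["valid"] else "invalid")
```

In a real deployment the client also signs every ACME request with the same account key, which is why the thumbprint, and not just the token, goes into the answer: a CA fetching the path learns that the entity controlling the web root is the same one that asked for the certificate.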
Let’s Encrypt’s approach isn’t perfect. For one thing, it issues only domain-validated (DV) certificates, which check that the requester controls a domain, rather than extended validation (EV) certificates that go the extra mile to verify the legal identity of the organization behind it. A phishing site therefore gets a valid certificate as readily as a legitimate one, which has led to problems such as Let’s Encrypt’s automatic issuance to PayPal phishing sites.
This isn’t a mistake – it’s simply that the organization’s goal is to encrypt as many websites as possible rather than investigate their content, which it prefers to leave to others like Google. Eagle-eyed readers of today’s other stories will spot that the certificate issued on the Stripe phishing scam domain was also from Let’s Encrypt.
Thanks to this flood of free certificates, the web is a lot more encrypted than it was a few years ago. In June 2017, 58% of webpage loads were delivered over HTTPS, the project stated, adding that the number has grown to 81% today. That’s due in large part to free and automated certificate provisioning, but also to a firmer hand by web browser developers. Firefox now flags pages that don’t use HTTPS as insecure, while Chrome labels HTTP-only sites ‘Not secure’ and Google ranks them below HTTPS sites in search results.