By default, the web is not secure: data travels in the clear unless the connection is protected with SSL/TLS. A long-standing obstacle to deploying Secure Sockets Layer/Transport Layer Security has been the cost of acquiring an SSL/TLS certificate from a known Certificate Authority (CA), but that changed in 2016, thanks to the efforts of Let’s Encrypt.
Let’s Encrypt is a non-profit effort that was announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. It exited its beta period in April 2016 and to date has issued more than 5 million free certificates.
In a video interview with eWEEK, Josh Aas, executive director of the Internet Security Research Group and leader of Let’s Encrypt, discusses the technology and security considerations behind the initiative.
All of the code that enables Let’s Encrypt to issue free certificates is open source. Additionally, Let’s Encrypt runs on its own hardware rather than on ephemeral cloud servers, a choice made for security reasons. For resiliency, Let’s Encrypt relies on the Akamai Content Delivery Network (CDN) to keep certificate status checks via OCSP (Online Certificate Status Protocol) highly available.
A key enabler for Let’s Encrypt’s ability to scale is the project’s widespread use of automation tools.
“We have been able to scale really well. It’s not actually resource-intensive in terms of CPUs to run this [Let’s Encrypt]; it’s more resource-intensive in terms of uptime and security,” Aas said.
One criticism that Let’s Encrypt has faced is that while it is making SSL/TLS certificates freely available to help secure the web, the service can also be abused by those with malicious intent. Aas commented that it’s an unfortunate truth that any technology that is made available for good security purposes could also be used for bad aims.
“For us to determine who is a phishing site is very difficult, and it’s a really hard problem,” Aas said.
Aas suggests that individuals report potential phishing sites via Google Safe Browsing, which, he said, is an effective approach to finding and blocking malware sites. Let’s Encrypt should not be in the business of policing websites for content, and simply revoking certificates isn’t enough, he added. That said, Let’s Encrypt’s certificates have a 90-day term before they need to be renewed, so a potentially mis-issued certificate would only have a limited lifespan.
“Our goal is to get certificates to everyone on the web,” Aas said.
It’s a mission that Let’s Encrypt is already making some headway toward. Aas noted that when Let’s Encrypt first began issuing certificates in December 2015, approximately 39.5 percent of page loads on the internet were encrypted. By August 2016, the number of encrypted page loads on the internet grew to approximately 46 percent.
“That’s a lot of data that got secured,” Aas said.
While Let’s Encrypt certificates are not responsible for the entire gain in encrypted web traffic, Aas is confident that Let’s Encrypt is having an impact. The certificates that Let’s Encrypt is granting are going to organizations that previously did not have SSL/TLS certificates from commercial vendors, he said.
“Well over 90 percent of the certificates we have issued have gone to people that didn’t have certificates before,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.