An initiative to encourage more websites to encrypt connections by offering free digital certificates has today exited beta, six months on from the initial launch — the idea behind Let’s Encrypt being to lend an automated hand to smaller websites that might not have the resources to go about achieving public-key certification on their own.
In the six months since the initiative got up and running Mozilla, one of the organizations backing the push — which are gathered under the umbrella moniker of the Internet Security Research Group (ISRG) — says it has issued more than 1.7 million certificates, helping shift some 2.4 million domain names onto secure HTTPS connections. WordPress being a recent addition.
And while millions more encrypted connections sounds like progress, in reality it’s rather a drop in the ocean of unsecured online content — with only a minority (40 per cent) of page views encrypted as of December 2015, according to Mozilla, and just 65 per cent of online transactions using the secure Internet protocol HTTPS.
“A mix of people and organizations use Let’s Encrypt. Many individuals and smaller entities use it, but quite a few larger organizations such as WordPress.com, OVH, Akamai and Dreamhost use it as well. It’s especially nice to see services like Dreamhost and Automattic opting to secure all their customers at once, which is something that Let’s Encrypt really enables,” says Mozilla.
“We know that Let’s Encrypt certificates are especially appealing to organizations who have so far found it too inconvenient or expensive to get a certificate. That’s why 90% of the certificates that are being issued are to domains that have never had them before.”
Alongside Mozilla, other organizations involved in the ISRG include Cisco, Akamai, the Electronic Frontier Foundation and IdenTrust. The group also lists a raft of sponsors on its website, including Chrome and Facebook.
As well as the obvious privacy risks to user data from unsecured web connections, from hackers or other types of snoopers, Google has also said it intends to flag unsecured connections in its popular Chrome browser — thereby potentially discouraging users from surfing to non-HTTPS websites in the first place, and providing a self-interested incentive to shift websites onto secure connections.
While Let’s Encrypt has the clear(ly worthy) goal of helping lock down more Internet connections, the free system has itself not been immune to abuse — as noted by security firm Trend Micro, which earlier this year found malvertisers had used a ‘domain shadowing’ technique to insert a redirect to a site hosting a banking trojan by creating a subdomain under a domain certified using Let’s Encrypt.
“Any technology that is meant for good can be abused by cybercriminals, and digital certificates like those of Let’s Encrypt’s is no exception, noted Trend Micro. “A certificate authority that automatically issues certificates specific to these subdomains may inadvertently help cybercriminals, all with the domain owner being unaware of the problem and unable to prevent it.”
“Users should also be aware that a “secure” site is not necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited,” Trend Micro added.