Machine identities are vital to securing the web, and TLS certificates are one of the most common kinds of machine identity. A certificate lets a client, such as the browser on your PC or phone, verify that the machine it is connecting to, such as a web server, is the one it claims to be before the two set up an encrypted session. The predecessor to Transport Layer Security (TLS), Secure Sockets Layer (SSL), was deprecated by the Internet Engineering Task Force in 2015. TLS secures not only the web but also email, Voice over Internet Protocol, and many other internet services. For now, though, I’m going to focus on the web.
HTTPS is the encrypted web protocol. It originally ran over SSL, but now it uses TLS. I remember using the web in the 1990s; Mosaic was my first web browser. Back then, you’d pretty much only see HTTPS in your browser’s address bar when you were transmitting sensitive financial information, such as entering your credit card number at an online retailer or logging in to your bank. Today, it’s well understood that as much of the web as possible should be encrypted. A man-in-the-middle who can read your cleartext web traffic can also alter it, so an attack on any of your web traffic could put your endpoints and the servers you connect to at risk, even when the data itself is relatively innocuous.
Google has played an instrumental role in pushing the web from HTTP (cleartext) to HTTPS. Starting with Chrome 68, released in July 2018, every HTTP page is marked “Not secure” in the address bar. And because Google handles the majority of web searches, it has used its position to treat HTTPS as a ranking signal, so HTTP pages rank below comparable HTTPS pages. The incentive to serve all of your web pages and web apps over HTTPS is clear, even if you don’t care about cybersecurity: you don’t want browsers telling your users that your content isn’t secure, and you want your pages to rank as high in Google Search as possible!
So, Google played a clear role in the growth of HTTPS and TLS certificate use. But another organization also had a noticeable effect on the explosion of machine identities on the web. That’s Let’s Encrypt!
Let’s Encrypt began issuing certificates as a Certificate Authority in 2015. A CA is a trusted third party: by signing a certificate, it vouches that whoever holds the matching private key has proved control of the domain names in it, which is what lets a browser trust a server it has never met before. DigiCert and Sectigo are two very widely used CAs. However, using a CA’s services and deploying TLS certificates has not always been cheap. To remove that price barrier, Let’s Encrypt offers domain-validated certificates for free. Many organizations found deploying TLS certificates too expensive until Let’s Encrypt entered the field; now, even an entity with little money can feasibly secure its website with TLS and HTTPS. The possibility of deploying TLS certificates for free clearly helped drive the growth of HTTPS, and that’s great for everyone who uses the web.
The University of Michigan recently interviewed their faculty member J. Alex Halderman, who happens to be a co-founder of Let’s Encrypt. He talked about the importance of HTTPS.
“When HTTPS was invented in the 1990s, it was intended mostly for credit card transactions and online banking. But since then, the internet has become a much more dangerous place. Edward Snowden showed us that governments were surveilling traffic on a global scale. We've also seen instances where governments and others have changed internet traffic to attack the user's computer, or to use their computer to attack third parties.
So today, encryption is important not just for financial transactions but for all online communications. That's why it's important to make it accessible to every website operator, and Let's Encrypt is doing just that. It has been particularly good at driving HTTPS adoption on smaller websites that don't have the resources to get a certificate through the traditional process.”
And how is Let’s Encrypt able to provide TLS certificates for free?
“First, Let's Encrypt is non-profit and is funded mostly by donations from large tech companies. That's different from most certificate authorities. Secondly, and maybe counterintuitively, making certificates free dramatically reduces the cost of issuing them. Payment is a big source of friction that makes the process much harder to automate.
So once you remove that friction, certificates become much simpler to issue. Once we simplified the process, we were able to automate it by building a software system called the ACME protocol. ACME lowers the cost of each certificate Let's Encrypt issues to a fraction of a cent.”
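Halderman mentions ACME as the automation that makes free issuance cheap. To make that concrete, here is an added example (mine, not code from the original article or from Let’s Encrypt’s own software) of the one piece of ACME every deployment touches: the HTTP-01 challenge from RFC 8555, section 8.1. The CA hands the client a token; the client must serve the string `token.thumbprint`, where the thumbprint is the RFC 7638 JWK thumbprint of its account key, at `http://<domain>/.well-known/acme-challenge/<token>`; the CA fetches that URL and checks that the body matches. Both sides of that exchange are shown below. The account key and the token are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// rsaJWKThumbprint implements RFC 7638 for an RSA public key: SHA-256 over
// the JSON {"e":"...","kty":"RSA","n":"..."} with the members in
// lexicographic order and no whitespace, then base64url without padding.
func rsaJWKThumbprint(pub *rsa.PublicKey) string {
	// Struct field order fixes the member order; json.Marshal emits no
	// whitespace, and base64url output contains nothing JSON would escape.
	jwk := struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		Kty: "RSA",
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
	}
	b, _ := json.Marshal(jwk) // plain strings only: Marshal cannot fail here
	sum := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// keyAuthorization is RFC 8555 section 8.1: token || "." || thumbprint.
// The ACME client writes this string to
// http://<domain>/.well-known/acme-challenge/<token> for an HTTP-01 challenge.
func keyAuthorization(token string, accountKey *rsa.PublicKey) string {
	return token + "." + rsaJWKThumbprint(accountKey)
}

// validateHTTP01 is the CA side: the body it fetched from the domain must
// equal the key authorization for the account key that requested the order.
// That binds "controls this domain" to "holds this account key"; a body
// copied from someone else's challenge fails because the thumbprint differs.
func validateHTTP01(fetchedBody, token string, accountKey *rsa.PublicKey) bool {
	return fetchedBody == keyAuthorization(token, accountKey)
}

// generateAccountKey makes a fresh RSA account key for the example. ACME also
// allows ECDSA account keys; their thumbprint uses the crv/kty/x/y members.
func generateAccountKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	// Constructed example data: a fresh account key and a token in the shape
	// the CA would normally send inside the challenge object.
	accountKey := generateAccountKey()
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	body := keyAuthorization(token, &accountKey.PublicKey)
	fmt.Println("serve at /.well-known/acme-challenge/" + token + ":")
	fmt.Println(body)
	fmt.Println("CA validation:", validateHTTP01(body, token, &accountKey.PublicKey))
}
```

Note what is and is not secret here: the token and the thumbprint are both public, so a plain string comparison is fine. What the exchange proves is that whoever can publish on the domain also controls the private half of the account key, and only that account key can later sign the order that receives the certificate.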
In 2016, roughly 40% of websites were delivered through HTTPS. Now, in 2019, a whopping 80% of all websites are delivered through HTTPS. That’s great: encrypting more and more of the web benefits everyone except cyber attackers! But I don’t think any advantage is without disadvantages...
Here’s the disadvantage of the growth of machine identities on the web: they become harder to manage and keep track of. The certificate itself is public; what you must protect is the private key that goes with it. If you lose track of your certificates and of the servers, containers and build systems that hold their keys, and an attacker obtains one of those private keys, they can pretend to be your organization on the web for as long as that certificate is valid and unrevoked, and use it to perform man-in-the-middle attacks on the sessions between your users and your web servers. Stray certificates cause quieter problems too: one nobody remembers expires unnoticed and takes a service down, or keeps a weak key in production long after the rest of the fleet has moved on.
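Keeping track starts with an inventory: collect every certificate you serve and score each one against a few rules. As an added example (mine, not code from the original article or from any product it mentions), the Go program below parses a PEM bundle of certificates and flags the conditions discussed above: already expired, expiring within 30 days, RSA key shorter than 2048 bits, and no DNS subject alternative names (modern browsers ignore the Common Name, so such a certificate fails name matching). The three certificates it inspects are constructed and self-signed inside the program so that it runs offline; a real inventory would pull them from servers, load balancers and secret stores instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one row of a machine-identity inventory.
type CertRecord struct {
	Subject  string
	SANs     []string
	NotAfter time.Time
	KeyAlgo  string
	Findings []string // empty means the certificate passed every rule
}

// inventory parses every CERTIFICATE block in a PEM bundle and assesses
// each one against the rules in assess, evaluated as of `now`.
func inventory(pemData []byte, now time.Time) ([]CertRecord, error) {
	var records []CertRecord
	for {
		var block *pem.Block
		block, pemData = pem.Decode(pemData)
		if block == nil {
			return records, nil
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM objects stored in the same bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		records = append(records, assess(cert, now))
	}
}

// assess applies three rules: key strength, expiry horizon, SAN presence.
func assess(cert *x509.Certificate, now time.Time) CertRecord {
	rec := CertRecord{Subject: cert.Subject.CommonName, SANs: cert.DNSNames, NotAfter: cert.NotAfter}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		rec.KeyAlgo = fmt.Sprintf("RSA-%d", pub.N.BitLen())
		if pub.N.BitLen() < 2048 {
			rec.Findings = append(rec.Findings, "weak RSA key (<2048 bits)")
		}
	case *ecdsa.PublicKey:
		rec.KeyAlgo = "ECDSA-" + pub.Curve.Params().Name
	default:
		rec.KeyAlgo = fmt.Sprintf("%T", pub)
	}
	switch {
	case now.After(cert.NotAfter):
		rec.Findings = append(rec.Findings, "expired")
	case cert.NotAfter.Sub(now) < 30*24*time.Hour:
		rec.Findings = append(rec.Findings, "expires within 30 days")
	}
	if len(cert.DNSNames) == 0 {
		rec.Findings = append(rec.Findings, "no DNS SANs (browsers ignore the CN)")
	}
	return rec
}

// mint creates a self-signed certificate for the example and returns it
// PEM-encoded. Constructed test data only, not how a CA issues certificates.
func mint(cn string, sans []string, notAfter time.Time, key crypto.Signer) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// auditSample builds a constructed bundle of three certificates (one healthy,
// one expiring soon on a weak key, one expired with no SANs) and inventories it.
func auditSample() ([]CertRecord, error) {
	now := time.Now()
	good, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weak, _ := rsa.GenerateKey(rand.Reader, 1024)
	old, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var bundle []byte
	bundle = append(bundle, mint("www.example.com", []string{"www.example.com", "example.com"}, now.AddDate(0, 6, 0), good)...)
	bundle = append(bundle, mint("api.example.com", []string{"api.example.com"}, now.AddDate(0, 0, 10), weak)...)
	bundle = append(bundle, mint("legacy.example.com", nil, now.AddDate(0, -1, 0), old)...)
	return inventory(bundle, now)
}

func main() {
	records, err := auditSample()
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-20s %-12s %s %v\n", r.Subject, r.KeyAlgo, r.NotAfter.Format("2006-01-02"), r.Findings)
	}
}
```

The inventory deliberately works from the certificates alone, which are public, so it can be run from a scanner that never touches a private key. Whether a key has leaked is a separate question; the point of the table is that you cannot rotate, revoke or renew a certificate you do not know you have.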
“The explosion in the number and type of machines creates exciting opportunities for organizations. However, it also creates risks. Organizations must be able to identify, authenticate, and secure all the machines as well as their communication with other machines across the IT environment. That's difficult when devices and applications converse across multiple network ecosystems.
Ultimately, organizations can't manage this process manually. The only way organizations can ensure secure machine-to-machine communication at machine speed is by automating the process of identifying and remediating the identities of their machines.”
So, your organization should use whichever certificate authority works best for your needs, whether that’s Let’s Encrypt, GlobalSign, Entrust, or something else. But if you can’t manage your machine identities properly, all of that work encrypting your websites and web apps counts for very little. I could have the best door locks and the best keys to open them, but if I keep dropping those keys all over the city with my home address on them, I’m likely to come home to a burglarized apartment. Machine identities have their “home address” on them too: the certificate names the exact domains it is valid for, so a leaked private key tells the thief precisely which door it opens.