Let’s Encrypt News: Can 1 Billion Certificates Protect Against Network Attackers?
March 9, 2020 | Anastasios Arampatzis

The last few days were full of mixed emotions for Let’s Encrypt, the pioneer in free certificate issuance. On the downside, the company made headlines for having to revoke 3 million certificates in less than 24 hours because of a bug in its Certificate Authority Authorization (CAA) code, a bug that could allow certificates issued while it was present to be abused.



Let’s Encrypt Issued their One Billionth Certificate

On the bright side, Let’s Encrypt announced on 27 February 2020 that they reached a milestone: they issued their one billionth certificate. The company has every reason to be proud of this achievement.

“In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody,” said Josh Aas, Executive Director, and Sarah Gran, VP of Communications, in a blog post.

One key factor behind the rapid adoption of Let’s Encrypt certificates is the ease of use of their ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. The protocol was standardized as RFC 8555 in 2019, which allows the Web community to confidently build a rich ecosystem of software on top of a stable specification.

“When you combine ease of use with incentives, that’s when adoption really takes off. Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” added the company executives in their message.


However, every rose has its thorn. As well as making it easier for legitimate users to improve security, issuing free certificates without the hassle of a complex process has made it simpler for cyber-criminals to hide their activities online. Criminals are getting more sophisticated, and they now use TLS certificates to obfuscate their movements.

As Kim Crawley wrote only recently, “Out of all the malware that made some kind of network connection during their infection process, about 23% communicated over HTTPS, either to send or receive data from the C2, or during installation when they may use HTTPS to conceal the fact that they are retrieving malicious payloads or components.” What does this mean? Simply put, many network security systems will fail to detect malware that uses TLS encryption to hide its traffic.

Multi-Perspective Domain Validation

This brings us to a second round of good news from Let’s Encrypt. The certificate provider announced on 19 February a new security feature that protects against network attackers. The feature is called multi-perspective domain validation, and it helps certificate authorities (CAs) confirm that an applicant controls the domain they want a certificate for.

Domain validation is a process that all CAs use to ensure that a certificate applicant controls the domain they want a certificate for. Typically, the domain validation process involves asking the applicant to place a file or token at a controlled location for the domain, such as a path or a DNS entry. Then the CA will check that the applicant was able to do so.

A potential issue with this process is that if a network attacker can hijack or redirect network traffic along the validation path (for the challenge request, or associated DNS queries), then the attacker can trick a CA into incorrectly issuing a certificate. This is precisely what a research team from Princeton demonstrated can be done with an attack on BGP.

With multi-perspective domain validation, instead of validating from a single network perspective, certificate applicants are validated from several remote network perspectives in addition to Let’s Encrypt’s own data centers. “This makes the kind of attack described earlier more difficult because an attacker must successfully compromise three different network paths at the same time (the primary path from our data center, and at least two of the three remote paths). It also increases the likelihood that such an attack will be detected by the Internet topology community,” explained Let’s Encrypt in their blog.
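The validation flow described in the three paragraphs above (the applicant publishes a token, the CA checks it, and under multi-perspective validation the primary check plus at least two of three remote checks must agree) can be modelled in a few lines. The following Python is an added illustration, not Let’s Encrypt’s code: the vantage-point names, the token values and what each vantage point "observes" are constructed for the example, and the real HTTP or DNS fetch is replaced by a table lookup so it runs offline.

```python
"""
Toy model of domain validation with a multi-perspective quorum.

Added illustration, not Let's Encrypt's code. Vantage point names, tokens
and the "observed" tables are constructed; a real CA would issue HTTP GETs
to /.well-known/acme-challenge/<token> (or DNS TXT lookups) from each location.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Challenge:
    domain: str   # domain the applicant wants a certificate for
    token: str    # value the applicant must publish under that domain


# A perspective returns the token observed for a challenge from one
# network location. Here it is a lookup into a constructed table.
Perspective = Callable[[Challenge], str]


def make_perspective(observed: Dict[str, str]) -> Perspective:
    """Build a perspective from a constructed {domain: token_seen} map."""
    def fetch(ch: Challenge) -> str:
        return observed.get(ch.domain, "")   # "" models an absent or failed fetch
    return fetch


@dataclass
class ValidationResult:
    issued: bool
    agreeing: List[str] = field(default_factory=list)     # perspectives that saw the token
    disagreeing: List[str] = field(default_factory=list)  # perspectives that did not


def validate(ch: Challenge, primary: Perspective,
             remotes: Dict[str, Perspective], remote_quorum: int = 2) -> ValidationResult:
    """
    Issue only if the primary perspective sees the expected token AND at
    least `remote_quorum` remote perspectives agree. With three remotes and
    remote_quorum=2 this is the "primary plus two of three" policy quoted in
    the post. Disagreeing perspectives are recorded so a split view can be
    logged and investigated rather than silently discarded.
    """
    result = ValidationResult(issued=False)
    if primary(ch) != ch.token:
        result.disagreeing.append("primary")
        return result            # primary failure is fatal; no remote check needed
    result.agreeing.append("primary")
    for name, fetch in remotes.items():
        bucket = result.agreeing if fetch(ch) == ch.token else result.disagreeing
        bucket.append(name)
    remotes_ok = len(result.agreeing) - 1   # exclude the primary
    result.issued = remotes_ok >= remote_quorum
    return result


REMOTE_NAMES = ("remote-a", "remote-b", "remote-c")   # constructed vantage points


def scenario_legitimate() -> ValidationResult:
    """Applicant really controls the domain: every path sees the token."""
    ch = Challenge("example.test", "tok-legit-1")
    seen = {"example.test": "tok-legit-1"}
    return validate(ch, make_perspective(seen),
                    {n: make_perspective(seen) for n in REMOTE_NAMES})


def scenario_one_remote_unreachable() -> ValidationResult:
    """Legitimate applicant, but one remote vantage point cannot reach the site."""
    ch = Challenge("example.test", "tok-legit-2")
    seen = {"example.test": "tok-legit-2"}
    remotes = {n: make_perspective(seen) for n in REMOTE_NAMES}
    remotes["remote-c"] = make_perspective({})      # fetch fails from that location
    return validate(ch, make_perspective(seen), remotes)


def scenario_single_path_misdirected() -> ValidationResult:
    """
    Only the route from the CA's primary data center is misdirected to a host
    serving the requester's token; the remote vantage points still reach the
    genuine site, which publishes nothing. Single-perspective validation would
    issue here; the quorum refuses and records the split for review.
    """
    ch = Challenge("example.test", "tok-unauthorised")
    primary = make_perspective({"example.test": "tok-unauthorised"})
    remotes = {n: make_perspective({}) for n in REMOTE_NAMES}
    return validate(ch, primary, remotes)


if __name__ == "__main__":
    for scenario in (scenario_legitimate, scenario_one_remote_unreachable,
                     scenario_single_path_misdirected):
        r = scenario()
        print(f"{scenario.__name__}: issued={r.issued} "
              f"agree={r.agreeing} disagree={r.disagreeing}")
```

The second scenario shows why the policy is a quorum rather than unanimity: a single unreachable vantage point must not block legitimate issuance. The third shows the detection angle the post mentions, since the recorded disagreement between the primary and the remotes is exactly the signal a CA can log and alert on.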

Commenting on this new security feature, Kevin Bocek, VP, Security Strategy & Threat Intelligence, Venafi, said that "It’s great to see Let’s Encrypt increase the level of validation they use to better demonstrate ownership and control of a domain. However, we know that tens of thousands of Let’s Encrypt certificates are used by cyber attackers every day to make their phishing attacks more credible.

It’s easy for many businesses to assume that if they don’t use Let’s Encrypt certificates this isn’t their problem, but that’s not the case. Attackers can still get a Let’s Encrypt certificate that looks like any domain in seconds. The only way to protect yourself is to have complete visibility over all the TLS certificates across the entire internet."

Do you have complete visibility across all your certificates? See how Venafi can help you.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
