2017 was an incredible year for web encryption and the Let’s Encrypt program was a clear leader in this progress.
As Josh Aas, executive director for the Internet Security Research Group, recently wrote on the Let’s Encrypt blog: “[In 2017, We] more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million… Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year.”
Encryption is clearly valuable asset for many organizations and individuals. But its popularity has also made it a lucrative tool for cyber criminals, who use encryption to mask malicious behavior.
Let’s Encrypt recently discussed their initiatives for the new year. However, as we enter 2018, it’s important we promote encryption and understand it’s weaknesses at the same time. “It’s commendable how far Let’s Encrypt has come,” said Hari Nair, director of product management for Venafi. “They are well and truly on the way to fulfilling their mission: encrypting the web.”
Nair offered his insights into Let’s Encrypt’s 2018 positions. Overall, he is pleased with their progress, but urges caution with some of the goals:
ACME upgrade to version 2. “This is a good thing,” said Nair. “ACME v2 is targeted as an IETF standard, which will increase adoption. In addition, it is being developed with input from other CAs, as opposed to ACME v1, which was designed primarily for Let’s Encrypt. Overall, this will encourage other CAs to introduce themselves to ACME interfaces, leading to more certificates issued faster with some level of automation.”
“Venafi introduced ACME in our product portfolio last year, in both our on-premises and in-cloud products. With this initiative, enterprises can leverage this soon-to-be-standard without being tied into a single CA.”
Support for wild-carded certificates. “Let’s Encrypt has the right intentions, but I’m concerned this feature will be abused by consumers,” said Nair. “Wild-carded certificates can protect some TLS end-points and should only be used when a more secure alternative does not exist. Unfortunately, uninformed administrations can use them to revert to bad practices.”
“Ultimately, wild-carded certificates are a high value target for malicious actors, especially when they are not secured properly within hardware security modules (HSMs). As such, I’m not particularly comfortable with this goal from Let’s Encrypt.
The move to support full (end-to-end) ECDSA. “This is a fine position,” said Nair. “But, I doubt it will lead to any large-scale adoption of ECC. The reality is that ECC is arguably just as susceptible to quantum computing attacks as RSA. However, it may help with adoption of public key cryptography in resource-constrained environments, like IoT devices.”
“Overall, Let’s Encrypt’s success accelerates the commoditization of certificates,” concluded Nair. “Both Venafi and Let’s Encrypt place immense value in the protection of machine identities, I’m looking forward to what the next year brings.”