News Of Heberdomaine: Computer Security: Let's Encrypt
Let's Encrypt is now the largest SSL certificate issuer for websites with 51.21% usage
With the growing number of attacks targeting websites, it goes without saying that one of the essential means of prevention against these hacks remains the adoption of security measures such as website encryption.
Let’s Encrypt, the certificate authority that launched its public services in 2015, offers tools in this direction with the provision of automated means for the installation and renewal of free certificates for the TLS encryption protocol. With these services, Let's Encrypt aims to offer a 100% secure web by allowing entities that have few financial and technical resources to use its services to secure their websites.
The Let's Encrypt certificate authority distributed a large volume of free certificates per day in 2016, sometimes exceeding 100,000 certificates per day. At the end of June 2017, the authority indicated that it had exceeded 100 million certificates since its launch in December 2015. Recall that in February 2017, Let's Encrypt was used by 13.70% of the total number of registered French domains.
To facilitate the deployment of its tools and further boost the adoption of its web security services, Let's Encrypt announced last July that it will offer "wildcard certificates" (generic certificates) starting in January 2018. According to the authority, these wildcard certificates are intended to secure any number of subdomains of a base domain. In other words, with these generic certificates, administrators will be able to use a single certificate and key pair for a domain and all its subdomains, and will no longer have to register a certificate individually for each web address, as is currently the case.
The authority explained that these generic certificates will be offered free of charge through version 2 of the ACME (Automated Certificate Management Environment) protocol. This protocol is the centerpiece of the service offered by Let’s Encrypt. It is the means by which Let's Encrypt interacts with its subscribers "so that they can obtain and manage certificates". It allows Let's Encrypt to ensure that the validation, issuance and management methods are fully automated, secure and in line with its expectations. With version 2, ACME can be easily used by other certification authorities and will become an IETF standard with technical improvements. In addition, the authority explained that the version 2 API of this protocol will coexist with version 1 until that first version reaches the end of its life cycle.
According to Josh Aas, Executive Director of ISRG, this will greatly facilitate the deployment and, beyond that, the adoption of HTTPS on the web. Indeed, having a single pair of encryption keys and a certificate for a domain and its subdomains is far easier to manage than having multiple certificates for different domains and subdomains.
Subsequent events may have proven him right. According to the NetTrack barometer, the certificates issued by Let's Encrypt represented 51.21% of market share in April 2018, far ahead of COMODO CA Limited, which occupies second place with 14.82%. GoDaddy.com comes third with 6.14%.
Recall that, despite the praise from privacy activists as well as those in the security community who came out to salute the efforts and achievements of the non-profit organization, some critics have sounded the alarm bell by warning that Let's Encrypt could be guilty of going too far, too fast, and delivering too much of a good thing without having the right checks and balances in place.
The main concern is that while the growth in SSL/TLS usage is a positive trend for the entire web ecosystem, it also gives criminals an easy way to facilitate website tampering, server impersonation and man-in-the-middle attacks, as well as a means of getting malware through the cracks of corporate firewalls.
"Unaware users might think they are communicating with trustworthy sites because the site's identity has been validated by a certificate authority, not realizing that these are just domain validation certificates with no guarantees as to the identity of the organization owning the site," said Asif Karel, director of product management at Qualys.
Of course, critics don't blame Let's Encrypt for these abuses, but they believe the authority could do a better job vetting applicants to weed out bad actors.