Let's Encrypt, a free, automated, and open certificate authority (CA) run by the nonprofit Internet Security Research Group (ISRG), has said it has issued a billion certificates since its launch in 2015.
The CA issued its first certificate in September 2015, before eventually reaching 100 million in June 2017. Since late last year, Let's Encrypt has issued at least 1.2 million certificates each day.
The development comes as over 80 percent of web page loads worldwide now use HTTPS, and 91 percent in the US alone.
HTTPS, the default means of secure communication on the internet, comes with three benefits: authentication, integrity, and encryption. It allows HTTP requests to be transmitted over a secure encrypted channel, thus protecting users from an array of malicious activities, including site forgery and content manipulation.
"Since 2017, browsers have started requiring HTTPS for more features, and they've greatly improved the ways in which they communicate to their users about the risks of not using HTTPS," the company said. "When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS."
Launched with the goal of speeding up the web's encryption rate and bringing down the costs of enabling HTTPS, Let's Encrypt relies on the ACME (Automatic Certificate Management Environment) protocol, which it developed and which has since been standardized as RFC 8555. ACME offers an easy means to set up and issue TLS (commonly called SSL) certificates that can be renewed and replaced without manual intervention from webmasters.
The Electronic Frontier Foundation's Certbot is one such popular, free, open-source ACME client; it enables HTTPS on websites by automatically obtaining and deploying Let's Encrypt certificates, which are valid for only 90 days, and by managing their renewal.
But with bad actors abusing Let's Encrypt HTTPS certificates to mask malicious traffic and direct unsuspecting users to malicious sites, the organization has taken steps to "ensure that a certificate applicant actually controls the domain they want a certificate for." A domain-validated certificate attests only that the applicant controlled the domain name when it was issued, not that the site behind it is trustworthy, so the padlock alone says nothing about a site's intent.
Apple Takes a Significant Step Forward
But that's not all. Apple has managed to do what most CAs were hesitant to accomplish all this time: shorten the maximum validity of issued certificates to one year.
The tech giant recently announced that, for certificates issued on or after 1 September 2020, Safari will reject HTTPS certificates that expire more than 13 months (398 days) after their issuance date, effectively bringing the maximum certificate lifetime down from 825 days. Certificates issued before that date keep the older 825-day limit until they expire.
This follows a failed ballot held last September by the CA/Browser Forum to reduce certificate lifetimes. Although Let's Encrypt, certSIGN, Apple, Cisco, Google, Microsoft, Mozilla, and Opera voted in favor of the move, close to two-thirds of participating CAs rejected the idea.
Apple's move to shorten the lifespan of HTTPS certificates means that CAs like Let's Encrypt and ACME clients such as Certbot will only become more valuable going forward, as it forces website administrators to use certificates issued for one year or less, and therefore to renew far more often than a manual process comfortably allows.
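As an added example (not code from the article, Let's Encrypt, Certbot or Apple), the following Python script takes the two lines that `openssl x509 -noout -startdate -enddate` prints for a certificate, computes the validity period in days, applies the 398-day rule to certificates issued on or after 1 September 2020 (and the earlier 825-day limit to those issued before it), and checks whether a 90-day Let's Encrypt certificate is due for renewal. The three sets of certificate dates are constructed for the example, and the 30-day renewal threshold is an assumed policy rather than something the article states.

```python
from datetime import datetime, timedelta

# Constructed samples: the two lines `openssl x509 -noout -startdate -enddate`
# prints for a certificate. The dates are invented for this example.
LETSENCRYPT_DATES = """\
notBefore=Mar  1 00:00:00 2020 GMT
notAfter=May 30 00:00:00 2020 GMT
"""
TWO_YEAR_DATES = """\
notBefore=Oct  1 00:00:00 2020 GMT
notAfter=Jan  4 00:00:00 2023 GMT
"""
PRE_CUTOFF_DATES = """\
notBefore=Aug 15 00:00:00 2020 GMT
notAfter=Nov 18 00:00:00 2022 GMT
"""

SAFARI_CUTOFF = datetime(2020, 9, 1)   # rule applies to certs issued on or after this
SAFARI_MAX_DAYS = 398                  # 13-month cap announced by Apple
LEGACY_MAX_DAYS = 825                  # previous maximum, still valid for older certs
RENEW_WITHIN_DAYS = 30                 # assumed renewal policy, not from the article


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) parsed from openssl's -startdate/-enddate output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # openssl pads single-digit days with two spaces; collapse the whitespace
        # so strptime sees "Mar 1 ..." rather than "Mar  1 ...".
        fields[key.strip()] = datetime.strptime(
            " ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before, not_after):
    """Validity period in whole days, which is how the 398-day rule counts it."""
    return (not_after - not_before).days


def max_lifetime_for(not_before):
    """825 days for certs issued before the cutoff, 398 days from the cutoff on."""
    return SAFARI_MAX_DAYS if not_before >= SAFARI_CUTOFF else LEGACY_MAX_DAYS


def safari_accepts(not_before, not_after):
    """True when the certificate's lifetime is within the limit for its issue date."""
    return lifetime_days(not_before, not_after) <= max_lifetime_for(not_before)


def should_renew(not_after, now, renew_within_days=RENEW_WITHIN_DAYS):
    """True once fewer than renew_within_days remain (or the cert has already expired)."""
    return not_after - now < timedelta(days=renew_within_days)


def audit(openssl_output, now_iso):
    """Summarise one certificate at the instant given as an ISO-8601 string."""
    not_before, not_after = parse_openssl_dates(openssl_output)
    now = datetime.fromisoformat(now_iso)
    return {
        "lifetime_days": lifetime_days(not_before, not_after),
        "max_allowed_days": max_lifetime_for(not_before),
        "safari_ok": safari_accepts(not_before, not_after),
        "days_left": (not_after - now).days,
        "renew_now": should_renew(not_after, now),
    }


if __name__ == "__main__":
    for name, text in [("letsencrypt 90-day", LETSENCRYPT_DATES),
                       ("two-year, issued after cutoff", TWO_YEAR_DATES),
                       ("two-year, issued before cutoff", PRE_CUTOFF_DATES)]:
        print(name, audit(text, "2020-11-01T00:00:00"))
```

Run against a live certificate by piping `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -startdate -enddate` into `parse_openssl_dates`; the point to notice is that a two-year certificate issued in October 2020 is rejected while an identical one issued in August 2020 is still accepted, because the rule keys on the issue date, not on when the check runs.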
How Do Short-Lived Certificates Increase Security?
Capping certificate lifetimes improves website security, not least because it shortens the window in which a forgotten or stolen certificate (and the private key behind it) stays usable for phishing and malware attacks, and because each renewal forces domain control to be validated again.
Secondly, mobile versions of Chrome and Firefox do not proactively check certificate status, meaning a website whose certificate has been revoked will still load without any warning to the user. This is for performance reasons: browsers would otherwise have to download certificate revocation lists (CRLs), which can be quite large, or make a blocking status query on every connection, slowing page loads.
Instead, Chrome uses CRLSets to "block certificates in emergency situations," while Mozilla has been experimenting with CRLite in its nightly builds.
Aside from these techniques, the Firefox maker has also announced technical specifications for a new cryptographic protocol called "Delegated Credentials for TLS," which "allows companies to take partial control over the process of signing new certificates for themselves—with a validity period of no longer than 7 days and without entirely relying on the certificate authority."
It goes without saying that Apple's decision to cut certificate lifetimes is a significant step forward for security. And if it helps proactively prevent users from connecting to compromised websites, it can only be a good thing.
via https://www.aiupnow.com, by Ravie Lakshmanan and Khareem Sudlow