Let's Encrypt Issued A Billion Free SSL Certificates in the Last 4 Years #Security - The Entrepreneurial Way with A.I.

Friday, February 28, 2020

Let's Encrypt, a free, automated, and open certificate authority (CA) run by the nonprofit Internet Security Research Group (ISRG), has said it has issued a billion certificates since its launch in 2015.

The CA issued its first certificate in September 2015, before eventually reaching 100 million in June 2017. Since late last year, Let's Encrypt has issued at least 1.2 million certificates each day.

The development comes as over 80 percent of web page loads worldwide now use HTTPS, and 91 percent in the US alone.

HTTPS, the default means of secure communication on the internet, comes with three benefits: authentication, integrity, and encryption. It allows HTTP requests to be transmitted over a secure encrypted channel, thus protecting users from an array of malicious activities, including site forgery and content manipulation.

"Since 2017, browsers have started requiring HTTPS for more features, and they've greatly improved the ways in which they communicate to their users about the risks of not using HTTPS," the company said. "When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS."

Launched with the goal of speeding up the web's encryption rate and bringing down the costs of enabling HTTPS, Let's Encrypt's ACME (Automatic Certificate Management Environment) protocol offers an easy means to set up and issue SSL certificates that can be renewed and replaced without manual intervention from webmasters.

The Electronic Frontier Foundation's Certbot is one such popular open-source, free-to-use ACME client that enables HTTPS on websites by automatically deploying Let's Encrypt certificates — which are valid only for 90 days — and managing renewals.

But with bad actors abusing Let's Encrypt HTTPS certificates to mask malicious traffic and direct unsuspecting users to malicious sites, the company has taken steps to "ensure that a certificate applicant actually controls the domain they want a certificate for."

Apple Takes a Significant Step Forward

But that's not all. Apple has managed to do what most CAs were hesitant to accomplish all this time: shorten the maximum validity of issued certificates to one year.

The tech giant recently announced that starting 1st September 2020, Safari will reject new HTTPS certificates that expire more than 13 months (or 398 days) from their creation date, effectively bringing down the maximum certificate lifetime from 825 days.
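As an added illustration (not code from the article, Apple or Let's Encrypt), the 398-day rule can be checked from a parsed certificate's validity window. The Go snippet below builds a constructed self-signed certificate (placeholder name example.test) for a given number of days and reports whether a client applying the cap would accept it; certificates issued before the 1 September 2020 cutoff are treated as exempt, as the article's wording "new HTTPS certificates" implies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MaxLifetime is the 398-day (13-month) cap the article says Safari
// enforces for certificates issued on or after 1 September 2020.
const MaxLifetime = 398 * 24 * time.Hour
var policyStart = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)

// CheckLifetime returns the certificate's validity period and whether a
// client applying the 398-day rule would accept it (pre-cutoff certs pass).
func CheckLifetime(cert *x509.Certificate) (time.Duration, bool) {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if cert.NotBefore.Before(policyStart) {
		return lifetime, true
	}
	return lifetime, lifetime <= MaxLifetime
}

// SelfSigned builds a throwaway self-signed certificate (constructed test
// data, not a real CA-issued certificate) valid for the given number of days.
func SelfSigned(notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // placeholder
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so times come from the DER
}
```

Running CheckLifetime over 90-, 398- and 825-day certificates issued in October 2020 accepts the first two and rejects the last, which is the old maximum the article mentions.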

This follows a failed ballot held last September by the CA/Browser Forum to reduce certificate lifetimes. Although Let's Encrypt, certSIGN, Apple, Cisco, Google, Microsoft, Mozilla, and Opera voted in favor of the move, close to two-thirds of participating CAs rejected the idea.

Apple's move to shorten the lifespan of HTTPS certificates means that CAs like Let's Encrypt and ACME clients such as Certbot will only become more valuable going forward, as it forces website administrators to use certificates issued for one year or less.

How Do Short-Lived Certificates Increase Security?

Capping certificate lifetimes improves website security, not least because it reduces the possibility of criminals stealing neglected certificates to mount phishing and malware attacks.

Secondly, mobile versions of Chrome and Firefox do not proactively check certificate status, meaning that a website whose certificate has been revoked will still load without any warning to the user.

This is for performance reasons: browsers would otherwise have to download certificate revocation lists (CRLs) that can be quite large, slowing page loads.

Instead, Chrome uses CRLSets to "block certificates in emergency situations," while Mozilla has been experimenting with CRLite in its nightly builds.

Aside from these techniques, the Firefox maker has also announced technical specifications for a new cryptographic protocol called "Delegated Credentials for TLS," which "allows companies to take partial control over the process of signing new certificates for themselves—with a validity period of no longer than 7 days and without entirely relying on the certificate authority."

It goes without saying that Apple's decision to cut certificate lifetimes is a significant step forward for security. And if it helps proactively prevent users from connecting to compromised websites, it can only be a good thing.
via https://www.aiupnow.com by noreply@blogger.com (Ravie Lakshmanan), Khareem Sudlow