It wasn’t that long ago that most websites weren’t secured with Transport Layer Security (TLS) encryption. You could tell because the sites’ addresses started with HTTP instead of HTTPS. Today, 81% of web pages use HTTPS globally, and 91% are secured in the US. For that vast increase in secure web browsing, we owe a large debt of gratitude to the Internet Security Research Group (ISRG) and its Let’s Encrypt project. Let’s Encrypt has just issued its billionth web security certificate.
Without these TLS certificates, it’s trivial to steal your login and password over Wi-Fi. The only way to have reliable security is for every website to use encrypted connections. One reason that hadn’t happened is that TLS certificates were both expensive to get and cumbersome to administer. Then, along came Let’s Encrypt in 2015.
“Encryption should be the default for the web,” said Josh Aas, the ISRG’s executive director and senior technology strategist at Mozilla when Let’s Encrypt was first formed. “The web is a complicated place these days; it’s difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone’s private data and information is protected while in transit over the web is to encrypt everything. Let’s Encrypt simplifies this.”
It wasn’t just that Let’s Encrypt gave people and companies free TLS certificates; it also made TLS certificates easy to use. It did this by making the process automatic with the Automatic Certificate Management Environment (ACME) protocol. ACME, which is now an IETF Standard, RFC 8555, automates public-key infrastructure (PKI) certificate generation, making it possible to generate millions of secure certificates quickly.
Thanks to ACME, Let’s Encrypt now serves almost 200 million websites with only two new staffers and a 28% budget increase since June 2017. We should also be so efficient!
To use ACME to get a Let’s Encrypt certificate, you need a client. One of the best ACME clients is the Electronic Frontier Foundation (EFF)’s Certbot. The EFF developed Certbot to make it as easy as possible to secure your website with either Let’s Encrypt or any other certificate authority (CA) that supports ACME. There are also many other ACME clients.
But as great as all this is for website owners who want to secure their sites’ connections, don’t think for a New York minute that a secure site is actually a good site. It may be a website of scum and villainy.
By automating TLS certificate deliveries, Let’s Encrypt has made it easy for bad actors to get certificates for their sites too. For instance, hackers have misused Let’s Encrypt certificates to help disguise malicious websites as sites coming from such companies as Apple, Google, and PayPal. And, of course, any rotten site can get a TLS certificate as well. In short, just because you can connect to a site securely doesn’t mean that the site itself is safe.
That said, Let’s Encrypt has been working on improving the quality of its security. For example, Let’s Encrypt recently strengthened its domain validation methods. This is the process all TLS certificate authorities use to ensure that a certificate applicant actually controls the domain they want a certificate for. The net result is it’s harder for someone to get away with trying to hijack a site.
Still, problems and all, Let’s Encrypt should be lauded for making the web a safer place. Let’s Encrypt is a non-profit operation and could use your help. If your company or organization would like to sponsor Let’s Encrypt, please email them at email@example.com. You can also contribute individually.