LawTrust

Let’s encrypt, but let’s do it with identification

Let’s Encrypt, a “free, automated and open certificate authority”, recently announced that it had issued more than 20 000 000 active certificates by the end of 2016. Many web professionals have embraced Let’s Encrypt technology because it is free and offers automated tools to renew the certificate every 90 days.

To understand what Let’s Encrypt offers, and what it doesn’t, one has to understand what Secure Sockets Layer (SSL) is, and where certificates come into the picture.

SSL is a technology that enables your web browser to communicate with a web server over an encrypted channel. This means that even if someone (e.g. a spy agency, or a hacker) is snooping on your internet activity on a particular website, the conversation between your browser and the server will be incomprehensible to the snooper.

SSL turns requests for information from plain text, for example “Credit Card No: 4535-5311-5644-3311”, into encrypted data that looks like this: “6.^.@.b.h..5”. To do this, the browser and the web server securely exchange “keys” so that only they can decrypt the conversation, and nobody in between.

SSL certificates, on the other hand, certify that the website represents the organisation/individual it says it does. It’s great to have an encrypted conversation, but it’s even more important to know that the person/website you’re having the encrypted conversation with is bona fide.

SSL certificates were designed to solve this issue, and offer different levels of security from domain-validated certificates to extended validation certificates.

Domain-validated certificates only confirm that the applicant controls the domain named in the certificate, whereas extended validation certificates are only issued by certification authorities once a rigorous audit has been done via business registry lookups and telephonic validation.

Consider the Let’s Encrypt website itself, which uses one of its certificates. If you visit it in Google Chrome, you will see a green padlock indicating the site is “secure”.

The "green lock" is not the be-all and end-all of online security. (Image: LAWtrust)

But this website is only secure insofar as the communication between the browser and the website is secure, not that the organisation is bona fide and can, for example, be trusted to take your credit card details.

People who have been repeatedly told that the “green lock” symbol is a good thing will now have to dig a little deeper to find out whether a website is legitimate or not.
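One way to dig deeper is to read the subject of the certificate the server presents: a domain-validated certificate names only the domain, while organisation- and extended-validation certificates also carry the validated legal identity. The following is an added example, not code from the article or from LAWtrust; it uses Python's standard `ssl` module and constructed sample certificates in the dict shape that `getpeercert()` returns (the attribute names assumed are OpenSSL's long names, as Python reports them).

```python
import socket
import ssl

# Subject attributes that extended validation certificates carry on top of
# the organisation name (incorporation details gathered during the EV audit).
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten a getpeercert()-style subject into {attribute: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def validation_level(cert):
    """Classify a certificate as DV, OV or EV from what its subject asserts."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only domain control was checked; no identity is asserted
    if EV_SUBJECT_FIELDS.issubset(fields):
        return "EV"  # organisation plus audited incorporation details
    return "OV"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate (same dict shape as the samples below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real ones), in getpeercert() shape.
DV_CERT = {"subject": ((("commonName", "example.org"),),),
           "subjectAltName": (("DNS", "example.org"),)}
OV_CERT = {"subject": ((("countryName", "ZA"),),
                       (("organizationName", "Example Trading (Pty) Ltd"),),
                       (("commonName", "www.example.co.za"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "ZA"),),
                       (("serialNumber", "2001/012345/07"),),
                       (("countryName", "ZA"),),
                       (("organizationName", "Example Trading (Pty) Ltd"),),
                       (("commonName", "www.example.co.za"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, validation_level(cert), subject_fields(cert))
```

Browsers decide whether to show the EV indicator from the certificate's policy OID and the issuing root, not from the subject alone, so treat this subject-based check as an approximation of what the certificate claims about identity.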

Malware distributors have already begun using free Let’s Encrypt certificates to distribute malware, and Let’s Encrypt has said it is not going to be policing the content of the websites it certifies.

So where does this leave us? Certainly as information security professionals we should be encouraging the widespread adoption of encrypted communication using SSL, and Let’s Encrypt is one of the technologies that supports this adoption.

But equally we should encourage businesses to adopt SSL certificates that properly validate their information, so that their users can be comfortable knowing that the website they are visiting is owned and managed by an authentic business.

Free domain validation certificates have raised the benchmark in that web developers and hosting providers have no excuse for not providing basic encryption for their websites.

But our attention should now turn to the crucial issue of identification – how can we send signals to our users that our website is legitimate and represents the company they think they are communicating with?

The answer is extended validation certificates, which require the website owner to go through thorough audit checks before getting their name displayed in green on the URL bar.

Building trust in the digital world requires more than just encryption – we not only need to know that our communication is secure, we also need to know we are communicating with the correct individual or organisation.