IT Security: Let's Encrypt
Let's Encrypt is now the largest issuer of SSL certificates for websites with 51.21% usage
With the growing number of cyberattacks targeting websites, it hardly needs repeating that one of the essential ways to prevent such attacks remains the adoption of security measures such as website encryption.
Let's Encrypt, the certificate authority that launched its public services in 2015, offers tools to this end by providing automated means for installing and renewing free certificates for the TLS encryption protocol. With these services, Let's Encrypt aims to deliver a 100% secure web by enabling entities with limited financial and technical resources to secure their websites.
The Let's Encrypt certificate authority distributed a large volume of free certificates per day in 2016, sometimes exceeding 100,000 certificates per day. At the end of June 2017, the authority indicated it had passed the 100 million certificate mark since its launch in December 2015. As a reminder, in February 2017 Let's Encrypt was used by 13.70% of all registered French domains.
To facilitate the deployment of its tools and further boost the adoption of its web security services, Let's Encrypt announced last July that it would offer wildcard certificates starting in January 2018. According to the authority, these wildcard certificates aim to secure any number of subdomains of a base domain. In other words, with these wildcard certificates, administrators can use a single certificate and key pair for a domain and all its subdomains, no longer needing to register a certificate individually for each web address as is currently the case.
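To make the coverage of such a wildcard certificate concrete, here is an added example (not from the article or from Let's Encrypt) that applies the RFC 6125 matching rule most TLS clients follow, where `*` stands for exactly one left-most label. It goes slightly beyond the text by showing the two edge cases administrators usually hit: the base domain needs its own entry, and nested subdomains are not covered. The function names and the example.com names are constructed for illustration.

```python
# Added example: which hostnames a wildcard certificate covers.
# RFC 6125-style matching: "*" must be the whole left-most label
# and stands for exactly one label.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (SAN entry) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" never spans more or fewer than one label
    if "" in h_labels or any("*" in label for label in p_labels[1:]):
        return False  # malformed hostname, or wildcard outside first label
    if p_labels[0] == "*":
        # Require two fixed labels so a pattern like "*.com" is never honoured.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcards such as "w*.example.com" are rejected
    return p_labels == h_labels


def cert_covers(san_list, hostname: str) -> bool:
    """A certificate covers hostname if any of its SAN entries matches."""
    return any(san_matches(p, hostname) for p in san_list)


def coverage_report(san_list, hostnames):
    """Map each hostname to True/False for the given SAN list."""
    return {h: cert_covers(san_list, h) for h in hostnames}


# Constructed SAN lists; example.com is a reserved documentation domain.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]
HOSTS = ["example.com", "www.example.com", "shop.example.com",
         "api.eu.example.com", "example.org"]

if __name__ == "__main__":
    for name, sans in (("wildcard only", WILDCARD_ONLY),
                       ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(name)
        for host, ok in coverage_report(sans, HOSTS).items():
            print(f"  {host:22} {'covered' if ok else 'NOT covered'}")
```

A certificate meant to serve both the base domain and its first-level subdomains therefore lists both names; deeper levels such as `api.eu.example.com` need their own entry or their own wildcard.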
The authority explained that these wildcard certificates would be offered for free through version 2 of the ACME (Automated Certificate Management Environment) protocol. This protocol is the centerpiece of the service offered by Let's Encrypt. It is the element with which Let's Encrypt interacts with its subscribers "so they can obtain and manage certificates." It allows Let's Encrypt to ensure that validation, issuance, and management methods are fully automated, secure, and compliant with its expectations. With version 2, ACME can be easily used by other certificate authorities and will become an IETF standard with technical improvements. Furthermore, the authority explained that the version 2 API of this protocol will coexist alongside version 1 until the end of the lifecycle of this first version of the protocol.
According to Josh Aas, Executive Director of ISRG, this will significantly facilitate deployment and, beyond that, the adoption of HTTPS on the web. Indeed, having a single pair of encryption keys and a certificate for a domain and its subdomains is far easier to manage than having multiple certificates for different domains and subdomains.
Subsequent events may have proven him right. Indeed, according to the NetTrack barometer, certificates issued by Let's Encrypt held a 51.21% market share in April 2018, far ahead of COMODO CA Limited in second place with 14.82%. GoDaddy.com came in third with 6.14%.
Despite the praise from privacy advocates and those in the security community who have applauded the non-profit organization's efforts and achievements, some critics have sounded the alarm, warning that Let's Encrypt could be guilty of going too far, too fast, and giving away too much of a good thing without having proper checks and balances in place.
The main concern is that while the growth of SSL/TLS usage is a positive trend for the entire web ecosystem, it also gives criminals an easy way to facilitate website spoofing, server identity theft, and man-in-the-middle attacks, as well as a way to slip malware past corporate firewalls.
"Unwitting users might think they are communicating with trustworthy sites because the site's identity has been validated by a certificate authority, not realizing that these are only domain validation certificates without any guarantee as to the identity of the organization owning the site," said Asif Karel, Director of Product Management at Qualys.
Of course, critics do not hold Let's Encrypt responsible for these abuses, but they believe the authority could do a better job vetting applicants to weed out bad actors.
"Let's Encrypt can, in theory, be tricked," acknowledged Josh Aas. "However, the same is true for other certificate authorities. People act as if Let's Encrypt is the first certificate authority to be tricked. That's absurd."
Protect your website with a Let's Encrypt SSL certificate and secure the data exchanged between your visitors and your server. The HTTPS protocol improves not only user trust but also your ranking in search engines.
Easy to install and entirely free, Let's Encrypt is the ideal solution for securing your sites, online stores and web applications while strengthening your online credibility.

