
Let’s Encrypt free HTTPS certification push exits beta

TechCrunch 12/04/2016 Natasha Lomas

An initiative to encourage more websites to encrypt connections by offering free digital certificates has today exited beta, six months on from the initial launch — the idea behind Let’s Encrypt being to lend an automated hand to smaller websites that might not have the resources to go about achieving public-key certification on their own.

In the six months since the initiative got up and running, Mozilla, one of the organizations backing the push — which are gathered under the umbrella moniker of the Internet Security Research Group (ISRG) — says it has issued more than 1.7 million certificates, helping shift some 2.4 million domain names onto secure HTTPS connections, with WordPress a recent addition.

And while millions more encrypted connections sounds like progress, in reality it’s rather a drop in the ocean of unsecured online content — with only a minority (40 per cent) of page views encrypted as of December 2015, according to Mozilla, and just 65 per cent of online transactions using the secure Internet protocol HTTPS.

Alongside Mozilla, other organizations involved in the ISRG include Cisco, Akamai, the Electronic Frontier Foundation and IdenTrust. The group also lists a raft of sponsors on its website, including Chrome and Facebook.

As well as the obvious privacy risks to user data from unsecured web connections, from hackers or other types of snoopers, Google has also said it intends to flag unsecured connections in its popular Chrome browser — thereby potentially discouraging users from surfing to non-HTTPS websites in the first place, and providing a self-interested incentive to shift websites onto secure connections.

While Let’s Encrypt has the clear(ly worthy) goal of helping lock down more Internet connections, the free system has itself not been immune to abuse — as noted by security firm Trend Micro, which earlier this year found malvertisers had used a ‘domain shadowing’ technique to insert a redirect to a site hosting a banking trojan by creating a subdomain under a domain certified using Let’s Encrypt.

“Any technology that is meant for good can be abused by cybercriminals, and digital certificates like those of Let’s Encrypt’s is no exception,” noted Trend Micro. “A certificate authority that automatically issues certificates specific to these subdomains may inadvertently help cybercriminals, all with the domain owner being unaware of the problem and unable to prevent it.”

“Users should also be aware that a “secure” site is not necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited,” Trend Micro added.
