Home / Blog / Let’s Encrypt: The democratisation of SSL certificates

Let’s Encrypt: The democratisation of SSL certificates

Posted on 02/02/2016, by Antonio Rodríguez (INCIBE)
Let’s Encrypt: The democratisation of SSL certificates

There are still a great number of websites that do not use SSL/TLS certificates to encrypt their connections; this has been a problem in web communications security for years.

There are various reasons for this; however, perhaps the most important is the fact that historically, having an SSL certificate was unviable economically, particularly for personal websites, SMEs, or small online shops that do not generate sufficient income to be able to afford a certificate.

Today, “non-premium certificates”, which are much cheaper, are available. However, these are still "taboo" for many people, who have the impression that because they are cheap they "don't protect you as much"; the reality is that the certificate is only a "trust mechanism" in the organisation that issues the certificates, and bears no relation to the strength of encryption (a website with a self-signed certificate is still encrypted, even though it has not been certified by a third party).

To close this gap, Let’s Encrypt was created recently by a group of security researchers, with the support of large organisations including (among others) EFF, Mozilla, Google, Cisco, Akamai, ...

Let’s Encrypt is a non-profit Certificate Authority which makes the generation of certificates free, automated and simple. The premise is to “democratise” the use of secure communications by making this type of certificates available for everybody. This CA is supported by the vast majority of the most used browsers.

Let's Encrypt en Chrome

One of the big concerns in certain sectors about the certificates being free is the possibility that they may be abused by malware developers, for whom it would be simple and easy to use them on malware domains, given that they would not need to invest any money.

The truth is that, although now it has been made easier, this was already being done with paid certificates, especially low-cost certificates, which are ridiculously cheap in comparison to the amounts that can be made through criminal activity.

On the other hand, imposing an “economic difficulty” to hinder criminals is a serious security error: for them, it is only a small obstacle which they can easily overcome, whereas for people who need certificates for legitimate purposes, it is a major barrier. This has brought us to the current situation, where a large proportion of websites are not protected for purely economic reasons.

Instead of protecting everybody, the opposite effect has been obtained, creating general insecurity by imposing a trust model based on money, instead of basing it on an international “public” authority, a function filled for example by ICANN for the assignation of domain names.

Another misconception is that this system will allow the creation of valid certificates for other people’s domains, enabling MiTM attacks.

This is assumption is something of a knee-jerk reaction, presumably fed by certain companies selling paid certificates who are not prepared to compete with free alternatives.

Any domain-validated (DV) certificate (the system Let's encrypt uses) is susceptible to these so-called "attacks"; however, to carry them out it is necessary to compromise and gain control over the domain, in which case the entire structure would be compromised, so the protection offered by SSL/TLS would be voided.

It should be stressed that not only Let’s Encrypt certificates are domain-validated: all low-cost commercial certificates are also DV, and could just as easily be used for compromised domains.

The advantage of DV is precisely that it facilitates automation and ease of use, without prolonged procedures, which would help towards achieving the objective of encryption being used on the communications of all websites.

Making encrypted traffic in web communications universally available is a higher priority than trying to stop the use of encryption by criminals, which is a utopia in which we are still investing efforts which we should be focusing on other strategies.

Although the Let’s Encrypt service is still in beta, it is now sufficiently developed to be used on any website, with minimal maintenance. Currently, the certificates are valid for three months, although they can be programmed for automatic renewal (for example, with Cron) using software available on GitHub.

This software also features plugins which facilitate installation on servers such as Apache or Nginx, and unofficial plugins are even beginning to appear for other cloud platforms, such as Amazon AWS or Microsoft Azure.

Let’s Encrypt is an important initiative, which may mark the start of a new era in web communications security.

Whether paid or free, there is no longer any reason why we shouldn’t all start using SSL/TLS.