By now, most of you have heard about the “Let’s Encrypt” initiative. Provided by the Internet Security Research Group, the service is an open certificate authority. Also good: it’s free and automated.
The idea is that it’s high time more websites had a simple, easy-to-manage way to offer https encryption. As luck would have it, the initiative is just out of its beta phase and has been adding sponsors like Facebook, Cisco, and Mozilla to its list of organizations that view this initiative as important.
In this article, I want to examine this initiative carefully, taking a look at the good and the bad of Let’s Encrypt.
Let’s Encrypt: the good stuff
Before Let’s Encrypt was made available to webmasters, obtaining a certificate for https meant spending a fair sum of money with a trusted CA (certificate authority) to gain the ability to encrypt traffic for your website.
Let’s Encrypt has completely changed the process of adding a certificate to your website. Not only have they made access to a certificate completely free, they’ve also made sure that both the installation process and the ability to renew your certificate are as simple as possible. This means website owners can offer the benefits of https to their site visitors without spending extra cash to do so. In turn, the traffic going to any website using Let’s Encrypt is, in essence, protected.
Then there are the tools provided to make installing and setting up a certificate as simple as possible. On a Linux server, for example, one can rely on the EFF’s Certbot to install a Let’s Encrypt certificate by copying and pasting a few commands. For installation, simply download the tool with wget and set its permissions with chmod, as prescribed by the Certbot site.
Then run Certbot with the appropriate option (apache, for example). For those concerned about Certbot making sweeping changes to their server configuration, you can also run the tool in certificate-only mode. This installs only the certificate and leaves any needed server configuration changes for you to make manually afterwards.
What really makes using Certbot awesome is that it lets you test automatic certificate renewal in a testing environment instead of doing so “live!” As an added bonus, Certbot supports both Apache and Nginx on various Linux distributions.
Let’s Encrypt: the bad stuff
The biggest problem with Let’s Encrypt is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we’re celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied.
Even though Let’s Encrypt is merely providing encryption for your website, most people visiting it will give it the same level of trust as websites with the “green bar” https (Extended Validation), which shows the company name next to the padlock in the address bar.
This means that even though identity isn’t actually verified at the same level as on a green bar https website, most site visitors won’t know the difference. This is terrifying, and we should be concerned about it. What most people don’t realize is that a secure connection to an untrustworthy website doesn’t mean the website is safe to use.
To add further concern, there’s very little preventing malware distributors from using Let’s Encrypt certificates to make malware distribution websites look more official. Not only has this already happened; worse, Let’s Encrypt’s stance on the issue is quite weak.
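The two mechanical points made so far, that Certbot's job is to keep a short-lived certificate renewed and that a domain-validated certificate attests to nothing but control of the listed names, can both be checked against the dictionary Python's `ssl.getpeercert()` returns for a connection. The following is an added example, not code from the original article, from Certbot or from Let's Encrypt. The certificate below is a constructed sample in that dictionary layout, not a real certificate; the 30-day renewal window is Certbot's documented default for `certbot renew`, and the 90-day lifetime is that of Let's Encrypt certificates.

```python
import ssl
from typing import Dict, List, Optional

# Certbot's documented default: `certbot renew` renews any certificate that
# will expire in less than 30 days. Let's Encrypt issues 90-day certificates,
# so a working renewal cron job keeps at least 30 days of validity in hand.
RENEWAL_WINDOW_DAYS = 30

# Constructed sample laid out like ssl.getpeercert(): subject and issuer are
# tuples of RDNs, each RDN a tuple of (attribute, value) pairs. Not a real cert.
DV_CERT: Dict = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Mar  1 00:00:00 2021 GMT",
    "notAfter": "May 30 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
}


def days_until_expiry(not_after: str, now: str) -> float:
    """Days from `now` to the certificate's notAfter. Both strings use the
    'Mon DD HH:MM:SS YYYY GMT' form that getpeercert() reports, so the check
    is deterministic and does not depend on the wall clock."""
    return (ssl.cert_time_to_seconds(not_after) - ssl.cert_time_to_seconds(now)) / 86400


def renewal_due(not_after: str, now: str, window_days: int = RENEWAL_WINDOW_DAYS) -> bool:
    """True when a `certbot renew` run at `now` would renew this certificate."""
    return days_until_expiry(not_after, now) < window_days


def san_names(cert: Dict) -> List[str]:
    """DNS names the certificate is valid for, taken from subjectAltName.
    This is the whole of what a domain-validated certificate asserts."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def organization(cert: Dict) -> Optional[str]:
    """Organization in the subject, present only when the CA validated one
    (OV/EV). A DV certificate carries none: it says who controls the names,
    not who operates the site, which is the gap the article worries about."""
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "organizationName":
                return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard in the leftmost label covering exactly one
    label (the only wildcard form browsers accept)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def covers_hostname(cert: Dict, hostname: str) -> bool:
    """Whether the certificate is valid for `hostname` at all."""
    return any(name_matches(name, hostname) for name in san_names(cert))


if __name__ == "__main__":
    now = "May  5 00:00:00 2021 GMT"  # constructed "current time" for the demo
    print("valid for:", san_names(DV_CERT))
    print("validated organization:", organization(DV_CERT))  # None for DV
    print("days left:", days_until_expiry(DV_CERT["notAfter"], now))
    print("renewal due:", renewal_due(DV_CERT["notAfter"], now))
```

Run against a live connection, the same functions take the dictionary from `ssl.create_default_context().wrap_socket(...).getpeercert()`; the point of the `organization()` check is that for a Let's Encrypt certificate it returns `None`, which is exactly the information the padlock alone never conveys to a visitor.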
The initiative is putting far too much trust in the general public’s understanding of how https actually works. Fun fact folks – most people are clueless about tech. And the reality is that merely checking new registrations against Google’s records won’t be enough. Perhaps the blame for education needs to fall on the browsers instead?
Firefox and Chrome need to educate their users
You know that first page that opens up in Firefox or Chrome when you install it? Imagine if the information on that page was useful! As in, a quick run-through of the difference between a domain validation certificate and an extended validation certificate! If Firefox and Chrome both did this, I’d feel a lot better about the whole “https for free” democratization situation.
As big of a pain in the backside as most certificate providers happen to be, the fact that folks paid money for a domain certificate did in fact provide a low barrier to entry. Now that this is gone, we need to educate folks on the importance of recognizing the identity of the sites they visit, not merely looking for those silly little green padlocks. Sadly, even though Mozilla has someone on the initiative’s technology advisory board, we aren’t likely to see my suggestion put into action anytime soon.
Putting aside for a minute the question of who needs to educate whom, I think the bigger question website owners need to consider is whether any of this matters. That is, should all websites provide encryption for their visitors?
Does Let’s Encrypt provide a false sense of security?
Bundled with strong security practices, I think offering encryption to your site’s visitors is a great value-added service. For websites where forms are submitted or logins take place, offering https is even more valuable. For read-only websites, however, I feel it potentially gives folks a false sense of security. Worse, I fear that webmasters may also find themselves lulled into a false sense of what’s best for their websites.
I believe that Let’s Encrypt’s best contribution would be to provide support for IP cameras with login pages exposed to the Web, Plex servers not participating in Plex Pass protection, and other such cases where an encrypted tunnel is badly needed. As for offering it to any and all websites, it’s great, but not without greater education of the casual website visitor. People need to understand where encryption ends and common sense begins. In short, I think it’s fantastic for sites where someone is potentially logging in, and for similar situations.
What say you? Do you think that websites offering https to their visitors are providing a badly needed service? Or perhaps, like me, you think it depends on other factors before automatically signing off on the idea of https for all? Hit the comments and tell me your thoughts on Let’s Encrypt.