The last few days were full of mixed emotions for Let’s Encrypt, the pioneer company in providing free certificates. On the downside, the company made headlines for having to revoke 3 million certificates in less than 24 hours because of a bug in its Certificate Authority Authorization (CAA) code—which can lead to the abuse of the certificates with that vulnerability.
Let’s Encrypt issued their one billionth certificate
On the bright side, Let’s Encrypt announced on 27 February 2020 that they reached a milestone: they issued their one billionth certificate. The company has every reason to be proud of this achievement.
“In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody,” said in blog post Josh Aas, Executive Director, and Sarah Gran, VP of Communications.
One key factor behind the rapid adoption of Let’s Encrypt certificates is the ease of use of their ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. The protocol was standardized as RFC 8555 in 2019, which allows the Web community to confidently build a rich ecosystem of software based on its regulations?.
\“When you combine ease of use with incentives, that’s when adoption really takes off. Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” added the company executives in their message.
"every rose has its thorn"
However, every rose has its thorn. As well as making it easier for legitimate users to improve security, issuing free certificates without the hassle of a complex process has made it simpler for cyber-criminals to hide their activities online. Criminals are getting more sophisticated and they are now using TLS certificate to obfuscate their movements.
As Kim Crawley wrote only recently, “Out of all the malware that made some kind of network connection during their infection process, about 23% communicated over HTTPS, either to send or receive data from the C2, or during installation when they may use HTTPS to conceal the fact that they are retrieving malicious payloads or components.” What does this mean? Simply, a lot of the network security systems will fail to detect malware that uses TLS encryption to hide itself.
Multi-perspective Domain Validation
This brings us to a second round of good news from Let’s Encrypt. The certificate provider announced on 19 February, a new security feature that protects from network attackers. The new feature is called multi-perspective domain validation and helps certificate authorities (CA) to certify that an applicant controls the domain they want a certificate for.
\Domain validation is a process that all CAs use to ensure that a certificate applicant controls the domain they want a certificate for. Typically, the domain validation process involves asking the applicant to place a file or token at a controlled location for the domain, such as a path or a DNS entry. Then the CA will check that the applicant was able to do so.
A potential issue with this process is that if a network attacker can hijack or redirect network traffic along the validation path (for the challenge request, or associated DNS queries), then the attacker can trick a CA into incorrectly issuing a certificate. This is precisely what a research team from Princeton demonstrated can be done with an attack on BGP.
With multi-perspective domain validation, instead of validating from one network perspective, certificate applicants are validated from multiple perspectives as well as from Let’s Encrypt data centers. “This makes the kind of attack described earlier more difficult because an attacker must successfully compromise three different network paths at the same time (the primary path from our data center, and at least two of the three remote paths). It also increases the likelihood that such an attack will be detected by the Internet topology community,” explained Let’s Encrypt in their blog.
Commenting on this new security feature, Kevin Bocek, VP, Security Strategy & Threat Intelligence, Venafi, said that "It’s great to see Let’s Encrypt increase the level of validation they use to better demonstrate ownership and control of a domain. However, we know that tens of thousands of Let’s Encrypt certificates are used by cyber attackers every day to make their phishing attacks more credible.
It’s easy for many businesses to assume that if they don’t use Let’s Encrypt certificates this isn’t their problem, but that’s not the case. Attackers can still get a Let’s Encrypt certificates that look like any domain in seconds. The only way to protect yourself is to have complete visibility over all the TLS certificates across the entire internet."
Do you have complete visibility across all your certificates? See how Venafi can help you.
- The Real Value of Certificate Authorities: Do Free Certificates Come at a Price?
- WildCard Certificates from Let’s Encrypt: Will the Rewards Outweigh the Risks?
- Let’s Encrypt Stops Certificate Hijack Flaw: Can Our Industry Do More?