Ten years of Let’s Encrypt

By on 16 Feb 2026

Categories: Community Policy Tech matters



Adapted from image by G.C. from Pixabay

Christophe Brocas published an article that looks at the irresistible rise of Let’s Encrypt, the free, automated certificate authority (CA) that has swept over the Internet since 2015.

Christophe was able to interview key players Aaron Gable, Sarah Gran, Jacob Hoffman-Andrews and J.C. Jones about the decision to launch Let’s Encrypt, and its approach to domain validation and certificate issuance, the Automatic Certificate Management Environment (ACME) protocol, now standardized in RFC 8555.

Certification before Let’s Encrypt was a process with business model issues, and concerns about exactly why Certificate Authorities (CAs) were in your browser as a Trust Anchor, and what process determined issuance of a certificate. These problems were exemplified in the 2011 DigiNotar incident, where a compromised CA issued certificates for domains whose owners had never requested them (including *.google.com), allowing Man-in-the-Middle attacks on trusted services like Gmail.

As Christophe notes, Let’s Encrypt became popular at a time when less than 40% of websites worldwide were served over HTTPS, that is, protected on the wire by the TLS protocol suite. Now at least 88% of sites worldwide use TLS, and of these, over 60% obtain their certificates from Let’s Encrypt.

This also relates strongly to the adoption of the TLS protocol more generally across the application protocols of the Internet, following on from RFC 7258 Pervasive Monitoring is an Attack first published in 2014.

Let’s Encrypt has had a massive influence on containerized, machine-driven deployments. Fully scripted ‘hands off’ issuance can be run directly from the web servers of these systems (the HTTP-01 challenge, answered from the site itself), or through dynamic DNS updates (the DNS-01 challenge) for systems that need wildcard or otherwise complex certificate naming.
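As an added example (not code from this post, from Christophe's article, or from Let's Encrypt), the following Python computes the two challenge responses an ACME client publishes under RFC 8555: the HTTP-01 body a web server answers with, and the DNS-01 TXT value a wildcard request needs via a DNS update. Both derive from the key authorization, `token || "." || thumbprint(accountKey)`, where the thumbprint is the RFC 7638 JWK thumbprint of the account key. The account key, its `kid`, and the token are constructed samples, and the token check is a defensive step of the example, not something the post describes.

```python
"""
Added example: ACME (RFC 8555) challenge responses.

  HTTP-01 (section 8.3): serve the key authorization at
      http://<domain>/.well-known/acme-challenge/<token>
  DNS-01  (section 8.4): publish base64url(SHA-256(key authorization))
      as the TXT record _acme-challenge.<domain>; this is the challenge
      type that wildcard names require.

Standard library only; the account key below is a constructed sample.
"""
import base64
import hashlib
import json
import re

# Members that enter the thumbprint for each key type (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# RFC 8555 requires the token to use only the base64url alphabet with no
# padding. Checking it before the token is used in a file path keeps a
# malicious or buggy server from steering a client with "../" sequences.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires (RFC 8555 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, serialised as JSON
    with keys in lexicographic order and no whitespace. Extra members such
    as 'kid' or 'alg' are ignored, so the thumbprint of a key is stable."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def validate_token(token: str) -> str:
    """Reject anything outside the base64url alphabet (see _TOKEN_RE)."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError(f"ACME token contains illegal characters: {token!r}")
    return token


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint)."""
    return f"{validate_token(token)}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """(path the web server must answer, body it must return)."""
    path = f"/.well-known/acme-challenge/{validate_token(token)}"
    return path, key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the _acme-challenge TXT record (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")
    ).digest()
    return b64url(digest)


# Constructed sample inputs (not a real key): an RSA public JWK whose modulus
# is placeholder bytes, plus a token of the shape ACME servers hand out.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65)) * 4),  # 256 placeholder bytes
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: serve", path)
    print("         body ", body)
    print("DNS-01 : _acme-challenge.<domain> TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The thumbprint is what ties a challenge response to one ACME account: a web server that answers HTTP-01 for every token it is asked about still cannot be used by a different account, because the body must embed that account's key thumbprint. The DNS-01 value is a hash of the key authorization rather than the authorization itself, so the TXT record never exposes the thumbprint.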

Christophe writes as a member of the wider Internet community, reflecting on the massive social benefit of the decision to launch this model of certification, and its impact on privacy-preserving and trustable Internet services.

The rise of automation and the availability of a highly reliable worldwide certificate authority for free have led to massive changes in the PKI space. For example, the Certification Authority Browser Forum (CA/Browser Forum), which sets the Baseline Requirements for publicly trusted web PKI certificates, has adopted shorter maximum certificate lifetimes: its April 2025 ballot SC-081 steps the maximum down from 398 days to 200 days in March 2026, 100 days in March 2027 and 47 days in March 2029.

Shorter certificate lifetimes shrink the window of exposure should a certificate be issued by mistake, or its key be compromised, before it can be reissued. They also reduce dependence on revocation mechanisms such as Certificate Revocation Lists (CRLs), which are bulky and lag behind issuance, and Online Certificate Status Protocol (OCSP) checks, which leak a client’s browsing to the CA and which most browsers soft-fail when the responder is unreachable. This change only works because automated issuance and renewal are now widely available.

Let’s Encrypt has pushed the pace and changed technology dependencies for the better.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
