Free HTTPS tool Let’s Encrypt yesterday announced it has issued its billionth certificate, in what it claims to be a milestone for user privacy and security.
Backed by the non-profit Internet Security Research Group (ISRG), the initiative has good reason to make such claims, having made what was once a complex and expensive process — registering and managing TLS certificates — free and easy.
In a blog post, executive director Josh Aas and VP of comms Sarah Gran revealed how HTTPS page loads have risen from 58% of the global total in 2017 to 81%, and even higher (91%) in the US.
“When you combine ease of use with incentives, that’s when adoption really takes off. Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” they explained.
“When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”
However, there’s another side to the free encryption message: as well as making it easier for legitimate users to improve security, it has made it simpler for cyber-criminals to hide their activities online.
In 2016, for example, Trend Micro reported that malvertisers were using Let’s Encrypt to hide malicious advertising from network security tools.
A couple of years later, a flaw was found in Let’s Encrypt’s ACME protocol that could have allowed attackers to obtain certificates for domains they did not own.
However, the organization has also been improving its own security and authentication processes. Last week it launched a multi-perspective domain validation system to ensure certificate applicants control the domains they are requesting a certificate for.