We thought it was about time we looked at Let’s Encrypt and tackled some of the questions and concerns surrounding it. We have been quite slow to adopt Let’s Encrypt due to its relative newness, and certain concerns about security and trust signals. Here’s a full explanation of the good and bad where Let’s Encrypt is concerned.
The idea at the root of Let’s Encrypt is that it’s well past time that websites had a simpler, easier method for managing and offering https encryption. Now that it’s out of its beta testing phase, Let’s Encrypt has been stacking up some impressive sponsors, including Mozilla, Facebook, and Cisco, all of whom have put their names behind the importance of Let’s Encrypt.
But what’s it really all about?
Let’s Encrypt: the good
Prior to Let’s Encrypt becoming available for webmasters, it was tricky to obtain a certificate for https. The process necessitated spending a fair chunk of change and going through a trusted certificate authority, in order to encrypt your website’s traffic.
Let’s Encrypt revolutionised this process, by making access to certificates totally free, and ensuring the installation process, as well as your certificate’s update capabilities, are both as easy as possible. The result is that website owners are now able to offer https and all its benefits to site visitors but don’t have to spend a lot of extra money to do it. Visitors to a website that’s using Let’s Encrypt are essentially protected.
In addition to this, there are tools provided so that the installation and setup of your certificate are as painless as possible.
Let’s Encrypt: the bad
While Let’s Encrypt sounds great in theory, it’s not without its problems. It effectively democratises who can access https for their website. At face value this should be positive, however, human nature must be taken into consideration. The majority of the population who are not IT professionals and/or geeks will see https on a site and immediately place their trust in it. That extra “s” carries trust implicitly.
Although Let’s Encrypt is providing encryption only, its presence on a website gives the impression to a lot of visitors that they can place the same levels of trust in the site as they can for so-called ‘green bar’ sites with Extended Domain Validation – this is a https address with a padlock logo next to the business name in the website address bar.
With Let’s Encrypt, anyone can gain https status, but not everyone has been verified to the extent required for green bar status. Since the majority of site visitors don’t understand this subtle difference, it opens up some worrying possibilities.
Having a secure connection to a website does not make that site trustworthy. It doesn’t mean you can use it safely.
As a further concern, little protection preventing distributors of malware from making use of Let’s Encrypt exists. Malware distributors have already taken advantage of this. For example, around 15,000 certificates have been issued to phishing sites containing ‘PayPal’ as a term. It’s been estimated that 96.7% of the certificates relating to PayPal issued by Let’s Encrypt are for fraudulent sites.
Let’s Encrypt’s stance in response to this was less than comforting.
The problem here is a lack of understanding where the general public is concerned, regarding the manner in which https really works. With enough understanding, Let’s Encrypt would be safe to use and we would be able to take advantage of its many benefits. Until then we shall proceed with care, and hope this information helps raise awareness of the issue.
At catalyst2, we are constantly reviewing the situation around Let’s Encrypt and at the moment we see a significant disconnect between trust signals and “technical” security.