
posted by janrinok on Monday March 02 2020, @10:15AM
from the one-for-you-and-one-for-me-and-one-for... dept.

[Update 2020-03-02 08:34:00 UTC. Full disclosure: SoylentNews uses Let's Encrypt certificates.--martyb]

HTTPS for all: Let's Encrypt reaches one billion certificates issued:

Let's Encrypt, the Internet Security Research Group's free certificate signing authority, issued its first certificate a little over four years ago. Today, it issued its billionth.

The ISRG's goal for Let's Encrypt is to bring the Web up to a 100% encryption rate. When Let's Encrypt launched in 2015, the idea was pretty outré—at that time, a bit more than a third of all Web traffic was encrypted, with the rest being plain text HTTP. There were significant barriers to HTTPS adoption—for one thing, it cost money. But more importantly, it cost a significant amount of time and human effort, both of which are in limited supply.

Let's Encrypt solved the money barrier by offering its services free of charge. More importantly, by establishing a stable protocol to access them, it enabled the Electronic Frontier Foundation to build and provide Certbot, an open source, free-to-use tool that automates the process of obtaining certificates, installing them, configuring webservers to use them, and automatically renewing them.

When Let's Encrypt launched in 2015, domain-validated certificates could be had for as little as $9/year—but the time and effort required to maintain them was a different story. A certificate needed to be purchased, information needed to be filled out in several forms, then one might wait for hours before even cheap domain-validated certificates would be issued.

Once the certificate was issued, it (and its key, and any chain certificates necessary) needed to be downloaded, then moved to the server, then placed in the right directory, and finally the Web server could be reconfigured for SSL.

Every one to three years, you'd need to do the whole thing over again—perhaps only replacing the certificate and key, perhaps also replacing or adding new intermediate chain certificates.

The whole thing was (and is), frankly, a mess... and can easily result in downtime if an infrequently practiced procedure doesn't run smoothly.

[...] In June of 2017, Let's Encrypt was two years old and served its ten millionth certificate. The Web had gone from under 40% HTTPS to—in the United States—64% HTTPS, and Let's Encrypt was servicing 46 million websites.

Today, Let's Encrypt's billionth certificate has been issued, it services 192 million websites, and the United States' portion of the Internet is a whopping 91-percent encrypted. The project manages this on nearly the same staff and budget it did in 2017—it has gone from 11 full-time staff and a $2.61 million budget then to 13 full-time staff and a $3.35 million budget today.

None of this would be possible without a commitment to automation and open standards. We gushed about how easy the EFF's Certbot makes it to deploy and renew Let's Encrypt certificates—but that contribution is only possible because of Let's Encrypt's own focus on standardizing an open ACME protocol that anyone can build a client to operate.

In addition to building and publishing a stable, capable protocol, Let's Encrypt put in the work to submit and ratify it with the Internet Engineering Task Force (IETF), resulting in RFC 8555.
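The ACME exchange itself (account registration, order, challenge, finalize) needs a live CA, but the part of RFC 8555 that a client has to get exactly right before it touches the network can be shown offline: deriving the challenge responses from the account key. The Python below is an added example, not code from the article, Let's Encrypt or Certbot. The RSA modulus, the EC coordinates and the token are constructed placeholders (a real account key is a 2048-bit RSA or P-256 key, and the token is chosen by the CA); it implements the JWK thumbprint of RFC 7638, the key authorization of RFC 8555 section 8.1, and the http-01 and dns-01 responses of sections 8.3 and 8.4.

```python
"""Offline computation of ACME challenge responses per RFC 8555 / RFC 7638.

Added example; not code from the article, Let's Encrypt or Certbot.
Assumptions: the RSA modulus, the EC coordinates and the token below are
constructed placeholders (a real account key is a 2048-bit RSA or P-256 key;
a real token is chosen by the CA and delivered in the challenge object).
"""
import base64
import hashlib
import json

# base64url alphabet (RFC 4648 section 5). ACME tokens must contain only these
# characters; a client should refuse anything else before it turns a token
# into a filesystem path under /.well-known/acme-challenge/.
_B64URL_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data):
    """base64url without '=' padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(n):
    """Unsigned big-endian integer -> base64url, minimal byte length (RFC 7518 section 6.3)."""
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def rsa_public_jwk(n, e):
    """Public RSA key as a JWK (RFC 7518 section 6.3.1)."""
    return {"kty": "RSA", "n": int_to_b64url(n), "e": int_to_b64url(e)}


def jwk_thumbprint_input(jwk):
    """RFC 7638 section 3: only the required public members, sorted
    lexicographically, serialised with no whitespace. Optional members such as
    "kid", "alg" or "use" are deliberately excluded, so adding them cannot
    change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    """base64url(SHA-256(canonical JSON)) -- the value ACME binds challenges to."""
    digest = hashlib.sha256(jwk_thumbprint_input(jwk).encode("utf-8")).digest()
    return b64url(digest)


def validate_token(token):
    """Reject tokens that could escape the challenge directory or break the JWS."""
    if not token or any(c not in _B64URL_CHARS for c in token):
        raise ValueError("ACME token must be non-empty base64url text")
    return token


def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return validate_token(token) + "." + jwk_thumbprint(account_jwk)


def http01_response(token, account_jwk):
    """RFC 8555 section 8.3: the CA fetches this path over plain HTTP on port 80
    and expects exactly the key authorization as the response body."""
    return ("/.well-known/acme-challenge/" + validate_token(token),
            key_authorization(token, account_jwk))


def dns01_txt_value(token, account_jwk):
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(keyAuthorization)), never the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed inputs for demonstration only (not a real key, not a real token).
ACCOUNT_JWK = rsa_public_jwk(n=0xDEADBEEF, e=65537)
TOKEN = "DGyRejmCefe7v4NfDGDKfA"

if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("account key thumbprint:", jwk_thumbprint(ACCOUNT_JWK))
    print("http-01: serve", repr(body), "at", path)
    print("dns-01 : TXT _acme-challenge.<domain> =", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Two details are worth noticing. The thumbprint covers only the required public members of the key, so two clients that serialise the same key with different optional fields still agree on the value the CA checks. And the dns-01 record is a hash of the key authorization rather than the key authorization itself, so the TXT record alone does not reveal the account key thumbprint to anyone scraping DNS.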


  • (Score: 3, Insightful) by Mojibake Tengu on Monday March 02 2020, @12:09PM (11 children)

    by Mojibake Tengu (8598) on Monday March 02 2020, @12:09PM (#965435) Journal

    I am very sullen about Let's Encrypt. Those certificates are valid for too short a time, which may be merely annoying for true computers but makes them completely unusable for embedded devices. Reflashing those every couple of months is not only technical madness but also contributes to a decrease in their lifetime.

    --
    Respect Authorities. Know your social status. Woke responsibly.
  • (Score: 0) by Anonymous Coward on Monday March 02 2020, @12:41PM (3 children)

    by Anonymous Coward on Monday March 02 2020, @12:41PM (#965440)

    I am very sullen about Let's Encrypt. Those certificates are valid for too short a time, which may be merely annoying for true computers but makes them completely unusable for embedded devices. Reflashing those every couple of months is not only technical madness but also contributes to a decrease in their lifetime.

    Another good reason not to connect IoT garbage to the larger Internet.

    Like that Deutsche scheiser porn you've got in a hidden folder, keep those botnet-members-waiting-to-happen off the 'net!

    • (Score: 2) by Mojibake Tengu on Monday March 02 2020, @02:39PM (2 children)

      by Mojibake Tengu (8598) on Monday March 02 2020, @02:39PM (#965486) Journal

      Like that Deutsche scheiser porn you've got in a hidden folder

      Coward Dude, I don't use so called hidden folders for pr0n. I use ZFS pools over geli encrypted arrays for that.

      --
      Respect Authorities. Know your social status. Woke responsibly.
      • (Score: 0) by Anonymous Coward on Monday March 02 2020, @11:36PM (1 child)

        by Anonymous Coward on Monday March 02 2020, @11:36PM (#965736)

        There are two types of users:

        C:\Users\Timmy\Desktop\homework\English\term paper\research\additional\library PDFs\pictures\

        and

        /mnt/NAS/porn

        • (Score: 0) by Anonymous Coward on Tuesday March 03 2020, @05:25AM

          by Anonymous Coward on Tuesday March 03 2020, @05:25AM (#965869)

          So there are advantages to not having a wife or girlfriend ;)

  • (Score: 0) by Anonymous Coward on Monday March 02 2020, @01:47PM (2 children)

    by Anonymous Coward on Monday March 02 2020, @01:47PM (#965460)

    Reflashing those every couple of months is not only technical madness but also contributes to a decrease in their lifetime.

    Err, what?? Why would these be running on a public CA system anyway?

    • (Score: 3, Insightful) by Mojibake Tengu on Monday March 02 2020, @02:42PM (1 child)

      by Mojibake Tengu (8598) on Monday March 02 2020, @02:42PM (#965488) Journal

      Because, if the IoT device has an HTTPS control interface, common browsers will reject it without a proper CA.
      Thusly, Let's Encrypt defeats the most important need of today's internet. I suspect this is as planned.

      --
      Respect Authorities. Know your social status. Woke responsibly.
      • (Score: 0) by Anonymous Coward on Monday March 02 2020, @03:19PM

        by Anonymous Coward on Monday March 02 2020, @03:19PM (#965513)

        Want some cheese with that?

        Especially because it's so hard to set an exception on Firefox, Chrome and IE [stackoverflow.com].

        Geez, Louise!

  • (Score: 0) by Anonymous Coward on Monday March 02 2020, @02:21PM (1 child)

    by Anonymous Coward on Monday March 02 2020, @02:21PM (#965474)

    Browser makers are here to help you. There will be no long living certs soon. Ain't that nice?

    • (Score: 0) by Anonymous Coward on Tuesday March 03 2020, @01:31PM

      by Anonymous Coward on Tuesday March 03 2020, @01:31PM (#965953)

      The rejection of long lived certs is easier to implement than the revocation of long lived certs.

      Additionally, the short lived cert thing makes the revocation lists shorter.

      I'm not saying it is the best solution (personally, I prefer a solution like certificate notaries, where you ask a bunch of them to verify that the cert they get for a site is the same as what you got. It even works well with self-signed certs (as they will still go to every CN)). This allows you to verify that either you are not being MitM'd or the entire world is. It makes the assumption that if the entire world is being MitM'd, someone will notice.

  • (Score: 2) by Thexalon on Monday March 02 2020, @08:30PM (1 child)

    by Thexalon (636) on Monday March 02 2020, @08:30PM (#965661)

    If you don't want to use Let's Encrypt for your Internet-of-Crap systems, that's just fine, but I don't see why you should want to ruin its benefits for other kinds of uses like, y'know, the public websites that the project was intended to address in the first place.

    Also, do you seriously think you're going to keep your IoT devices secure? I don't think so, not in the slightest, because too many things have to go perfectly for this stuff to not become a Giant Botnet of Doom. Any of the following happening at any time over the life of the device in question will cause far greater problems than a certificate expiration:
    1. FlyByNight Inc, manufacturer of the popular IoT device Thingamabob, goes out of business without a successor in interest.
    2. FlyByNight Inc's outsourced software provider BitsRUs LLC, goes out of business without a successor in interest, and takes their source code with them.
    3. FlyByNight Inc or BitsRUs LLC decide that Thingamabob 1 is too old to bother maintaining, because next quarter's figures depend not on keeping buyers of Thingamabob 1 happy but encouraging sales of Thingamabob 15. Anybody who calls customer service with complaints about their Thingamabob 1 is going to be instructed to buy Thingamabob 15 instead of giving them real instructions to fix the problem.
    4. FlyByNight Inc issues the patches, but notification of the patch was sent to non-techy grandma, who either didn't notice or didn't know what to do with it or didn't care enough to do anything about it.
    5. FlyByNight Inc issues the patches, and has a back door to install them as a way of protecting against non-techy grandma, except that the bad guys used that back door to get into the system and have now locked out FlyByNight Inc. It's possible to reset the system, but again this is in the form of a notification to non-techy grandma, who does nothing with it.
    6. Somebody working for FlyByNight or BitsRUs decides to act maliciously and crafts a patch that looks totally fine but definitely isn't, and in fact opens up a new back door on purpose.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by Mojibake Tengu on Monday March 02 2020, @08:53PM

      by Mojibake Tengu (8598) on Monday March 02 2020, @08:53PM (#965672) Journal

      It's time to make https obsolete by, say, a UDP6 stateless protocol with P2P encryption.

      A single packet is good enough to control or report anything.

      Guaranteed to induce anxiety and despair in many state agencies' servicemen, too.

      The Street will take the Network back, one day.

      --
      Respect Authorities. Know your social status. Woke responsibly.