posted by chromas on Wednesday August 08 2018, @03:52PM
from the automated-trust dept.

Submitted via IRC for SoyCow1984

Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems.

Source: https://www.bleepingcomputer.com/news/security/lets-encrypt-is-now-officially-trusted-by-all-major-root-certificates/

 

https://www.securityweek.com/lets-encrypt-now-trusted-all-major-root-programs:

[...] At the end of July 2018, Let's Encrypt received direct trust from Microsoft products, which resulted in it being trusted by all major root programs. The CA's certificates are cross-signed by IdenTrust, and have been widely trusted since the beginning.

"Browsers and operating systems have not, by default, directly trusted Let's Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly. IdenTrust is a critical partner in our effort to secure the Web, as they have allowed us to provide widely trusted certificates from day one," noted Josh Aas, Executive Director of ISRG.

[...] While some of these [older operating systems, browsers, and devices] are expected to be updated to trust the CA, others won't, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let's Encrypt will continue to use a cross signature [from IdenTrust].


Original Submission #1, Original Submission #2

Related Stories

Three Years Later, Let's Encrypt Has Issued Over 380 Million HTTPS Certificates 18 comments

Submitted via IRC for Fnord666

The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate.

Since then, the numbers have exploded. To date, more than 380 million certificates have been issued on 129 million unique domains. That also makes it the largest certificate issuer in the world, by far.

Now, 75 percent of all Firefox traffic is HTTPS, according to public Firefox data — in part thanks to Let's Encrypt. That's a massive increase from when it was founded, where only 38 percent of website page loads were served over an HTTPS encrypted connection.

"Change at that speed and scale is incredible," a spokesperson told TechCrunch. "Let's Encrypt isn't solely responsible for this change, but we certainly catalyzed it."

Source: https://techcrunch.com/2018/09/14/three-years-later-lets-encrypt-now-secures-75-of-the-web/

Previously: "Let's Encrypt" Has Issued 1 Million Certificates
Let's Encrypt Issues 100 Millionth Certificate
Let's Encrypt is Now Officially Trusted by All Major Root Programs


Original Submission

Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web 30 comments

Professor J. Alex Halderman, the noted election security researcher, along with his co-authors, has published a summary of Let's Encrypt, its components, and what it does. (Warning for PDF.) The service Let's Encrypt is a free, automated, open certificate authority (CA) to provide TLS certificates. These are usually for web sites, enabling them to provide HTTPS connections.

Since its launch in late 2015, Let's Encrypt has grown to become the world's largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let's Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA–server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let's Encrypt's impact on the Web and the CA ecosystem. We hope that the success of Let's Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.

[...] Prior to our work, a major barrier to wider HTTPS adoption was that deploying it was complicated, expensive, and error-prone for server operators. Let's Encrypt overcomes these through a strategy of automation: identity validation, certificate issuance, and server configuration are fully robotic, which also results in low marginal costs and enables the CA to provide certificates at no charge. We designed Let's Encrypt to scale to the size of the entire Web. In just over three years of operation, it is well on its way: it has issued over 538 million certificates and accounts for more valid browser-trusted certificates than all other CAs combined. We hope that in the near future, clients will start using HTTPS as the default Web transport. Eventually, we may marvel that there was ever a time when Web traffic traveled over the Internet as plaintext.

Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, Pages 2473-2487 (DOI: 10.1145/3319535.3363192)

Earlier on SN:
Let's Encrypt to Transition to ISRG Root (2019)
Three Years Later, Let's Encrypt Has Issued Over 380 Million HTTPS Certificates (2018)
Let's Encrypt is Now Officially Trusted by All Major Root Programs (2018)
Let's Encrypt Takes Free "Wildcard" Certificates Live (2018)
Free Certs Come With a Cost (2017)
Let's Encrypt Issues 100 Millionth Certificate (2017)
Let's Encrypt Won its Comodo Trademark Battle - but Now Fan Tools Must Rename (2016)
Let's Encrypt Gets Automation (2015)


Original Submission

On the Way to Universal Recognition of Let's Encrypt Root Certificate 45 comments

Let's Encrypt, the non-profit certificate authority which provides X.509 certificates for Transport Layer Security encryption at no charge, has an update on the progress towards universal acknowledgement of its root certificate in software and firmware. The cross signature which it has purchased will expire next September, so there is a hard deadline for finalization. There are only a few barriers remaining, one of which is the old versions of Android still in use.

Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.

What can we do about this? Well, while we'd love to improve the Android update situation, there's not much we can do there. We also can't afford to buy the world a new phone. Can we get another cross-signature? We've explored this option and it seems unlikely. It's a big risk for a CA to cross-sign another CA's certificate, since they become responsible for everything that CA does. That also means the recipient of the cross-signature has to follow all the procedures laid out by the cross-signing CA. It's important for us to be able to stand on our own. Also, the Android update problem doesn't seem to be going away. If we commit ourselves to supporting old Android versions, we would commit ourselves to seeking cross-signatures from other CAs indefinitely.

It's quite a bind. We're committed to everybody on the planet having secure and privacy-respecting communications. And we know that the people most affected by the Android update problem are those we most want to help - people who may not be able to buy a new phone every four years. Unfortunately, we don't expect the Android usage numbers to change much prior to ISRG Root X1's expiration. By raising awareness of this change now, we hope to help our community to find the best path forward.

The Internet Archive has retained a copy of the original announcement for Let's Encrypt.

Previously:
(2020) Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
(2020) HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
(2019) Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web
(2019) Let's Encrypt to Transition to ISRG Root
(2018) Let's Encrypt is Now Officially Trusted by All Major Root Programs


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 1, Funny) by Anonymous Coward on Wednesday August 08 2018, @04:05PM (#718827)

    Thank god they came around. Really the last piece of the puzzle to legitimize LE. Where Blackberry goes the world follows.

  • (Score: 2) by Runaway1956 (2926) on Wednesday August 08 2018, @04:41PM (#718847) (1 child)

    I read that as "LE officially trusted by all rootkit programs". Just a minor short circuit between the eyes and the brain, I guess. So then - do all the blackhats trust LE?

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday August 08 2018, @06:44PM (#718914) (4 children)

    That should be the question on the front page of LE. I've been telling it to them for awhile but I get no answer and see zero progress on that front.

    Joe Bloggs won't give a shit about the technical details of something he has no apparent use for. You first HAVE TO sell the why before the how...

    Please somebody hit LE with a large enough clue bat!

    • (Score: 2) by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday August 08 2018, @06:58PM (#718922) (2 children)

      Shouldn't certificates/encryption be automatically handled (and enabled by default) by Joe Bloggs' blog software? Especially given that Google is penalizing non-HTTPS sites in its search engine or refusing to connect to them at all in its browser?

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by edIII (791) on Wednesday August 08 2018, @09:46PM (#719040)

        ^this^

        It has become trivially easy with CPanel, Webmin, etc. to install SSL certificates from LE. Although I wouldn't touch Wordpress with a 10-ft pole, I'm sure there is a plugin or two to handle LE for it as well. Almost every major hosting package out there probably supports it.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Wednesday August 08 2018, @11:57PM (#719122)

        Brian Lunduke has the same take - why encrypt if you don't have to:
        https://www.youtube.com/watch?v=ZmlQoeEycPc [youtube.com] and
        https://www.youtube.com/watch?v=wNPvIk3jQ-M [youtube.com]
        It just adds complexity and is an overhead.

        Has anyone got a step-by-step guide on obtaining a cert and setting it up on your website - for cPanel as well as fully manual - believe it or not, not everyone has cPanel granted to them.

    • (Score: 2) by requerdanos (5997) on Wednesday August 08 2018, @07:46PM (#718954)

      Why encrypt? That should be the question on the front page of LE... You first HAVE TO sell the why before the how...

      I agree that educating people on the reasons for encrypting web traffic would lead to an increase in encrypted web traffic.

      For websites that I work with, it has resulted in a few cancellations of terrific shared web hosting (that doesn't support LE) to move sites to a VPS (that does), and consideration of https: at the beginning of the site-building process and not nearer the end.

      Permit me a brief story (or please tune out now, which would not offend me): I tried to sell advertising on a local/regional resources website several years ago and the owner of an accounting firm said "No thanks, my sign is too big as it is."

      He had all the business that he could handle, and while it's better if people have professional accounting if the alternative is messing up their taxes or their books, he didn't want to say it too loudly.

      All that to say this: Perhaps LE is happy with the current rate of adoption.

  • (Score: 2) by requerdanos (5997) on Wednesday August 08 2018, @07:51PM (#718957)

    Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs

    Obviously this is because Soylentnews.org switched to Let's Encrypt recently and LE decided they should step up their game accordingly.
