Let’s Encrypt, a free, automated, and open certificate signing authority (CA) from the nonprofit Internet Security Research Group (ISRG), has said it’s issued a billion certificates since its launch in 2015.
HTTPS, the default means of secure communication on the internet, comes with three benefits: authentication, integrity, and encryption. It allows HTTP requests to be transmitted over a secure encrypted channel, thus protecting users from an array of malicious activities, including site forgery and content manipulation.
“Since 2017, browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” the company said. “When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”
Let’s Encrypt launched with the goal of speeding up the web’s encryption rate and bringing down the costs of enabling HTTPS. Its ACME (Automatic Certificate Management Environment) protocol offers an easy means to set up and issue SSL certificates that can be renewed and replaced without manual intervention from webmasters.
The Electronic Frontier Foundation’s Certbot is one popular open-source, free-to-use ACME client: it enables HTTPS on websites by automatically deploying Let’s Encrypt certificates, which are valid for only 90 days, and managing renewals.
But with bad actors abusing Let’s Encrypt HTTPS certificates to mask malicious traffic and direct unsuspecting users to malicious sites, the company has taken steps to “ensure that a certificate applicant actually controls the domain they want a certificate for.”