If they haven’t already done it, organizations are increasingly turning to encryption to protect sensitive data.
But they also need to think about securing their online communications as well by enabling Transport Layer Security (TLS) protocol in browsers to ensure people aren’t going to a fake Web site.
Unfortunately many small and medium sized businesses can’t be bothered, perhaps finding it expensive to buy and manage digital certificates from certificate authorities.
A group of vendors including network equipment maker Cisco Systems, content distributor Akamai, certificate issuer IdenTrust Inc., WordPress developer Automattic Inc. and Mozilla are backing an alternative that will automatically distribute free certificates starting this summer.
Called Let’s Encrypt, it’s a service provided by the San Francisco-based Internet Security Research Group (ISRG), an independent non-profit aimed at improving the security of Internet connections.
“In our opinion TLS needs to be default now,” Josh Aas, the ISRG’s executive director, said in an interview.
“There needs to be more adoption of TLS,” agreed Forrester Research security analyst John Kindervag.
James Arlen, a Hamilton, Ont.-based security consultant with Leviathan Security Group, said in an email that what he called the “wildly variant ‘proof’ requirements and pricing issues” of many certificate-issuing authorities combined with simple implementation errors has caused too many organizations to abandon TLS.
“My hope for Let’s Encrypt is very simple – that by making it (relatively) easy to acquire and correctly install/configure server side certificates, we will see a real increase in the use of TLS across the board – and especially in the SMB space.
“CISOs, especially those who have faced issues with management of certificates, SSL/TLS configuration, or obstinate IT Ops staff in the past, should find this a real relief, assuming that they are able to see it for what it is – pragmatic security that meaningfully increases security without attempting to attain perfection.”
To enable TLS, Let’s Encrypt users will only have to paste two lines of provided code into a Web server. The Let’s Encrypt management software will issue a digital certificate needed to turn on HTTPS and authenticate Web sites as the ones users intend to go to.
The software will automatically prove to the Let’s Encrypt certificate authority that the organization controls the website, keeps track of when a certificate is going to expire, and automatically renew it, and helps revoke the certificate if necessary.
However, Let’s Encrypt will only offer Domain Validation (DV) certificates, which typically just make the lock icon appear in browser URL bars. It won’t be issuing Extended Validation (EV) certificates, which makes the address bar turn green — a signal many Internet users look for. “We will not offer EV certificates because their issuance cannot be automated,” explained Aas. Some organizations may find it worth paying to get EV certificates.
Most enterprise-sized companies buy their certificates from one of a number of certificate authorities. One of the biggest is Symantec Corp., thanks to its 2010 purchase of VeriSign’s identity and authentication business for about US$1.28 billion.
But while some certificates can be priced as little as $5 a year, others — which include a range of added services — aren’t. For example, one year certificates from Symantec range from US$399 to $1,999 depending on features. An extended warranty is US$1,500 extra. Certificates from Entrust range from US$149 to $699 a year. (Multi-year discounts are available from both).
ISRG executive director Aas, who also works for Mozilla, noted in an interview an organization has to know which certificate to buy to meet its needs, fill out the request process, install the certificate, manage and renew it.
“These are pretty serious barriers to turning on TLS,” he said. “Even for experienced administrators this can be pretty difficult to do.”
On the other hand, the cost of certificates has been falling, noted Forrester’s Kindervag, which may have been behind the VeriSign sale. In fact, he said, digital certificates may be becoming a commodity.
Let’s Encrypt “fires a broadside at people like Symantec who are the big issuers of certificates,” Kindervag said.
In addition to encouraging organizations to adopt TLS, certificates could also theoretically be used to authenticate VPNs or wireless networks, he added.
On the other hand, he noted Let’s Encrypt’s service doesn’t solve the problem of stolen or forged certificates. There are “inherent problems” with any public key certificate system, Aas acknowleged, that can’t be resolved now. But he said security will be aided by transparency: Let’s Encrypt’s software is published on Github for all to see, and a list of every certificate issued will be published so organizations will know the service is legitimate. Any security “events” will also be published, he said.
He said Let’s Encrypt is scheduled to be generally available in the middle of this year, although there may be a limited release before that.