
Why Let’s Encrypt is a really, really, really bad idea…

Did I mention it is a really bad idea???

UPDATE: When you’re done reading this, make sure to read my answer to my many critics. This also provoked a well-written response. In turn, I explain the value of an Extended Validation (EV) SSL/TLS certificate.

Your web site’s ability to rank in Google search results is now partly a function of whether you serve it over SSL/TLS (Secure Sockets Layer, long since replaced by Transport Layer Security, though the old name has stuck). Or to put it another way, whether it is addressed at a URL starting with “https”.

In an effort to promote the use of SSL across the web, industry participants have formed Let’s Encrypt, a free, automated Certificate Authority operated by the Internet Security Research Group (ISRG). The service has taken off, with major hosting providers building tools that automatically request certificates, install them on hosted sites, and renew them. Sounds like an advance in cyber security, right?

Uh…, maybe not?

Cipher Strength, Key Management, and the “Threat Surface”

There are numerous Certificate Authorities (CAs) which sell SSL certificates. Each has its own externally audited “Key Management System” (KMS): the hardware security modules, procedures, and staff that guard its signing keys. These CAs submit their audits to the root programs run by the major browser and operating system vendors (Microsoft, Apple, Google, and Mozilla) in order to get their “root certificates” into the vendor’s “trusted certificates” store. This is what makes their website SSL certificates work when someone with, say, a Mac navigates to your site.

From a security standpoint, the market fragmentation of CAs is a feature, not a bug.

Medium.com’s SSL certificate was issued by DigiCert (and will expire in August — heads up Medium!). If DigiCert’s Key Management System is compromised, every certificate it issued, Medium’s included, has to be revoked and re-issued. If one of the other CAs is compromised, Medium does not have to replace anything. There is a caveat a practitioner should keep in mind, though: a browser accepts any certificate that chains to any root in its store, so a compromised CA can be used to issue a fraudulent certificate for medium.com without DigiCert being involved at all, and Medium’s visitors are exposed whichever CA falls. A CAA record in your DNS (which tells CAs which of them may issue for your domain) and watching the Certificate Transparency logs for certificates you did not request are the two checks that narrow that exposure.

Let’s Encrypt is an example where the “convenience” of automated issuance of “free” SSL certificates is a bug, not a feature.

The more sites secured by Let’s Encrypt certificates, the bigger the threat surface becomes, because a compromise of Let’s Encrypt’s KMS would force revocation and re-issuance across a very large number of sites at once. Let’s Encrypt is being chosen right now because it is a “fire and forget” solution for encrypting site traffic: its certificates are valid for only 90 days, and a client program on the server renews them automatically. If that renewal quietly stops working, or a certificate is revoked, and no one is watching, browsers start showing your visitors a full-page warning, traffic drops precipitously, and you as a business person may well be none the wiser about why your lead generation dried up. (An expired certificate that nobody was paying attention to is why Equifax went months without noticing it had been hacked: the certificate on its traffic-inspection device had lapsed, the device stopped inspecting encrypted traffic, and the attackers’ activity went unseen.)

“Fire and forget” might not be a particularly good idea in cyber security. Just sayin’…

Think Like an Adversary

How would you compromise a CA’s Key Management System? The easiest and most likely way has little at all to do with technology: you plant an insider in the CA’s division that administers it. (That threat is exactly why root programs require CA signing keys to live in hardware security modules under dual control, so that no single insider can sign with them alone.)

No Skin in the Game

Who loses what if a CA’s KMS is compromised?

Prior to Let’s Encrypt the answer would be that the CA’s ownership loses reputation and business. If the CA were run by a publicly held company, investors would lose value in their portfolios and the company would likely be exposed to shareholder lawsuits. Management would likely be fired.

Let’s ask the same question of Let’s Encrypt: Who loses what?

There are no “owners;” it is a not-for-profit organization, funded by sponsors and donations. There is no revenue from certificates; they are free.

Nobody loses money; there is no financial “skin in the game.” (What a not-for-profit CA does stand to lose is the same thing any CA does: its place in the root stores. Browser vendors remove a CA that mis-issues, as they did with DigiNotar in 2011, and every certificate it ever issued stops working, which is precisely the mass outage described above.)

Three Takeaways

First: Avoid the temptation of “free” and “convenient.” Major SSL Certificate Authorities have tools you can use, or have your computer support person use, to issue your site’s SSL certificate. They also offer installation support, as do major hosting companies. There’s a process to verify you own the domain, but it is not unreasonably cumbersome. Pay attention especially to the warranty or breach insurance they offer as part of their product.

Second: If your site is hosted by a hosting company, pay careful attention to the hosting agreement when it comes to who is responsible for what in terms of securing your site. You will likely need to use their tools to create the “certificate signing request” (CSR). The CSR carries your site’s public key and the names the certificate should cover, signed with your private key to prove you hold it; the private key itself stays on the server. Your CA will require the CSR to generate the certificate.
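The CSR step above in working code, as an added example for this article rather than any hosting company’s or CA’s tool: it generates the site’s key pair, writes the CSR in the PEM form a CA’s web form expects, and then inspects the CSR the way you should before submitting it (parse it, confirm its self-signature verifies, and refuse it if it names a domain you do not control, which is the check to run on a CSR a hosting tool produced for you). The host names, the “owned” domain list, and the `inspectCSR` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// makeCSR generates the site's key pair and a CSR covering hosts. The private key
// never leaves this machine; only the CSR (public key, names, and a self-signature
// proving possession of the key) goes to the CA.
func makeCSR(hosts []string) (csrPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: hosts[0]},
		DNSNames: hosts,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return csrPEM, keyPEM, nil
}

// inspectCSR is the check to run before handing a CSR to the CA: it must parse,
// its self-signature must verify, and every name in it must be a domain you own.
// It returns the names the CA will validate and issue for.
func inspectCSR(csrPEM []byte, owned []string) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature does not verify: %w", err)
	}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !isOwned(n, owned) {
			return nil, fmt.Errorf("CSR asks for %q, which is not one of your domains", n)
		}
	}
	return csr.DNSNames, nil
}

func isOwned(name string, owned []string) bool {
	for _, o := range owned {
		if name == o {
			return true
		}
	}
	return false
}

func main() {
	owned := []string{"example.com", "www.example.com"} // constructed: the domains you control
	csrPEM, keyPEM, err := makeCSR([]string{"www.example.com", "example.com"})
	if err != nil {
		panic(err)
	}
	names, err := inspectCSR(csrPEM, owned)
	fmt.Println("names the CA will validate:", names, "error:", err)
	// A CSR that sneaks in a name you do not own is refused before it reaches the CA.
	foreign, _, err := makeCSR([]string{"www.example.com", "login.example.net"})
	if err != nil {
		panic(err)
	}
	_, err = inspectCSR(foreign, owned)
	fmt.Println("foreign name:", err)
	fmt.Print(string(csrPEM)) // this is what you paste into the CA's or host's form
	_ = keyPEM                // stays on the server, file mode 0600, never sent anywhere
}
```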

Third: If you contract out the site development and maintenance, ask the provider if they carry cyber insurance. (This is probably the biggest reason to avoid off-shoring this kind of work.) Require them to provide you proof of coverage in case their “errors and omissions” cause your site to be breached.

The Startup

Medium's largest active publication, followed by +707K people. Follow to join our community.

Written by John Horst, CISSP® — ISSAP®

I am a charter member of the pocket-protector set, but old enough to make fun of them and otherwise have a healthy skepticism of tech. https://goo.gl/2z5Snr