Why Let’s Encrypt is a really, really, really bad idea…
Did I mention it is a really bad idea???
UPDATE: When you’re done reading this, make sure to read my answer to my many critics. This also provoked a well-written response. In turn, I explain the value of an Extended Value SSL/TLS certificate.
Your web site’s ability to rank in Google search results is now a function of whether you use Secure Sockets Layer (SSL). Or to put it another way, whether you have it addressed at an URL starting with “https”.
In an effort to promote the use of SSL across the web, industry participants have formed Let’s Encrypt, a service provided by the Internet Security Research Group. The service has taken off, with major hosting providers creating tools to automatically create SSL certificates and install them on hosted sites. Sounds like an advance in cyber security, right?
Uh…, maybe not?
Cipher Strength, Key Management, and the “Threat Surface”
The heart of encryption is the encrypting key. Imagine for a moment you have a real-world lock big and strong enough to withstand a 50 caliber rifle shot. What good is that if the bad guy ends up with the key? The digital analogy is the cipher strength of the certificate used to encrypt your website’s traffic. To apply the 50 caliber rifle shot analogy, if the bad guy gets a hold of the “private key” used to generate the SSL certificate, the size of the cipher is rendered entirely irrelevant.
There are numerous Certificate Authorities (CAs) which sell SSL certificates. Each has its own externally audited “Key Management System” (KMS). These CAs submit their audits to the major Operating System vendors like Microsoft, Apple, and Google in order to get their “root certificates” in the OS’s “trusted certificates” store. This is what makes their website SSL certificates work when someone with, say, a Mac navigates to your site.
From a security standpoint, the market fragmentation of CAs is a feature, not a bug.
Medium.com’s SSL certificate was issued by DigiCert (and will expire in August — heads up Medium!). If DigiCert’s Key Management System is compromised, all of their SSL certificates will have to be revoked and re-issued. But if one of the other CAs is compromised, it would not affect Medium’s site.
Let’s Encrypt is an example where the “convenience” of automated issuance of “free” SSL certificates is a bug, not a feature.
The more sites secured by Let’s Encrypt certificates, the bigger the threat surface becomes because the compromise of Let’s Encrypt’s KMS could potentially affect a large number of sites. Let’s Encrypt is being chosen right now because it is a “fire and forget” solution for encrypting site traffic. If a site certificate is revoked, and no one is paying attention to this possibility, traffic will drop precipitously and you as a business person may well be no the wiser for why your lead generation dried up. (Certificate expiration, with no one paying attention, is why no one at Equifax knew they had been hacked for months.)
“Fire and forget” might not be a particularly good idea in cyber security. Just sayin’…
Think Like an Adversary
To understand why this matters, imagine you could position yourself in the middle between a company’s website and their customers or visitors. You can suck up all of that traffic — and if you have the private keys from a CA like Let’s Encrypt you can decrypt the traffic from sites using their certificates. But that’s not the worst of it: Your place as a “man in the middle” cannot be detected by traditional scanning. You’re not necessarily in the network hosting the site and you’re not in the customer/visitor’s computer. But you are in the middle — undetectable and with the keys to the kingdom.
How would you get there? The easiest and most likely way has little at all to do with technology. You just manage to plant an insider into the CA’s division that administers its Key Management System.
No Skin in the Game
The insider threat applies to all Certificate Authorities — but not equally, from a cyber security point of view. Let’s ask this general question:
Who loses what if a CA’s KMS is compromised?
Prior to Let’s Encrypt the answer would be the CA’s ownership loses reputation and business. If the CA was run by a publicly held company, investors lose value in their portfolio and the company would likely be exposed to shareholder lawsuits. Management would likely be fired.
Let’s ask the same question of Let’s Encrypt: Who loses what?
There are no “owners;” this is a not-for-profit organization. There is no revenue; the SSL certs are free.
Nobody loses anything; there is no “skin in the game.”
As more business is done on the web, business people would like there to be a “fire and forget” solution for protecting the confidentiality of their customers’ data. The hard truth is no such solution exists. So what are startups and other small businesses to do?
First: Avoid the temptation of “free” and “convenient.” Major SSL Certificate Authorities have tools you can use, or have your computer support person use, to issue your site’s SSL certificate. They also offer installation support, as do major hosting companies. There’s a process to verify you own the domain, but it not unreasonably cumbersome. Pay attention especially to the breach insurance they offer as part of their product.
Second: If your site is hosted by a hosting company, pay careful attention to the hosting agreement when it comes to who is responsible for what in terms of securing your site. You will likely need to use their tools to create the “certificate signing request” (CSR). Your CA will require the CSR to generate the certificate.
Third: If you contract out the site development and maintenance, ask the provider if they carry cyber insurance. (This is probably the biggest reason to avoid off-shoring this kind of work.) Require them to provide you proof of coverage in case their “errors and omissions” causes your site to be breached.