The perils of free digital certificates

Open source certificate authority Let's Encrypt wants to give domain owners free and validated certificates, but the offer comes with a price

The perils of free digital certificates

Let’s Encrypt, the open source digital certificate authority backed by industry stalwarts Mozilla, Cisco, and Akamai, announced the release of its first certificate two days ago. Intended to ease the transition to TLS (Transport Layer Security) protocol, the more secure successor to SSL, Let's Encrypt offers tools to automate how certificates are issued, configured, and renewed.

Accelerating TLS adoption by streamlining the certificate supply chain is a worthy goal, but it may have unintended consequences, including new potential vulnerabilities and an increase in certificate management hassles.

More certificates in circulation means cyber criminals will issue more counterfeit versions, making it difficult to know which ones to trust. This is already the case with criminals abusing the free certificates issued by CloudFlare. Gartner analysts estimate half of all network attacks will use SSL/TLS by 2017.

It doesn’t help that many of the existing threat protection systems are not capable of inspecting encrypted traffic. Enterprises will have more blind spots, trying to figure out where the attackers are hiding inside the encrypted data stream.

“Using certificates to appear trusted and hide inside of encrypted traffic is fast becoming the default for cyber attackers -- which almost counteracts the whole purpose of adding more encryption and trying to create a more trustworthy Internet with more free certificates,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, an enterprise certificate reputation provider.

Free and self-signed certificates are also problematic because anyone with a domain can get them. ISRG has said in the past that people won’t even need to create an account to get a certificate.

Enterprises should not replace existing, paid certificates with free ones -- the free certificates do not validate the identity and business location of the certificate holder, warned Craig Spiezle, executive director and president of the Online Trust Alliance. “From a fraud and brand protection perspective, organizations in both the public and private sector should be deploying OV or EV SSL certificates,” Spiezle said.

The availability of free certificates will also exacerbate the challenges organizations face managing existing certificates. Large organizations, especially the Global 5000, already have to manage thousands of certificates from as many as a dozen different certificate authorities. If a new application or hardware uses free certificates, then the enterprise has a new certificate authority on its network. Even if the certificates are taken care of automatically, IT teams still need to manage this list and track who is issuing which certificate and who is in control, Bocek said.

Despite such potential difficulties, the move toward getting more sites to adopt TLS is a positive one. Let’s Encrypt plans to make certificates generally available the week of Nov. 16. The project plans to issue more and more certificates, beginning with a small number of whitelisted domains. Domain owners can sign up as beta testers and get their domains added to the whitelist from the Let's Encrypt site.

The current certificate is not cross-signed, so loading the page over HTTPS will give visitors an untrusted warning. The warning goes away once the ISRG root is added to the trust store. ISRG expects the certificate to be cross-signed by IdenTrusts’s root in about a month, at which point the certificates will work nearly anywhere. The project also submitted initial applications to the root programs for Mozilla, Google, Microsoft, and Apple so that Firefox, Chrome, Edge, and Safari would recognize Let's Encrypt certificates.

Copyright © 2015 IDG Communications, Inc.