Let’s Encrypt has become a well-known service for helping websites enable TLS (the encryption behind HTTPS). We can’t brush over the good that Let’s Encrypt has done for the internet as a whole, but it’s not a perfect solution.
Let’s Encrypt Doesn’t Have “Skin In The Game”
Let’s Encrypt is a certificate authority (CA), meaning it issues certificates that bind a public key to a domain name so that browsers can check they are talking to the genuine site rather than an impostor. Most certificate authorities are businesses that charge a fee for a certificate, and some of what they sell is extra vetting of the organization behind the site. Let’s Encrypt, on the other hand, is run by a non-profit and issues free domain-validated certificates: it verifies only that the requester controls the domain, not who that requester is. The organization isn’t driven by revenue.
If there were a security failure in Let’s Encrypt’s signing keys or its issuance system, it would not have to worry about losing revenue from a damaged reputation or lost customers. Let’s Encrypt has a positive mission (to make the internet a better, safer, more secure place), but an organization with more to lose from a breach has a stronger commercial incentive to invest in security. One caveat worth keeping in mind: every publicly trusted CA, paid or free, is subject to the same independent audits and browser root-program rules, and the penalty for a serious failure is being distrusted by the browsers, which for any CA is fatal regardless of its business model.
People Want to “Set It and Forget It”, But That’s Not Always Possible
For most people and most websites, security is a bit of an afterthought. As a result, people look for a quick solution that they can set up once and then forget. This simply doesn’t work, because the threats we face are constantly changing. Attackers are always switching up their methods to avoid detection and to adapt to changing security measures.
From a security standpoint, convenient tools can be worse (in some ways) than tools that are more difficult to implement. Attackers have the most to gain from breaking systems that are widely used. According to Let’s Encrypt’s Stats page, it issues over 1 million certificates per day. Let’s Encrypt therefore has a massive user base, many of whom have only a basic understanding of how TLS works and what it does and does not protect.
Figure: Let’s Encrypt certificates issued per day
Free and Convenient Doesn’t Mean Effective
One of the main reasons people choose Let’s Encrypt is that it’s a free alternative to paid services and it sells itself as being very easy to implement. The purpose of TLS is to protect visitors to a website from someone monitoring the network and reading information such as login credentials and payment details that users enter into a page. The certificate’s part in that is authentication: it lets the visitor’s browser confirm it has reached the real site and not an impostor. The strength of the encryption itself is decided by the server’s TLS configuration (protocol versions and cipher suites), not by which CA issued the certificate, so a free certificate and a paid one protect the connection equally well if the server behind them is configured the same way.
The convenience of an automated solution like Let’s Encrypt leads people to feel that once the tool has been implemented, they’ve solved their security issue. Because it is automated, people assume any issues will be taken care of by Let’s Encrypt and are out of their hands. In practice, automated renewal still fails silently when something it depends on changes (a DNS record, a firewall rule, a moved web root), and a certificate that quietly expires takes the site down for every visitor, so expiry still has to be monitored.
Hackers Have The Most to Gain from Cracking Let’s Encrypt’s Key Management System
Systems with the most users offer the biggest payoff to the people trying to break them. These attackers are looking to get into systems to steal information, to disrupt services, or to make a point. The biggest impacts come from compromising large systems that many others depend on. Because Let’s Encrypt is free and “easy to implement”, it has developed a large user base across many popular websites, which makes it a correspondingly attractive target.
What Would Happen If Someone Cracked Let’s Encrypt’s Key Management System?
If attackers gained control of Let’s Encrypt’s signing keys or its issuance pipeline, they could not directly read traffic to existing sites: a site’s private key is generated on the site’s own server and is never sent to the CA, so the CA holds nothing that decrypts anyone’s traffic. What they could do is issue themselves valid certificates for domains they do not control and, combined with a position on the network path, use them to impersonate those sites and capture whatever users submit. The victim’s browser would show no warning, because the certificate chain itself would be valid, so such an attack could go unnoticed until the stolen data surfaced somewhere. The same holds for any publicly trusted CA, not just Let’s Encrypt. The practical defence is Certificate Transparency: Let’s Encrypt logs every certificate it issues to public CT logs, and a site owner who monitors those logs for their own domains can spot a certificate they never requested.
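The check a site owner would actually run, as an added example that is not Let’s Encrypt’s code or part of the original post: walk a Certificate Transparency feed for one domain, flag any certificate that was not obtained by your own ACME client (a misissued or attacker-obtained certificate), and at the same time flag certificates approaching expiry, which covers the “set it and forget it” failure mode above. The records below are constructed sample data whose field names are assumed to mirror crt.sh’s JSON output; the issuer allow-list, the known serials and the renewal window are likewise assumptions for the example.

```python
"""Audit a Certificate Transparency feed for one domain (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed. Assumption: field names mirror crt.sh's JSON output
# (a real run would fetch https://crt.sh/?q=%25.example.com&output=json).
SAMPLE_CT_FEED = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T00:00:00",
     "serial_number": "03aa"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com",
     "not_before": "2024-03-10T00:00:00", "not_after": "2024-06-08T00:00:00",
     "serial_number": "03bb"},
    # A certificate for our domain from a CA we never used: the case the
    # text describes, a certificate the site owner never requested.
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Issuing CA 1",
     "name_value": "example.com",
     "not_before": "2024-03-12T00:00:00", "not_after": "2025-03-12T00:00:00",
     "serial_number": "deadbeef"},
])

# Assumptions for the example: the issuers we expect, the serials our own ACME
# client recorded when it obtained certificates, and how early we want warning.
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}
KNOWN_SERIALS = {"03aa", "03bb"}
RENEWAL_WINDOW = timedelta(days=14)
AUDIT_TIME = datetime(2024, 3, 20, tzinfo=timezone.utc)


def parse_feed(raw_json):
    """Parse the feed into entries, collapsing precertificate/leaf pairs.

    CT logs usually hold both the precertificate and the final certificate;
    they share a serial number, so we keep one entry per serial.
    """
    by_serial = {}
    for rec in json.loads(raw_json):
        entry = {
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "names": set(rec["name_value"].split("\n")),
            "not_before": datetime.fromisoformat(rec["not_before"]).replace(tzinfo=timezone.utc),
            "not_after": datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc),
            "serial": rec["serial_number"].lower(),
        }
        by_serial.setdefault(entry["serial"], entry)
    return list(by_serial.values())


def find_unexpected(entries, expected_issuers=EXPECTED_ISSUERS, known_serials=KNOWN_SERIALS):
    """Return {id: [reasons]} for certificates we did not knowingly obtain."""
    findings = {}
    for e in entries:
        reasons = []
        if e["issuer"] not in expected_issuers:
            reasons.append("issuer not in allow-list: " + e["issuer"])
        if e["serial"] not in known_serials:
            reasons.append("serial not recorded by our ACME client: " + e["serial"])
        if reasons:
            findings[e["id"]] = reasons
    return findings


def find_expiring(entries, now, window=RENEWAL_WINDOW):
    """Return ids of certificates still valid at `now` that expire within `window`."""
    return sorted(e["id"] for e in entries if now <= e["not_after"] <= now + window)


def audit(raw_json, now):
    """Run both checks over a feed and return a report dict."""
    entries = parse_feed(raw_json)
    return {"unexpected": find_unexpected(entries), "expiring": find_expiring(entries, now)}


def run_demo():
    """Audit the constructed feed at the fixed AUDIT_TIME."""
    return audit(SAMPLE_CT_FEED, AUDIT_TIME)


if __name__ == "__main__":
    report = run_demo()
    for cert_id, reasons in report["unexpected"].items():
        print(f"UNEXPECTED certificate {cert_id}: " + "; ".join(reasons))
    print("certificates expiring within window:", report["expiring"])
```

On the sample feed the third record is reported as unexpected on both counts (unknown issuer, serial never recorded locally), and the first record is reported as expiring, since its notAfter falls within 14 days of the audit time. The serial check is the more important of the two: an attacker who compromised the CA you normally use would produce certificates with the expected issuer name, and only the list of serials your own client actually obtained distinguishes those from yours.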
The Positives of Let’s Encrypt
Let’s Encrypt is making the process of obtaining a certificate much easier, so websites that would otherwise never have been secured now can be. Small businesses and newer websites may not have the resources to devote to certificates, but now they can protect their users’ private information and establish trust with them.
Let’s Encrypt is Controlled By a Non-Profit
Let’s Encrypt is provided by the Internet Security Research Group, a non-profit organization. Although profit is not the driving force behind its security efforts, not having to focus on making money has its own advantages. Let’s Encrypt is funded by a number of well-known sponsors including Mozilla, Cisco, Google Chrome, Facebook and the Electronic Frontier Foundation. These sponsors have donated large sums of money to Let’s Encrypt because they believe in its vision and mission. If Let’s Encrypt failed to deliver on its promises, it could lose the funding it receives from these companies.
Another benefit of being a non-profit is that Let’s Encrypt is less likely to engage in shady business practices or cut corners in the interest of maximizing profits. Being a non-profit has its benefits, but it shouldn’t be blindly accepted as better than the alternative.