Certificate authority Let’s Encrypt is celebrating a major milestone in the young nonprofit’s existence, issuing its 5 millionth certificate this month. Let’s Encrypt launched to the general public just seven months ago.
“Our goal is to get the entire web 100 percent HTTPS,” said Josh Aas, executive director for the Internet Security Research Group, the nonprofit that helped launch Let’s Encrypt. “By adding 5 million certificates, representing 7 million unique domains, we are now within reach of encrypting 50 percent of all internet traffic,” Aas said in an interview with Threatpost.
In December 2015, according to data culled from Firefox telemetry, roughly 39.5 percent of Firefox browser page loads were protected by HTTPS connections. Today the number is 45 percent.
“We thought 5 million certificates was a hard goal to reach, but with the success we are seeing the 50 percent milestone looks like a possibility this year,” Aas said.
HTTPS is key to securing communications between a client and server and thwarting attacks such as last year’s so-called Great Cannon attack. HTTPS is a combination of the HyperText Transfer Protocol (HTTP) and the Secure Socket Layer (SSL) protocol. Together, as HTTPS, they encrypt communication sessions between a computer’s web browser and a web server. The absence of HTTPS leaves that connection between browser and web server vulnerable to sniffing attacks with tools such as Firesheep that can intercept unencrypted data.
Aas said some major players on the web, such as online retailers and online advertisers, are still reluctant to adopt more secure internet communications. Aas explains the transition can be complicated because some companies own hundreds of domains.
In other cases, websites that aggregate content from multiple sites run into browser limitations that prevent HTTP content from rendering correctly alongside HTTPS content in one browser window. For example, any online advertiser whose ads do not use HTTPS will have problems rendering its ads on HTTPS sites.
“As a community, increased awareness about HTTPS is impressive,” Aas said. By lowering the cost to zero and making it easy for companies to migrate to a more secure web, the next 5 million sites to adopt HTTPS will be even easier to attain, he said.
Let’s Encrypt’s efforts complement other efforts within the industry. In May, Google flipped the switch on default HTTPS support for its free domain service provider Blogspot, upping the security ante for the millions of users of the popular platform. The move is part of Google’s larger HTTPS everywhere initiative, announced at Google I/O in 2014.
In June 2015, WordPress announced it would be serving all *.wordpress.com subdomains only over HTTPS by the end of 2015. Companies such as Facebook have supported HTTPS since 2011.