Microsoft has added Let’s Encrypt’s root certificate, ISRG Root X1, to its trust store, meaning that all of the major browser and operating system root programs, including Apple, Blackberry, Google, Microsoft, Mozilla and Oracle, now directly trust the Let’s Encrypt root.
Let’s Encrypt issues free digital certificates that websites use to enable HTTPS, which encrypts traffic between the browser and the site. Microsoft’s vote of confidence is therefore good news for the certificate authority’s effort to build a web where 100 percent of pages load over HTTPS, though it should be noted that this isn’t a fait accompli just yet.
While Let’s Encrypt certificates can now stand on their own for almost all newer versions of operating systems, browsers and devices, many older versions still don’t carry ISRG Root X1 in their trust stores and so don’t directly trust them.
“We’ll need to wait for the vast majority of those to cycle out of the web ecosystem. We expect this will take at least five more years, so we plan to use a cross signature until then,” explained Josh Aas, executive director at the Internet Security Research Group (ISRG), the non-profit behind Let’s Encrypt, in a blog post yesterday.
Fortunately, certificates from Let’s Encrypt have been widely trusted until now thanks to another certificate authority, IdenTrust, which cross-signs Let’s Encrypt’s intermediate certificate; that cross-signature will remain in place to accommodate legacy clients.
“Browsers and operating systems have not, by default, directly trusted Let’s Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly,” Aas explained.
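As an added example that is not part of the original article and not Let’s Encrypt’s or IdenTrust’s own tooling, the script below builds a throwaway PKI with the openssl command-line tool to show mechanically what the cross signature Aas describes does, and why the older clients mentioned above still depend on it. “Legacy Root”, “New Root”, “Issuing CA” and www.example.test are stand-in names chosen for the example, not the real IdenTrust root, ISRG Root X1 or Let’s Encrypt certificates; the only requirement is OpenSSL 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example (not Let's Encrypt or IdenTrust tooling): a throwaway PKI that
# shows why a cross-signature lets old and new trust stores validate one leaf.
# Stand-in names (assumptions, not real certificates): "Legacy Root" plays the
# IdenTrust root, "New Root" plays ISRG Root X1, "Issuing CA" the intermediate.
# Requires the openssl command-line tool (1.1.1 or later).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# make_root <stem> <CN>: self-signed root certificate and key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
    -extensions v3_root -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_csr <stem> <CN>: fresh key pair plus certificate signing request
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign <csr> <issuer-cert> <issuer-key> <ext-section> <out>: issue a certificate
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile pki.cnf -extensions "$4" -out "$5" 2>/dev/null
}

make_root legacy  "Legacy Root"
make_root newroot "New Root"

# The intermediate has ONE key pair but TWO certificates for it: one issued by
# New Root, one issued by Legacy Root. The second one is the cross-signature.
make_csr issuing "Issuing CA"
sign issuing.csr newroot.crt newroot.key v3_ca issuing-direct.crt
sign issuing.csr legacy.crt  legacy.key  v3_ca issuing-cross.crt

# The site certificate is signed by the intermediate's key; which of the two
# intermediate certificates the server sends alongside it is a deployment choice.
make_csr leaf "www.example.test"
sign leaf.csr issuing-direct.crt issuing.key v3_leaf leaf.crt

# verify_chain <trust-store.pem> <served-intermediate.crt>
# Returns 0 when leaf.crt validates using only that store (system CA dir ignored).
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" leaf.crt \
    >/dev/null 2>&1
}

# report <label> <store> <intermediate>: human-readable result for one scenario
report() {
  if verify_chain "$2" "$3"; then echo "$1: valid"; else echo "$1: rejected"; fi
}

report "old store (Legacy Root only), cross-signed intermediate" legacy.crt  issuing-cross.crt
report "old store (Legacy Root only), direct intermediate"       legacy.crt  issuing-direct.crt
report "new store (New Root only), direct intermediate"          newroot.crt issuing-direct.crt
report "new store (New Root only), cross-signed intermediate"    newroot.crt issuing-cross.crt
```

The intermediate key never changes; only the root that vouches for it differs, which is what lets a client that has never heard of New Root validate the same site certificate. The last case shows the flip side of the transition: a client that trusts only New Root and does not already hold the directly issued intermediate cannot use the cross-signed one, so which chain a server sends still matters. The OpenSSL CLI used here does not go looking for missing intermediates; browsers behave somewhat differently because they cache intermediates they have seen before.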
This is the latest in a series of significant strides the CA has made towards a more secure web since its inception. When Let’s Encrypt first entered public beta in December 2015, less than 40 percent of page loads used HTTPS. Two and a half years later, Let’s Encrypt is providing certificates for more than 115 million websites, and more than 70 percent of page loads across major browsers use HTTPS. In the most popular browser, Google Chrome, 85 percent of page loads use HTTPS. Chrome recently started labeling all HTTP sites as “not secure,” which should give Let’s Encrypt further momentum going forward.
The stakes remain high, as Aas recently told Threatpost: “When someone visits a website that does not use HTTPS, the entire interaction is broadcast in the clear for anyone on the network path to see. Furthermore, the interaction can be tampered with to include anything from ads to malware.”
Let’s Encrypt subscribers don’t need to take any action in response to the new milestone, other than making sure their ACME clients (such as Certbot or an alternative) are kept up to date.