Apple's move to encrypt your iPhone and WhatsApp's rollout of end-to-end encrypted messaging have generated plenty of privacy applause and law enforcement controversy. But more quietly, a small non-profit project has enacted a plan to encrypt the entire global web. Earlier this week, the San Francisco-based Internet Security Research Group (ISRG) announced that the initiative it calls Let's Encrypt is coming out of beta--and that it's making serious headway toward helping tens of millions of unencrypted sites around the world switch from the insecure web standard HTTP to HTTPS, which encrypts your web browsing to protect it from surveillance. Without that layer of encryption, a regular HTTP connection can be intercepted and read by anyone between a web visitor's browser and the site he or she is visiting--whether a hacker on the same Wi-Fi network, an internet service provider, or a government agency. Since launching less than six months ago, Let's Encrypt has helped 3.8 million websites switch to HTTPS encryption, taking a significant chunk out of the unprotected web data that's available to those eavesdroppers.
Let's Encrypt, the most popular free certificate signing authority, is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and fixed two hours after discovery, affected the way it checked domain name ownership before issuing new TLS certificates. As a result, a certificate could be issued without adequately validating the holder's control of a domain name. Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name. Let's Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record authorizing that domain before issuing the certificate.
In the next step of a project dear to its heart, encrypting the Web, Let's Encrypt has now made wildcard certificate support live. The certificate authority, which offers free SSL and TLS certificates to webmasters, said this week that support is now live for wildcard certificates, alongside ACMEv2. First announced back in 2017, Let's Encrypt "wildcard" certificates are free certificates for HTTPS deployment. Wildcard certificates work in the same way as traditional TLS certificates, but a single certificate can secure a domain and an unlimited number of its sub-domains, making deployment quicker. Another important aspect is that these certificates are free, which means that any webmaster can use them to enable encryption without opting for pricey alternatives.
Millions of secure websites won't load on smartphones that run Android 7.1 or older after September 2021, it has been revealed. US-based certificate authority Let's Encrypt said a change in its criteria from next September will mean old Android operating systems won't trust its root certificates. Root certificates are issued by certificate authorities like Let's Encrypt to verify that the software or website owner is who they say they are. Currently, around 66 per cent of Android devices are running version 7.1.1. The remainder that run Android 7.1 and older will start getting certificate error messages when they visit sites that have a Let's Encrypt certificate on the default Android browser – Google Chrome.