Encryption in the internet community, particularly the e-commerce sector, is being adopted widely, and many vendors have come forward to offer free digital certificates to eager clients. In January this year, Amazon announced that it would give away free SSL/TLS certificates to websites that use the cloud-based Amazon Web Services (AWS) platform.
Let’s Encrypt, an open source Certificate Authority (CA) run by the Electronic Frontier Foundation, issued its first HTTPS certificate in September 2015. As of March, Let’s Encrypt boasts of having issued over a million free certificates covering more than 2.4 million domains.
At a time when businesses are scrambling for resources to get proper encryption for their domains, free certificates from AWS and Let’s Encrypt have come as a great windfall. And this trend is going to grow: other major internet giants are soon going to dole out free digital certificates to woo business clients. But are free digital certificates on par with paid ones? In this article, we discuss the shortcomings of free digital certificates and what lies ahead for the future of encryption.
Free Doesn’t Equal Safe
Amazon has a business agenda behind handing out freebies: by offering the convenience of an added security layer for its clients, AWS Certificate Manager (ACM) helps e-tailers overcome encryption hassles and focus on their business. But unlike CAs whose prime concern is security, Amazon has put little thought into keeping its private keys safe.
At present, ACM stores the corresponding private keys in the cloud, where they remain highly vulnerable to hacking. Worse, third-party actors who can penetrate the ACM cloud environment can issue their own certificates and keys.
In the case of Let’s Encrypt, the risk is different but no less dangerous. Anyone familiar with the SSL industry is aware of the notorious Heartbleed vulnerability that terrorized the internet community by inflicting damage on OpenSSL, the biggest open-source library for the Secure Sockets Layer and TLS protocols. Being an open-source platform, Let’s Encrypt bears similar risks from online attacks, especially because it promises to encrypt the internet for free, which is a vexing matter of concern to groups that want to pry into personal and confidential data.
Lack of SSL Inspection
In any network, the flux of encrypted communications either comes from external, cloud-based applications or originates internally. If malicious files are masquerading as encrypted data, network admins have no clue or control to contain them. SSL inspection tools are the only way out, because they let you inspect, analyze, and optimize secure data packets, including traffic that comes from elsewhere and is outside your control.
The problem with CAs giving away freebie SSL certs is that they don’t offer SSL inspection services. Commercial CAs offer SSL inspection and detection services bundled with their digital certificates or as a paid service. Unless new CAs like Let’s Encrypt and ACM come up with ways to safeguard all aspects pertinent to their SSL certs, their products are going to remain highly vulnerable to online threats.
More Free Certs, Less Security
In today’s day and age, state-sponsored cybercrime is the biggest threat to online security because of its nefarious data-theft campaigns and unlimited resources. Data encryption is its arch-enemy, and state actors, along with other players lurking in the internet’s netherworld, will go to any length to foil the encryption chain. The fad of issuing free SSLs will only pave the way for more vendors to issue their own digital certificates, most of them putting in tepid efforts to meet the requirements. Hacker groups are naturally inclined to attack these domains because free certs have more security blind spots than ones made with long-term commercial and security implications in mind.
Moreover, infosec experts believe that it is difficult to recover from the damage of data loss if, for example, Amazon’s CA is compromised, because ACM doesn’t support transitioning domains to a secondary CA, despite this being a requirement outlined specifically by the U.S. National Institute of Standards and Technology (NIST) as best practice in the event of CA compromise and fraudulent certificate issuance. At present, ACM doesn’t revoke compromised PKIs and certs; instead, it asks domain owners to create a ticket for future resolution.
The Way Ahead
Contrary to what we discussed above, not all free SSL certificates are alike. SSL certificates offered by long-standing CAs, such as Comodo, come as a “freemium,” meaning that you can get a free SSL certificate for a limited time and upgrade to the paid version after the trial period is over. The benefit is that these certificates offer the strongest possible encryption and recovery alternatives, unlike ACM and Let’s Encrypt.
The fact that companies are taking ambitious measures to encrypt the whole internet is a noble cause in itself, but unless they address the challenges discussed above, encryption security is only going to get tangled further. For now, we recommend that vendors who need SSL encryption get it from reputed CAs that they trust, instead of falling for free gimmicks that do it only for name’s sake.