Free SSL certificates secure neither your keys nor your certificates!

One million of them have already been distributed!

One million free SSL certificates already distributed by Let’s Encrypt.
A few months after the effective launch of this project, which started in mid-September 2015, Let’s Encrypt has just passed the symbolic mark of one million SSL certificates for HTTPS hosting distributed free of charge around the world.

The proliferation of free certificate issuance weakens the security of the Internet. The growing number of key and certificate compromises will encourage malicious actors to slip into the blind spots created by carefully encrypted traffic. These actors’ objective: to hide their attacks.

Kevin Bocek, VP Threat Intelligence and Security Strategy at Venafi, states: “Kudos to the Let’s Encrypt initiative for already issuing a million free certificates. This is a great thing—more SSL/TLS protects data and privacy. But more certificates, and especially those that are not continuously monitored and secured from misuse, will certainly create more criminal interest and activity.
The use of digital certificates to appear trusted and hide inside encrypted traffic is fast becoming the default for cyber attackers — which almost counteracts the whole purpose of adding more encryption and trying to create a more trustworthy Internet with free certificates. In fact, we’ve already seen free certificates misused by bad guys, including a recent malvertising campaign that used certificates issued from Let’s Encrypt. Cyber criminals will increasingly misuse keys and abuse certificate trust to bypass security controls.
It’s becoming more difficult to know what to trust, and the increased use of encryption is creating more blind spots for threat protection systems. The risks are very real when certificates are misused, including allowing bad guys to hide in encrypted traffic to transmit malware or steal data, eavesdrop on “secure” communications using man-in-the-middle (MitM) attacks, spoof websites for phishing attacks, and distribute malware that is signed using a seemingly legitimate certificate.
The value of a certificate will not be in its issuance cost, but will be based on the value and reputation of the issuing CA and on the certificate’s purpose. To maintain that value, organizations must ensure the integrity and security of their certificates.”