How to Use “Let’s Encrypt” to Protect Your IT Organization

Security TechTrends | zvelo Series by Eric Watkins, Senior Malicious Detection Researcher at zvelo

In today’s world of malware and ransomware created to steal credentials and lock end users out of their machines, it’s important that we safeguard our credentials and data both at rest (stored on our machines) and in transit (passing over the network). One of the best ways to secure data in transit is by ensuring that the services we use are configured to enable the strongest encryption possible. Unfortunately, many IT organizations struggle to implement even basic encryption across the board on internal intranet web servers because of the cost and complexity of setting up SSL certificates and/or implementing an internal Certificate Authority (CA).

The Open Web Application Security Project (OWASP) was created as an open standards body focused on improving the security of software. Security around data in transit is so important that it made the OWASP Top 10 list at #6. You can learn more about the rest of the OWASP Top 10.

A few years ago at a DEFCON conference, an organization called “Let’s Encrypt” led a session on their new project. Although this group was not well-known at the time, their ambitious goals made me feel that I should hear what they had to say, even if it was just to save money. Their initiative was to hand out free SSL certificates that anyone could use to secure their website. Let’s Encrypt sought to eliminate the cost and technology barrier associated with the certificates and, in turn, enable the entire web to use secure encryption.

To enable HTTPS with Let’s Encrypt as your Certificate Authority, you (or your webadmin) will need to work through the implementation guide. They have very good documentation that will walk a webadmin through every step in the process. One thing to remember is that the certificates they issue are valid for 90 days. After 90 days have elapsed, you must either schedule or script a re-issuance request in order to keep the certificate current. A paid SSL Certificate Authority may be a better choice for your project if you don’t want to deal with obtaining a new certificate every 90 days; however, some IT organizations are on very limited budgets and don’t mind scripting or scheduling this process.
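
As an added example (not from the original post or from Let’s Encrypt), here is a small shell script for the scheduled renewal just described: it reads the expiry date from an issued certificate, computes the days remaining, and triggers a certbot renewal when fewer than 30 remain. The certbot command, the /etc/letsencrypt/live path and GNU date are assumptions; run it from cron with the domain names as arguments.

```shell
#!/usr/bin/env bash
# Added example: check remaining validity of a Let's Encrypt certificate
# and renew it when it is inside the renewal window.
# Assumes GNU date, openssl and certbot (default live path) are installed.
set -e

RENEW_THRESHOLD_DAYS=30   # certbot's own default: renew when < 30 days remain

# days_until_expiry NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the string openssl prints, e.g. "Oct 12 14:03:00 2017 GMT".
# Prints whole days remaining (negative once the certificate has expired).
days_until_expiry() {
    local not_after="$1"
    local now="${2:-$(date -u +%s)}"
    local exp
    exp=$(date -u -d "$not_after" +%s)
    echo $(( (exp - now) / 86400 ))
}

# needs_renewal DAYS_LEFT -> succeeds when renewal should run now
needs_renewal() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# cert_not_after PEM_FILE -> the notAfter field of a certificate file
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2
}

# check_and_renew DOMAIN: inspect the live certificate, renew if needed.
check_and_renew() {
    local domain="$1"
    local pem="/etc/letsencrypt/live/$domain/cert.pem"   # assumed certbot layout
    local left
    left=$(days_until_expiry "$(cert_not_after "$pem")")
    if needs_renewal "$left"; then
        echo "$domain: $left day(s) left, renewing"
        certbot renew --cert-name "$domain" --quiet
    else
        echo "$domain: $left day(s) left, no action"
    fi
}

# Each argument is a domain managed by certbot; no arguments means no work.
for domain in "$@"; do
    check_and_renew "$domain"
done
```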

Just this month, in July 2017, Let’s Encrypt reached a major milestone: 100 million certificates issued. Following this milestone, the initiative announced its intention to enable wildcard certificates. This feature will help reduce the configuration burden on larger corporate enterprises and removes one last barrier to more secure web implementations. Let’s Encrypt will begin issuing these wildcard certificates in early 2018, so try the free basic certificates now and be ready to go when the new service launches in January 2018.