From encrypting the web to encrypting the net: 2018 year in review

Thanks to Let’s Encrypt and Certbot, it’s easier than ever to turn on HTTPS for your website. In February, we were excited that Let’s Encrypt had issued 50 million active certificates. Today, this number has reached 87 million! Certbot operates at a similar scale, with millions of users using Certbot every month to obtain and renew their certificates. And it’s continuing to improve—at the beginning of the year, a new version of ACME (the protocol that drives Let’s Encrypt and Certbot) was released, allowing website owners to obtain wildcard certificates in an easy and automated way.

And it’s not just EFF. The entire ecosystem is working together to make web more secure. In July, Chrome began marking HTTP sites as “not secure,” leading to a noticeable increase in worldwide HTTPS adoption. Hosting providers like GitHub Pages have started providing Let’s Encrypt certificates too, making “turning on HTTPS” a one-click process for their customers.

And these examples are just a couple small drops in a giant wave of HTTPS. The ecosystem is on board and as excited as we are to make the insecure web a relic of the past.

Onwards, towards encrypting the net
Given the success in encrypting the web, EFF is broadening the scope of its mission to encrypting the entire Internet—starting with email. As of this year, Let’s Encrypt certificates are now trusted by all major root programs, meaning it’s trusted by major operating systems and devices, in addition to browsers. We can safely assume that every modern computing device has the means to authenticate a Let’s Encrypt certificate, so let’s get started!

This year, EFF rebooted STARTTLS Everywhere, an initiative to track the security of the email ecosystem. According to Google’s Transparency Report, approximately 90% of emails sent to or from Gmail are encrypted using STARTTLS. However, not only is STARTTLS vulnerable to a simple downgrade attack, but email has no widely-used TLS certificate authentication mechanism. This means it’s also vulnerable to on-path impersonation attacks. Similar to HTTPS Everywhere’s rulesets and the HSTS preload list on modern browsers, we’re maintaining and distributing a list of mailservers’ TLS information.

Certbot has also released some improvements that make it easier to use with mailserver software.

And just a couple months ago, the Internet Engineering Task Force (IETF) published two RFCs (Request for Comments, typically documents that describe new Internet standards), MTA-STS and TLSRPT, which have been in the works since 2014. MTA-STS provides a way for mailservers to discover other mailservers’ TLS information, and TLSRPT closes an error-reporting feedback loop that may help lower breakages from TLS misconfigurations, thus lowering the risk of deploying new security standards.

Improving TLS
In the realm of Encrypting the Net, 2018 has also seen several improvements to TLS itself. The specification for TLS 1.3 has landed, making TLS way faster by shortening the initial handshake drastically, and hardening its security by enabling forward secrecy by default.

To work properly, TLS relies on third parties called Certificate Authorities (CAs) like Let’s Encrypt to behave. Certificate Transparency, a technology to dramatically increase CA accountability and auditability, has gained a lot of traction in 2018. Starting in April, Chrome started requiring Certificate Transparency for all newly issued certificates. Let’s Encrypt also rolled out full support by embedding Certificate Transparency proofs in their issued certificates.

Finally, we saw a number of experiments and continuing work with DNS-over-HTTPS, DNS-over-TLS, and Encrypted SNI, which help protect Internet-browsing metadata from being exposed to network eavesdroppers.

We’ve come a long way, but still have a long way to go. Let’s resolve to close the gap and really get “HTTPS everywhere” next year. Here’s to hoping 2019 will be as fruitful for Internet security as the past couple of years have been for web security.

Sybdney Li and Alexis Hancock are Staff Technologists at the EFF. This article is published courtesy of the Electronic Frontier Foundation (EFF).