No domain left behind: is Let’s Encrypt democratizing encryption? (PowerPoint PPT presentation)

SLIDE 1

No domain left behind

is Let’s Encrypt democratizing encryption?

M. Aertsen¹, M. Korczyński², G. Moura³

¹ National Cyber Security Centre, The Netherlands
² Delft University of Technology, The Netherlands
³ SIDN Labs, The Netherlands

ICANN58, Tech day

SLIDE 2

More than half of web traffic nowadays is encrypted

Yet that leaves out a lot of people without HTTPS

[Plots: Firefox telemetry¹ and Chrome telemetry²]

¹ https://telemetry.mozilla.org/, plot based on Let’s Encrypt stats page
² https://www.google.com/transparencyreport/https/metrics/

SLIDE 3

Certificates are required for encryption on the web

Obtaining and deploying certificates is not free

▶ Cost: purchase, deployment and renewal
▶ Complexity: request, deployment (at scale)

Let’s Encrypt³ aims to make encrypted traffic ubiquitous

▶ Reducing certificate cost of purchase and renewal to zero
▶ Automation of request, issuance and deployment (ACME: protocol⁴ and clients, e.g. Certbot⁵)

³ https://letsencrypt.org
⁴ https://ietf-wg-acme.github.io/acme/
⁵ https://certbot.eff.org/

SLIDE 4

No domain left behind

Is Let’s Encrypt democratizing encryption?

Research question

“In its first year of certificate issuance, has Let’s Encrypt been successful in democratizing encryption?”

Approach

▶ Analyze issuance in the first year of Let’s Encrypt
▶ Show adoption trend from various perspectives
▶ Analyze coverage for the lower-cost end of the market

SLIDE 5

Contribution

We show that

▶ 98% of certificates are issued outside Alexa 1M
▶ yet issuance is not restricted to the lower end of the market
▶ Let’s Encrypt’s growth is attributed to adoption by major players
▶ 3 hosting providers are responsible for 47% of the Let’s Encrypt certified domains
▶ Issuance is dominantly for the lower-cost end of the market (shared hosting)
▶ The majority of certificates are correctly renewed after their first expiration (90 days)

And find that

Let’s Encrypt has indeed started to democratize encryption.

SLIDE 6

Methodology

Period covered

One year of Let’s Encrypt certificate issuance, Sept 2015-2016

Results based on FQDNs reduced to 2LD/3LD form

▶ e.g. example.org (2LD) or example.co.uk (3LD), depending on availability per TLD registry

Datasets

▶ Certificates: Certificate Transparency
▶ Domain to IP mapping: Farsight DNSDB
▶ Organization mapping: methodology from previous work, using whois data & MaxMind GeoIP2
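The FQDN-to-2LD/3LD reduction described on this slide, as an added example in Python that is not part of the presentation or the authors' pipeline. The suffix table, the sample FQDNs and the function names are assumptions of this example; a real pipeline would load the full Public Suffix List (https://publicsuffix.org/) instead of the constructed, deliberately tiny table used here.

```python
# Added example, not from the presentation: reduce certificate FQDNs to the
# registrant-level domain (2LD, or 3LD where a registry such as .uk allocates
# names under second-level labels). PUBLIC_SUFFIXES is a constructed stand-in
# for the Public Suffix List; a real pipeline would load the full list.
from typing import Iterable, List, Optional

# Constructed: suffixes under which registrants obtain names. A name that
# matches one of these exactly is a suffix, not a registered domain.
PUBLIC_SUFFIXES = {
    "org", "com", "net", "nl",
    "uk", "co.uk", "org.uk", "ac.uk",   # most .uk names are registered at 3LD
}


def registered_domain(fqdn: str) -> Optional[str]:
    """Return the registrant-level domain of an FQDN, or None when the name is
    malformed, is itself a public suffix, or ends in an unknown suffix.

    The longest matching public suffix wins, so 'shop.example.co.uk' reduces
    to 'example.co.uk' (3LD) while 'www.example.org' reduces to 'example.org'
    (2LD), mirroring the slide's example.
    """
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    if ".".join(labels) in PUBLIC_SUFFIXES:
        return None  # e.g. 'co.uk' itself: there is no registrant behind it
    # Candidate suffixes from longest to shortest: labels[1:], labels[2:], ...
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None  # unknown TLD: cannot decide, so leave it out of the count


def domain_level(domain: str) -> int:
    """Label count of a reduced domain: 2 for a 2LD, 3 for a 3LD."""
    return len(domain.split("."))


def unique_domains(fqdns: Iterable[str]) -> List[str]:
    """Deduplicate certificate FQDNs at the registered-domain level, which is
    the unit the slides count as a 'certified domain'."""
    reduced = {registered_domain(f) for f in fqdns}
    reduced.discard(None)
    return sorted(reduced)


# Constructed sample: FQDNs as they might appear in certificate SAN entries.
SAMPLE_FQDNS = [
    "www.example.org", "mail.example.org", "example.org.",
    "shop.example.co.uk", "example.co.uk",
    "a.b.example.nl",
    "co.uk",              # a public suffix, not a registered domain
    "localhost",          # single label, not a domain for our purposes
]

if __name__ == "__main__":
    for d in unique_domains(SAMPLE_FQDNS):
        print(f"{d:20s} {domain_level(d)}LD")
```

Counting at this level is what keeps a hosting provider's thousands of per-subdomain certificates from inflating the "domains" figures; the same reduction is what lets the Let's Encrypt counts be compared with the DNSDB "known domains" totals on the later slides.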

SLIDE 7

98% of certificates are issued outside Alexa 1M …

[Plot: % of total usage of Let’s Encrypt, log scale 0.001% to 100%, Sep '15 to Sep '16; series: Alexa 1M, Alexa 100k, Alexa 10k, Alexa 1k]

SLIDE 8

…yet issuance is not restricted to the lower end of the market

[Plot: % of domains using Let’s Encrypt, 0% to 20%, Sep '15 to Sep '16; series: Alexa 1M, Alexa 100k, Alexa 10k, Alexa 1k, DNSDB]

SLIDE 9

Growth is attributed to adoption by major players

3 hosting providers are responsible for 47% of the Let’s Encrypt certified domains

November 2015: 14K Let’s Encrypt domains, 60K organisations, 127M known domains

September 2016: 4.4M Let’s Encrypt domains, 66K organisations, 205M known domains
SLIDE 12

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Issuance is dominantly for web hosting

So far, no surprises

0% 20% 40% 60% 80% 100% S e p ' 1 5 O c t ' 1 5 N

  • v

' 1 5 D e c ' 1 5 J a n ' 1 6 F e b ' 1 6 M a r ' 1 6 A p r ' 1 6 M a y ' 1 6 J u n ' 1 6 J u l ' 1 6 A u g ' 1 6 S e p ' 1 6 % of Let's Encrypt domains unknown cdn isp hosting

  • ther

parking edu ddos-protection gov

SLIDE 13

Over 90% of domains in hosting are on shared hosting

Issuance is dominantly for the lower-cost end of the market

[Plot: % of Let’s Encrypt domains in hosting, 0% to 100%, Sep '15 to Sep '16; series: shared hosting, non-shared hosting]

SLIDE 14

Let’s Encrypt certificates are valid for 90 days

The majority of certificates are correctly renewed after their first expiration

[Plot: fraction of FQDN coverage (0.2 to 1) against days since initial issuance of certificate (90, 180, 270, 360); series: continuous, gap ≤ 1 week]
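The renewal-continuity measurement behind this plot, as an added example in Python that is not part of the presentation or the authors' code. Given each FQDN's certificate validity windows (notBefore, notAfter) of the kind extracted from Certificate Transparency logs, it computes the fraction of FQDNs still covered N days after their first issuance, both strictly ("continuous") and tolerating a renewal gap of at most one week. The dataset, the 90-day constant and all function names are assumptions of this example.

```python
# Added example, not from the presentation: renewal continuity per FQDN from
# certificate validity windows (notBefore, notAfter) as found in CT logs.
# The dataset below is constructed; the functions and the 90-day constant are
# assumptions of this example, chosen to mirror the slide's plot.
from datetime import date, timedelta
from typing import Dict, List, Tuple

LE_VALIDITY_DAYS = 90  # Let's Encrypt certificate lifetime, per the slide

Window = Tuple[date, date]  # (notBefore, notAfter); notAfter treated as exclusive


def issue(not_before: date, days: int = LE_VALIDITY_DAYS) -> Window:
    """Validity window of a certificate issued on not_before."""
    return (not_before, not_before + timedelta(days=days))


def merge_windows(windows: List[Window]) -> List[Window]:
    """Collapse overlapping or back-to-back windows into disjoint covered spans."""
    merged: List[Window] = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def covered_until(windows: List[Window], max_gap_days: int) -> date:
    """Last date (exclusive) up to which the FQDN is covered, tolerating gaps
    of at most max_gap_days between consecutive spans. max_gap_days=0 is the
    'continuous' series; 7 is the 'gap <= 1 week' series."""
    spans = merge_windows(windows)
    end = spans[0][1]
    for start, next_end in spans[1:]:
        if (start - end).days > max_gap_days:
            break  # renewal came too late: coverage ends at the previous expiry
        end = next_end
    return end


def coverage_fraction(certs: Dict[str, List[Window]], day: int,
                      max_gap_days: int = 0) -> float:
    """Fraction of FQDNs still covered `day` days after their first issuance."""
    still_covered = 0
    for windows in certs.values():
        first = min(start for start, _ in windows)
        target = first + timedelta(days=day)
        if covered_until(windows, max_gap_days) > target:
            still_covered += 1
    return still_covered / len(certs)


def sample_certs() -> Dict[str, List[Window]]:
    """Constructed dataset: four FQDNs with different renewal behaviour."""
    d0 = date(2015, 12, 1)
    return {
        # renewed early every time: continuous coverage for over a year
        "a.example.org": [issue(d0), issue(date(2016, 2, 1)), issue(date(2016, 4, 15)),
                          issue(date(2016, 7, 1)), issue(date(2016, 9, 15))],
        # never renewed: drops out at day 90
        "b.example.org": [issue(d0)],
        # renewed 4 days late: counts only under the one-week gap tolerance
        "c.example.org": [issue(d0), issue(date(2016, 3, 4))],
        # renewed 20 days late: beyond the tolerance, so it drops out at day 90
        "d.example.org": [issue(d0), issue(date(2016, 3, 20))],
    }


def renewal_curve(certs: Dict[str, List[Window]],
                  days=(90, 180, 270, 360)) -> Dict[str, List[float]]:
    """Both series of the slide's plot, sampled at the given day marks."""
    return {
        "continuous": [coverage_fraction(certs, d, 0) for d in days],
        "gap <= 1 week": [coverage_fraction(certs, d, 7) for d in days],
    }


if __name__ == "__main__":
    for series, values in renewal_curve(sample_certs()).items():
        print(series, values)
```

The gap between the two series is the population that renews, but late: an operator whose automation fires only after expiry. The strict series is the one that matters for users, since a browser will reject the site during the gap however short it is; the tolerant series is the better indicator of whether the domain is still actively maintained.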

SLIDE 15

Summary

We find that Let’s Encrypt has indeed started to democratize encryption

Certificate issuance in the first year of Let’s Encrypt

▶ used widely, dominated by the low-cost share of the market (shared hosting)
▶ which would have been unlikely to deploy the complex and costly X.509 certificates before
▶ enables big hosting providers to issue and deploy certificates for their customers in bulk
▶ thus quickly and automatically enabling encryption across a large number of domains
▶ e.g. 47% of Let’s Encrypt certified domains are hosted at three large hosting companies (Sept 2016)
▶ 70% of the Let’s Encrypt certified domains remain active after the first issuance of the certificate⁶

⁶ Let’s Encrypt certificates expire after three months

SLIDE 16

In conclusion

Future work

▶ extend measurement period
▶ issued versus deployed
▶ active scans on shared hosting require prior knowledge of domains served (SNI)
▶ use by malicious actors

Contact details

Maarten Aertsen, maarten.aertsen@ncsc.nl
Maciej Korczyński, maciej.korczynski@tudelft.nl
Giovane Moura, giovane.moura@sidn.nl

For more information, including related work & references, please see arXiv:1612.03005 (pending publication)


SLIDE 18

Absolute and relative growth

Time series for FQDNs, domains, and DNSDB ratio

[Plot: unique certified domains (2M to 14M, left axis) and % of DNSDB (0.01% to 10%, log scale, right axis), Sep '15 to Sep '16; series: FQDNs (absolute), domains (absolute), domains (relative)]