No domain left behind: is Let's Encrypt democratizing encryption?



SLIDE 1

No domain left behind: is Let's Encrypt democratizing encryption?

Maarten Aertsen (1), Maciej Korczyński (2), Giovane C. M. Moura (3), Samaneh Tajalizadehkhoob (2), Jan van den Berg (2)

(1) National Cyber Security Centre, The Netherlands
(2) Delft University of Technology, The Netherlands
(3) SIDN Labs, The Netherlands

IETF98 - IRTF - MAPRG, Chicago, IL, April 28th, 2017

SLIDE 2

Disclaimer

◮ None of the authors is in any way affiliated with Let's Encrypt
◮ In other words: we do not speak for them
◮ But if you like their work, you may consider supporting them

SLIDE 3

The Encryption Rush

Ed Snowden's NSA revelations:
◮ Massive, widespread surveillance
◮ Worst nightmares came true

SLIDE 4

The Encryption Rush

Consequences:
◮ For many, it was a wake-up call (and panic)
◮ Market distrust in vendors
◮ Provided great momentum for better security

Reactions:
◮ IETF: RFC 7258, RFC 7624
◮ iOS/Android: mobile phone encryption by default
◮ Cloud providers enabling encryption everywhere
◮ ...

SLIDE 5

More than half of web traffic is encrypted nowadays

Yet that leaves out a lot of people without HTTPS

[Figures: Firefox telemetry (1), Chrome telemetry (2)]

1 https://telemetry.mozilla.org/, based on Let's Encrypt stats page
2 https://www.google.com/transparencyreport/https/metrics/

SLIDE 6

Certificates are required for encryption on the web

Barriers to ubiquitous web encryption (X.509 cert):
◮ Cost: purchase, deployment and renewal
◮ Complexity: request, deployment (at scale)

Let's Encrypt (3) aims to make encrypted traffic ubiquitous
◮ Issue and re-issue costs: $0.00
◮ Complexity mitigated by automation
  1. ACME protocol (4)
  2. and clients, e.g. Certbot (5)

3 https://letsencrypt.org
4 draft-ietf-acme-acme-latest → https://ietf-wg-acme.github.io/acme/
5 https://certbot.eff.org/

SLIDE 7

No domain left behind

Is Let's Encrypt democratizing encryption?

Research question

"In its first year of certificate issuance, has Let's Encrypt been successful in democratizing encryption?"

Approach: measurements
◮ Analyze issuance in the first year of Let's Encrypt
◮ Show adoption trend from various perspectives
◮ Analyze coverage for the lower-cost end of the market

SLIDE 8

Methodology

◮ Period covered: Sept. 2015-2016 (1st year)
◮ Results based on FQDNs reduced to 2LD/3LD form
  ◮ a.b.c.d.com → d.com

Datasets
  Certificates → Certificate Transparency (6)
  Domain to IP mapping → Farsight DNSDB (7)
  Organization mapping → methodology from previous work (8), using whois data & MaxMind GeoIP2
  Registration info → .nl registry (SIDN)

6 https://www.certificate-transparency.org/known-logs
7 https://www.dnsdb.info/
8 S. Tajalizadehkhoob et al., "Apples, oranges and hosting providers: heterogeneity and security in the hosting market," IEEE NOMS 2016

SLIDE 9

Let's Encrypt Adoption Rate

◮ Steady growth

[Figure: unique certified domains, Sep '15 to Sep '16; left axis absolute count (2M to 14M), right axis % of DNSDB FQDNs (0.01% to 10%, log scale); series: domains (absolute), domains (relative)]

SLIDE 10

Who's using Let's Encrypt?

◮ 98% of certificates are issued outside Alexa 1M . . .

[Figure: % of total usage of Let's Encrypt, Sep '15 to Sep '16 (log scale, 0.001% to 100%); series: Alexa 1M, Alexa 100k, Alexa 10k, Alexa 1k]

SLIDE 11

Who's using Let's Encrypt?

◮ . . . yet issuance is not restricted to the lower end of the market
◮ meaning: big players also use it for their subdomains

[Figure: % of domains using Let's Encrypt, Sep '15 to Sep '16 (0% to 20%); series: Alexa 1M, Alexa 100k, Alexa 10k, Alexa 1k, DNSDB]

SLIDE 12

Growth is attributed to adoption by major players

3 hosting providers are responsible for 47% of the Let's Encrypt certified domains

November 2015:
  Let's Encrypt domains: 14K
  organisations: 60K
  known domains: 127M

SLIDE 13

Growth is attributed to adoption by major players

September 2016:
  Let's Encrypt domains: 4.4M
  organisations: 66K
  known domains: 205M

SLIDE 14

Growth is attributed to adoption by major players

September 2016: Automation works!!

SLIDE 15

Issuance is dominantly for web hosting

So far, no surprises

[Figure: % of Let's Encrypt domains by organisation type, Sep '15 to Sep '16 (0% to 100%); categories: unknown, cdn, isp, hosting, other, parking, edu, ddos-protection, gov]

SLIDE 16

Over 90% of domains in hosting are on shared hosting

Issuance is dominantly for the lower-cost end of the market

◮ Shared hosting = 10 domains/IP (9)
◮ Let's Encrypt reaches those with less incentive to encrypt

[Figure: % of Let's Encrypt domains in hosting, Sep '15 to Sep '16 (0% to 100%); series: shared hosting, non-shared hosting]

9 S. Tajalizadehkhoob et al., "Apples, oranges and hosting providers: heterogeneity and security in the hosting market," IEEE NOMS 2016

SLIDE 17

Let's Encrypt certificates are valid for 90 days

The majority of certificates are correctly renewed after their first expiration

[Figure: fraction of FQDN coverage (0.2 to 1) versus days since initial issuance of certificate (90, 180, 270, 360); series: continuous, gap ≤ 1 week]
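The renewal metric behind this slide, as an added example that is not code from the paper or its authors: given per-FQDN issuance dates of the kind one extracts from Certificate Transparency entries, it chains 90-day validity windows and computes the "continuous" and "gap ≤ 1 week" coverage fractions at a given number of days after initial issuance. The FQDNs and issuance dates below are constructed sample data.

```python
from datetime import date, timedelta

# Let's Encrypt certificates are valid for 90 days (slide 17).
VALIDITY = timedelta(days=90)


def _issued(base, day_offsets):
    """Turn day offsets from a base date into issuance dates."""
    return [base + timedelta(days=d) for d in day_offsets]


# Constructed sample (hypothetical FQDNs): issuance dates per FQDN, the kind of
# record obtained from Certificate Transparency log entries.
BASE = date(2015, 12, 1)
SAMPLE_ISSUANCE = {
    "a.example.nl": _issued(BASE, [0, 60, 120, 180, 240, 300]),  # renewed early, every 60 days
    "b.example.nl": _issued(BASE, [0, 93, 183, 273]),            # first renewal 3 days after expiry
    "c.example.nl": _issued(BASE, [0]),                          # never renewed
    "d.example.nl": _issued(BASE, [0, 120]),                     # renewed 30 days after expiry
}


def covered_until(issuance_dates, max_gap_days=0):
    """Days after the initial issuance during which the FQDN holds an unexpired
    certificate, chaining renewals as long as the gap between one certificate's
    expiry and the next issuance is at most max_gap_days (0 = continuous)."""
    dates = sorted(issuance_dates)
    first = dates[0]
    end = first + VALIDITY
    for issued in dates[1:]:
        if (issued - end).days > max_gap_days:
            break  # renewal came too late: coverage stops at `end`
        end = max(end, issued + VALIDITY)
    return (end - first).days


def coverage_fraction(issuance_by_fqdn, day, max_gap_days=0):
    """Fraction of FQDNs still covered `day` days after their initial issuance."""
    covered = sum(1 for dates in issuance_by_fqdn.values()
                  if covered_until(dates, max_gap_days) >= day)
    return covered / len(issuance_by_fqdn)


def coverage_curve(issuance_by_fqdn, days=(90, 180, 270, 360)):
    """The two series of the slide's plot: (continuous, gap <= 1 week) per day."""
    return {day: (coverage_fraction(issuance_by_fqdn, day, 0),
                  coverage_fraction(issuance_by_fqdn, day, 7)) for day in days}


if __name__ == "__main__":
    for day, (cont, gap7) in coverage_curve(SAMPLE_ISSUANCE).items():
        print(f"day {day:3d}: continuous={cont:.2f}  gap<=1week={gap7:.2f}")
```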

SLIDE 18

Let's Encrypt: domain age use

◮ Case study: .nl
◮ Determine the age of the domain when the cert was issued

[Figure: domain age (years, 2 to 18) and monthly new certificates (K, 5 to 25), Sep '15 to Sep '16; series: domain age, certificate #]

Median, Q25, Q75 and number of monthly new certificates for .nl domains

SLIDE 19

Let's Encrypt: deployment

◮ https scans + cert processing (lower bound)
◮ 25K randomly chosen Let's Encrypt FQDNs

Result              FQDNs
noDNS                2465
http406error         1422
noTLS                2143
sniError              141
tlsOK-notLE          2846
tlsOK-LE-Expired      180
tlsOK-LE-OK         15803

SLIDE 20

Conclusions

We show that
◮ Let's Encrypt has been a success
  ◮ Reduces costs & complexity
  ◮ Democratizes encryption by covering the low-cost end of the market (shared hosting)
  ◮ but big players also use it
◮ Automation works: Let's Encrypt allows for bulk issuing
  ◮ 3 hosting providers are responsible for 47% of the Let's Encrypt certified domains
◮ The majority of certificates are correctly renewed after their first expiration (90 days)

And find that

Let's Encrypt has indeed started to democratize encryption.

SLIDE 21

Future work

◮ extend measurement period
◮ issued versus deployed
  ◮ active scans on shared hosting require prior knowledge of domains served (SNI)
◮ use by malicious actors

Contact details

Giovane C. M. Moura, giovane.moura@sidn.nl
Download our paper at: https://arxiv.org/abs/1612.03005