Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations.
Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) certificates through an automated process that allows websites, given the technical requirements, to be accessed over encrypted HTTPS rather than the unprotected HTTP.
Since its inception, Let's Encrypt has helped make the horribly insecure web less so.
In a blog post, Josh Aas, executive director for the non-profit Internet Security Research Group, which operates Let's Encrypt on behalf of partner organizations, said the CA has secured 47 million domains through its free automated Domain Validation (DV) certificate API.
"This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let’s Encrypt's service became available in December 2015," said Aas.
In a phone interview with The Register, Aas said Let's Encrypt has played a significant part in accelerating HTTPS adoption but credited the work of other organizations as well. For example, he said, Amazon offers free certs for AWS customers.
Aas said Let's Encrypt's indirect impact has also been valuable in terms of changing the narrative about web security. "Before Let's Encrypt, HTTPS was difficult and cost money," he said. "Now the narrative is there are no excuses anymore."
Let's Encrypt offers DV SSL certificates, but not Organization Validation (OV) or Extended Validation (EV) certificates, which require the CA to verify details about the company seeking the cert.
"We operate at scale and when something involves manual examination in any way, it's not possible to scale that," said Aas.
DV certs cover a specific web domain (example.com), and nothing more. Wildcard DV certs cover a domain and any number of subdomains (*.example.com), like api.example.com or bad.example.com.
Having a single certificate and encryption key pair for a domain and its subdomains makes administration significantly easier than having to manage different certs for each. But, as Aas observed, wildcard certs aren't necessarily ideal for every situation.
"Wildcards are really useful when you have a centralized place for serving domains," said Aas. "Where they can be wrong choice is when you have a lot of different places serving subdomains."
Keeping your private key secure in multiple locations is inherently riskier than keeping it safe in a single place, Aas explained.
The availability of wildcard certs should make Let's Encrypt's service more appealing to large organizations that manage multiple subdomains. And the fact that the certs will be free should help – some companies sell wildcard certs for several hundred dollars annually, though they can be had for significantly less.
Aas said he could't speak to how other companies selling costly wildcard certs view Let's Encrypt.
The arrival of wildcard certs coincides with Let's Encrypt's rollout of its ACME v2 protocol, the successor to v1. ACME v2, scheduled to debut in January next year, will be an IETF standard so that other CAs can interoperate more easily with Let's Encrypt systems. ®