Let's Encrypt announced a new certificate authorization scheme


Today, getting an SSL certificate for your website is extremely simple. On top of that, the cost has dropped considerably compared with 4-5 years ago, when the search giant Google began to give better ranking to "https" websites.

At that time, getting an SSL certificate at an affordable price was really difficult, but today it can even be obtained for free with the help of Let's Encrypt.

Let's Encrypt is a non-profit certificate authority that provides certificates free of charge to everyone. It has now announced a new authorization scheme for validating control of domains.

Access to the server hosting the «/.well-known/acme-challenge/» directory used in HTTP-01 validation will now be performed with multiple HTTP requests sent from four different IP addresses, located in different data centers and belonging to different autonomous systems. Validation succeeds only if the request from the primary data center and at least two of the three remote requests succeed (three of four, with the primary one mandatory).

Probing from multiple networks reduces the risk of obtaining certificates for someone else's domain through targeted attacks that redirect traffic with bogus route announcements (BGP hijacking).

With multi-perspective validation, an attacker has to achieve the route redirection simultaneously toward several autonomous systems with different upstreams, which is much harder than hijacking a single route.

After February 19, we will make four full validation requests (1 from a primary data center and 3 from remote data centers). The primary request and at least 2 of the 3 remote requests must receive the correct challenge response value for the domain to be considered authorized.

In the future we will continue to evaluate adding more network insights and may change the number and threshold required.
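The quorum rule described above can be made concrete with a small model. The following is an added example, not Let's Encrypt's own code: one primary perspective and three remote perspectives each fetch `/.well-known/acme-challenge/<token>`, and the domain is authorized only when the primary and at least two of the three remotes see the expected key authorization. The perspective names, the `Fetch` record, the constructed key-authorization strings and the handling of the transition period (primary-only success is accepted only when the remotes got no answer at all, not a contradicting one) are assumptions made for the illustration.

```python
"""Multi-perspective HTTP-01 validation: quorum logic (added illustration).

Not Let's Encrypt code. Perspective names, the Fetch record and the
transition-period rule are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

PRIMARY = "primary-dc"                                   # assumed names
REMOTES = ("remote-as-a", "remote-as-b", "remote-as-c")  # three different ASes
REMOTE_QUORUM = 2  # "at least 2 of the 3 remote requests"


@dataclass(frozen=True)
class Fetch:
    """What one perspective observed. body=None means no HTTP answer at all
    (timeout, firewall, blocklist), as opposed to a wrong or missing file."""
    perspective: str
    status: int
    body: Optional[str]


def challenge_ok(f: Fetch, expected: str) -> bool:
    """ACME HTTP-01: a 200 whose body is exactly the key authorization."""
    return f.status == 200 and f.body is not None and f.body.strip() == expected


def authorize(fetches: Iterable[Fetch], expected: str,
              transition_period: bool = False) -> tuple[bool, str]:
    """Apply the primary + 2-of-3 quorum.

    transition_period=True models the grace period described in the article:
    the primary alone is enough when the remote perspectives got no answer.
    A remote that answered with something other than the expected value
    still vetoes, because that is what a route hijack looks like from the
    perspectives that were not hijacked (assumed interpretation).
    """
    by_name = {f.perspective: f for f in fetches}
    primary = by_name.get(PRIMARY)
    if primary is None or not challenge_ok(primary, expected):
        return False, "primary perspective did not see the key authorization"

    remote_ok = [r for r in REMOTES
                 if r in by_name and challenge_ok(by_name[r], expected)]
    remote_contradict = [r for r in REMOTES
                         if r in by_name and by_name[r].body is not None
                         and not challenge_ok(by_name[r], expected)]
    if len(remote_ok) >= REMOTE_QUORUM:
        return True, f"primary + {len(remote_ok)}/{len(REMOTES)} remotes agree"
    if transition_period and not remote_contradict:
        return True, "transition period: remotes unreachable, primary accepted"
    return False, (f"only {len(remote_ok)}/{len(REMOTES)} remotes agree; "
                   f"contradicting: {remote_contradict or 'none'}")


# Constructed key authorizations (token + "." + account-key thumbprint form).
OWNER_KEY_AUTHZ = "tok-owner.thumb-owner"
ATTACKER_KEY_AUTHZ = "tok-attacker.thumb-attacker"


def seen_by(perspectives, status, body):
    return [Fetch(p, status, body) for p in perspectives]


def scenarios() -> dict[str, bool]:
    """Constructed scenarios; returns whether each would get a certificate."""
    legit = seen_by((PRIMARY, *REMOTES), 200, OWNER_KEY_AUTHZ)
    # Attacker hijacks the route between the primary DC and the victim's
    # prefix; the remote ASes still reach the real server, which has no
    # file for the attacker's token.
    hijack_primary = (seen_by((PRIMARY,), 200, ATTACKER_KEY_AUTHZ)
                      + seen_by(REMOTES, 404, "not found"))
    # Attacker manages to hijack the primary plus one remote AS.
    hijack_primary_plus_one = (seen_by((PRIMARY, REMOTES[0]), 200, ATTACKER_KEY_AUTHZ)
                               + seen_by(REMOTES[1:], 404, "not found"))
    # Legitimate owner whose firewall only allows the primary DC's addresses.
    firewalled = (seen_by((PRIMARY,), 200, OWNER_KEY_AUTHZ)
                  + seen_by(REMOTES, 0, None))
    # One remote resolves a stale DNS zone (old host, no file); two are fine.
    stale_zone = (seen_by((PRIMARY, REMOTES[0], REMOTES[1]), 200, OWNER_KEY_AUTHZ)
                  + seen_by((REMOTES[2],), 404, "not found"))
    return {
        "legit": authorize(legit, OWNER_KEY_AUTHZ)[0],
        "hijack_primary": authorize(hijack_primary, ATTACKER_KEY_AUTHZ)[0],
        "hijack_primary_plus_one": authorize(hijack_primary_plus_one, ATTACKER_KEY_AUTHZ)[0],
        "firewalled_transition": authorize(firewalled, OWNER_KEY_AUTHZ, transition_period=True)[0],
        "firewalled_after_june": authorize(firewalled, OWNER_KEY_AUTHZ)[0],
        "stale_zone": authorize(stale_zone, OWNER_KEY_AUTHZ)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'issue' if ok else 'refuse'}")
```

The point the scenarios make is the one in the article: hijacking the path from a single data center (even the primary) no longer yields a certificate, while a legitimate host that is merely unreachable from the remote networks still passes during the transition period and fails after it.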

In addition, sending requests from different IPs makes validation more robust if individual Let's Encrypt hosts end up on block lists (for example, in Russia some letsencrypt.org IP addresses fell under Roskomnadzor blocking).

Until June 1 there will be a transition period during which certificates can still be issued after successful validation from the primary data center alone when the host is unreachable from the other networks (for example, because the host's firewall only allows requests from Let's Encrypt's primary data center, or because of DNS zone synchronization problems).

Let's Encrypt says it will prepare a whitelist of domains that have trouble validating from the three additional data centers, based on the validation records and the contact details on file for those domains. If a domain is not on the whitelist, an exemption can also be requested via a special form.

To date, Let's Encrypt has issued 113 million certificates covering around 190 million domains (150 million domains a year ago and 61 million two years ago).

According to Firefox telemetry, 81% of page loads worldwide are made over HTTPS (77% a year ago, 69% two years ago), and 91% in the United States.

Separately, Apple intends to stop trusting certificates with a validity period longer than 398 days (13 months) in the Safari browser.

For now, the restriction is planned only for certificates issued from September 1, 2020. Certificates with a longer validity period obtained before September 1 will remain trusted, but their accepted validity is limited to 825 days (about 2.2 years).
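A practical way to check your own certificates against that rule is to take the `notBefore` and `notAfter` strings from `ssl.getpeercert()` or `openssl x509 -dates` and compute the lifetime. The following is an added example, not Apple's published check: it reads the rule as "issued on or after 2020-09-01: at most 398 days, earlier: at most 825 days", measured as `notAfter - notBefore`; the date strings and `safari_verdict` name are constructed for the illustration.

```python
"""Check a certificate's validity period against the Safari lifetime rule
described above (added example; dates below are constructed, not real certs).

Assumed reading of the rule: notBefore >= 2020-09-01 -> lifetime <= 398 days,
otherwise lifetime <= 825 days, with lifetime = notAfter - notBefore.
"""
import ssl
from datetime import datetime, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS_NEW = 398  # certificates issued from September 1, 2020
MAX_DAYS_OLD = 825  # earlier certificates


def parse_cert_time(s: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form returned by
    ssl.getpeercert() and printed by 'openssl x509 -dates'
    (a 'notBefore=' / 'notAfter=' prefix is tolerated)."""
    s = s.split("=", 1)[-1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def max_allowed_days(not_before: datetime) -> int:
    return MAX_DAYS_NEW if not_before >= CUTOFF else MAX_DAYS_OLD


def safari_verdict(not_before: str, not_after: str) -> dict:
    """Return lifetime in days, the applicable cap and whether Safari
    would still trust the certificate under the rule above."""
    nb, na = parse_cert_time(not_before), parse_cert_time(not_after)
    lifetime = (na - nb).days
    cap = max_allowed_days(nb)
    return {"lifetime_days": lifetime, "cap_days": cap, "trusted": lifetime <= cap}


if __name__ == "__main__":
    # Constructed validity periods, as 'openssl x509 -noout -dates' prints them.
    samples = [
        ("notBefore=Sep  1 00:00:00 2020 GMT", "notAfter=Oct  4 00:00:00 2021 GMT"),  # 398 d
        ("notBefore=Sep  1 00:00:00 2020 GMT", "notAfter=Oct  5 00:00:00 2021 GMT"),  # 399 d
        ("notBefore=Aug 31 00:00:00 2020 GMT", "notAfter=Aug 31 00:00:00 2022 GMT"),  # 730 d
        ("notBefore=Aug 31 00:00:00 2020 GMT", "notAfter=Aug 30 00:00:00 2025 GMT"),  # ~5 y
    ]
    for nb, na in samples:
        print(nb[10:], "->", na[9:], safari_verdict(nb, na))
```

For a live check, `ssl.create_default_context().wrap_socket(...)` followed by `getpeercert()` yields the same `notBefore`/`notAfter` strings, so the function can be applied directly to the dictionary it returns.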

The change could hurt the business of certificate authorities that sell cheap certificates with long validity periods of up to 5 years.

According to Apple, such long-lived certificates pose additional security risks: they slow the rollout of new cryptographic standards, and if a certificate's private key leaks unnoticed as the result of a compromise, an attacker can monitor the victim's traffic or impersonate the site for a long time.
