Symantec wants to see the encrypted Web grow and will offer free basic SSL/TLS certificates to domain owners through Web hosting companies that join its new Encryption Everywhere program.
The company has already signed partnerships with more than ten hosting providers, including InterNetX, CertCenter, Hostpoint and Zoned in Europe, and is close to finalizing deals with ten others. The customers of those companies will receive a basic website encryption package that includes a standard TLS certificate valid for one year.
Depending on their needs, customers will also be able to opt for paid premium packages that include extended validation (EV) certificates or wildcard certificates that are valid for multiple websites hosted on different subdomains.
According to Symantec, which now operates one of the world’s largest certificate authorities (CAs) after acquiring Verisign’s certificate business in 2010, only around 3 percent of all Internet websites are currently using SSL/TLS encryption.
From a business perspective, Symantec is, for the first time, adopting the freemium pricing model, where a product with basic functionality is offered for free on the premise that a percentage of users will later decide to pay for more advanced features.
“The need for privacy for legitimate individuals and companies is growing and it’s that need that we are responding to,” said Roxane Divol, general manager for the Website Security division at Symantec. “This in turn generates a need for good governance and a swift mechanism for when certificates need to be revoked, and that is also something that we pay a lot of attention to.”
In recent years, security and privacy experts have called for widespread encryption of Internet communications following the revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.’s Government Communications Headquarters.
Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, believes that ubiquitous encryption would make eavesdropping expensive and could force intelligence agencies to abandon the wholesale collection of data in favor of targeted collection.
Symantec is not the first CA to offer free certificates in an attempt to encourage website owners to encrypt their users’ traffic. Let’s Encrypt, a certificate authority run by the ISRG (Internet Security Research Group) and backed by Mozilla, Cisco, Akamai, Facebook and others, has already issued over a million free certificates in the three months since it launched.
According to Divol, Symantec has been working on its Encryption Everywhere program for a long time, but has focused on seamless integration with the management platforms used by hosting providers.
Unlike Let’s Encrypt, which requires users to have some know-how about certificate deployment and management, Encryption Everywhere’s integration with hosting panels makes it easy for people without such technical knowledge to obtain and use certificates. Therefore, the two projects address slightly different audiences.
The problem with making it easy for website owners to deploy encryption is that it also lowers the entry bar for cybercriminals. Buying TLS certificates to encrypt malicious traffic didn’t make much business sense for criminals, because they typically switch domain names at a fast pace to evade detection by security companies. But now that certificates can be acquired for free and in an automated manner, security solutions will likely have to deal with an increase in malicious encrypted traffic.
However this will play out in the long term, the general thinking is that improving everyone’s security and privacy by widespread use of encryption on the Web outweighs any potential risk of attacks becoming harder to detect.