Symantec partners with hosting providers to offer free TLS certificates to website owners

Symantec's Encryption Everywhere program will offer basic SSL/TLS certificates to domain owners for free

Symantec wants to see the encrypted Web grow and will offer free basic SSL/TLS certificates to domain owners through Web hosting companies that join its new Encryption Everywhere program.

The company has already signed partnerships with more than ten hosting providers, including InterNetX, CertCenter, Hostpoint and Zoned in Europe, and is close to finalizing deals with ten others. The customers of those companies will receive a basic website encryption package that includes a standard TLS certificate valid for one year.

Depending on their needs, customers will also be able to opt for paid premium packages that include extended validation (EV) certificates or wildcard certificates that are valid for multiple websites hosted on different subdomains.

According to Symantec, which now operates one of the world's largest certificate authorities (CAs) after acquiring Verisign's certificate business in 2010, only around 3 percent of all Internet websites are currently using SSL/TLS encryption.

From a business perspective, Symantec is, for the first time, adopting the freemium pricing model, where a product with basic functionality is offered for free on the premise that a percentage of users will later decide to pay for more advanced features.

"The need for privacy for legitimate individuals and companies is growing and it's that need that we are responding too," said Roxane Divol, general manager for the Website Security division at Symantec. "This in turn generates a need for good governance and a swift mechanism for when certificates need to be revoked, and that is also something that we pay a lot of attention to."

In recent years, security and privacy experts have called for widespread encryption of Internet communications following the revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.'s Government Communications Headquarters.

Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, believes that ubiquitous encryption would make eavesdropping expensive and could force intelligence agencies to abandon the wholesale collection of data in favor of targeted collection.

Symantec is not the first CA to offer free certificates in an attempt to encourage website owners to encrypt their users' traffic. Let's Encrypt, a certificate authority run by the ISRG (Internet Security Research Group) and backed by Mozilla, Cisco, Akamai, Facebook and others, has already issued over a million free certificates in three months since it launched.

According to Divol, Symantec has been working on its Encryption Everywhere program for a long time, but focused on the seamless integration with the management platforms used by hosting providers.

Unlike Let's Encrypt, which requires users to have some know-how about certificate deployment and management, Encryption Everywhere's integration with hosting panels makes it easy for people without such technical knowledge to obtain and use certificates. Therefore, the two projects address slightly different audiences.

The problem with making it easy for website owners to deploy encryption is that it also lowers the entry bar for cybercriminals. Buying TLS certificates to encrypt malicious traffic didn't make much business sense for criminals, because they typically switch domain names at a fast pace to evade detection by security companies. But now that certificates can be acquired for free and in an automated manner, security solutions will likely have to deal with an increase in malicious encrypted traffic.

However this will play out in the long term, the general thinking is that improving everyone's security and privacy by widespread use of encryption on the Web outweighs any potential risk of attacks becoming harder to detect.

Join the CSO newsletter!

Error: Please check your email address.

More about CiscoFacebookMozillaNational Security AgencyNSASymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place