How many of you remember your first economics class? For most, it was a macroeconomics survey course that met a behavioral and social sciences requirement. But whether you took an econ class, became an econ major, or you are just a participating member of the economy, you have likely heard about the “law” of supply and demand. [Actually, there is no “law”, per se. But there are real outcomes that are necessary results of the actions that we take.] In a market where resources are limited, increased demand for a good (or service) will almost always result in increased prices. At the same time, an increased supply of that good (or service) will drive the price lower. And when that price declines, the demand for that good (or service) will probably increase. Simple, right? The same thing is true for the car market, the computer market, and the market for household certificates (i.e., secure services in the home).
The Security Market
Most people have not yet implemented household certificates (or other security mechanisms) because the “cost” was way too high. Historically, the exorbitant cost for a good home security system meant that only those with disposable income could afford these devices (and services). Some people bypassed the initial outlay by building it into the price of a new home. That way, the costs could be distributed over fifteen (or thirty) years. But either way, the number of willing customers remained small.
The same reality is true for digital security and household certificates. You might have heard about two-factor authentication. But you may not have the skills – nor do you have the money – to implement a digitally secure household. So you left those kinds of security steps for others to implement. Basically, you want digital security, but you can’t afford to install or support it.
Household Certificates: Mandatory…and Cheap
The times are changing. As any technology is introduced, early adopters pay excessive amounts of money to have a tool that is cool. If this weren’t the case, then how could anyone justify a $1,200 iPhone? Yes, the iPhone is cool. But you can get something similar for $800-$900. And if you bypass just a couple of features, you can get a good phone for between $300 and $500. [This is exactly what Dell did when it disrupted the desktop computer market that was previously owned by Apple and IBM.
In security circles, the cost of security certificates (and the learning curve associated with their use) has meant that corporations would be the only users of this kind of technology. But just as the iPhone spurred cheaper competitors, the Internet security industry is also beginning to get its price disruption. You no longer have to go to the “big players” to install household hubs. You can build them yourself. And you don’t have to get certificates from the same places as the big corporations: you can get workable certificates for free from Let’s Encrypt.
You may be asking yourself why you would need security certificates. And if you don’t have any services running at home, then you may not need certificates. But if you have a Plex server, or if you use home automation, or if you have mainstream home security tools (from folks like SimpliSafe, or August, or Blink, or Netgear), then you really do need household certificates.
Why are household certificates important? Because when you connect to services at home, you will want to make sure that it is your home services that are responding to you. Without certificates, there is a real risk that someone will step in between you and your household services. Hackers do this so they can impersonate your servers – and collect valuable data directly from you. [In security parlance, this is called a man-in-the-middle attack.] By having household certificates, your systems can present secure ‘credentials’ to ensure that the server is who it reports itself to be.
Secure Authentication
Similarly, you may want to ensure that anyone trying to log into your household must present a trusted token to access the treasures inside your house. [Think of this as the digital equivalent of a front door key.] This can be done with strong passwords. But it can also be done with digital certificates. And almost every implementation of two-factor authentication uses encryption (and certificates) to validate a user’s identity. Without certificates, the only thing that lies between your treasures and digital assailants is your password. [Let’s hope that your password is both strong and totally unique.]
And with Google’s recent announcement that they will be producing security tokens (i.e., the Google Titan key), the authentication market is finally being commoditized. Prices will no longer be set by only one or two vendors (like RSA or Yubico). And I am sure that other vendors will take advantage of the reduced costs that will be a necessary result of increased key production (needed to meet the Google demand).
Let’s Encrypt: Supply-side Answers
According to Wikipedia, ” The Let’s Encrypt project was started in 2012 by two Mozilla employees, Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan.” The first public product launch was on April 12, 2016. At the time of launch, Let’s Encrypt entered a market that was dominated by Symantec, GoDaddy, and Comodo.
The Let’s Encrypt price point is simple: zero cost certificates. The catch is that these certificates are only good for three months. But with a little scripting (and a few tools from the EFF), the certificate refresh process is almost effortless. And Let’s Encrypt is being built into most household management systems. So with no production costs and with decreasing skill requirements, household certificates are becoming impossible to ignore.
Bottom Line
If you have a little technical know-how, then now is the time to start using Let’s Encrypt on your household servers. And if you aren’t technically savvy, then expect the hardware and software providers to start bundling this security technology into their products. For them, the cost is limited. And adding real security features can only improve customer satisfaction – if it is completely friction-less.