Cisco, Akamai and Mozilla have launched a new free certificate authority (CA) called Let’s Encrypt that aims to, well, encourage people to encrypt users’ connections to their websites.
The launch of Let’s Encrypt, which also involves the Electronic Frontier Foundation (EFF), the banking-oriented public key certificate authority IdenTrust and University of Michigan researchers, comes as the tech industry scrambles to encrypt the web as far as possible, following the mass surveillance revelations of NSA leaker Edward Snowden.
The next version of the HTTP protocol will likely be encrypted by default. Google will rank sites that use SSL/TLS encryption higher in its search results. The content delivery and security outfit CloudFlare is offering free SSL encryption for millions of its customers. And now Let’s Encrypt aims to equip websites with free certificates – the proof they need to tell users’ browsers that their public encryption keys are genuine and that the connection is properly secured.
“Why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch?” Josh Aas, the executive director of Californian public benefit corporation Internet Security Research Group (ISRG), which will run the scheme, asked in a statement.
“The challenge is server certificates. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.”
According to the statement, Let’s Encrypt’s certificate infrastructure will go live in the second quarter of 2015. Certificates will be free and there will be an automated issuance and renewal protocol – an open standard – in order to reduce the need for input from the domain holder’s side.
According to an EFF blog post, “switching a web server from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.”
Records of certificate issuance and revocation will be publicly available and those behind Let’s Encrypt are stressing the fact that the system won’t be under any one organization’s control.
Particularly following high-profile certificate authority breaches in 2011, which resulted in hundreds of fraudulent certificates being issued, a lot of people distrust CAs. The EFF itself was a loud critic of the existing CA system, in fact, so it will be interesting to see what the security community makes of the “modern security techniques and best practices” that will underpin Let’s Encrypt.