'Let's Encrypt' aims to drive adoption of HTTPS

Some of the world's biggest security companies are working together to develop 'Let's Encrypt' - a new certificate authority (CA) offering free and automatically renewable HTTPS web encryption.

'Let's Encrypt' aims to drive adoption of HTTPS
'Let's Encrypt' aims to drive adoption of HTTPS

Due to launch next summer, Let's Encrypt has been established by Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, IdenTrust as well as researchers at the University of Michigan  - who are working through the California-based Internet Security Research Group (ISRG).

The aim is for the CA to drive the adoption of HTTPS web encryption and to do this by making obtaining the SSL certificate as easy as clicking a button or issuing a simple shell command.

The accreditation is free to anyone who owns a web domain, certificates can be reviewed for transparency, while the security companies behind the project say that the management software installed on web servers proves that the domain holder controls the website, has obtained a browser-trusted certificate and has set it up on their web browser.

In addition, the software enables users to track when the certificate is due to expire and can also help should users want to revoke the certificate.

“No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let's Encrypt provides certificates for free, no need to arrange payment,” it reads on the Let's Encrypt website.

The EFF is developing a new ACME (Automated Certificate Management Environment) encryption standard to act as the go-between from web servers to the Certificate Authority, which it says will include stronger support for domain validation. It will also leverage the EFF's existing Decentralised SSL Observatory, Google's Certificate Transparency logs and the University of Michigan's scans.io.

The CA is to be managed by the Internet Security Research Group (ISRG) and the first websites are currently undergoing development and testing.  The CA is due to launch in the second half of 2015. The code and protocol specs for Let's Encrypt can be found on GitHub.

When announcing the news on Tuesday, ISRG executive director Josh Aas described why HTTPS is essential.

“Vital personal and business information flows over the internet more frequently than ever, and we don't always know when it's happening. It's clear at this point that encrypting is something all of us should be doing,” he said. “Then why don't we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data centre supports it. Why don't we just flip the switch?”

“The challenge is server certificates. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It's tricky to install correctly. It's a pain to update.”

Peter Eckersley, technology projects director of EFF, added in the non-for-profit's own blog post that the CA will attempt to get around many existing problems with HTTP and HTTPs.

“Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governmentscompanies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites.

“The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default. With a launch scheduled for summer 2015, the Let's Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

“The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires…The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let's Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds.”

As part of the drive towards ubiquitous HTTPS, Google recently revealed that it would index websites higher which employed this level of encryption, while CloudFlare announced that its two million customers could use the free version of Universal SSL.