September 17, 2015 By Douglas Bonderud 2 min read

Last November, a group of technology companies, along with the Electronic Frontier Foundation (EFF) and the University of Michigan, founded Let’s Encrypt, an open-source project to create the world’s first automated — and free — certificate authority (CA). On Sept. 15, 2015, the group’s flagship cert went live.

In a recent Threatpost article, Peter Eckersley, chief computer scientist at the EFF, said these beta certs should be valid on browsers within a month once the CA is cross-signed to function with existing software. The ultimate goal? To make HTTPS conversion not only simple, but cost-effective for businesses of all shapes and sizes and finally relegate unencrypted HTTP to second place.

Why HTTPS?

News about HTTPS is quickly becoming popular fodder for tech publications: Some companies embrace it, some decry it and still others look for ways to circumvent the technology altogether. As noted by the EFF, however, the security value of HTTPS can't be overstated. Simply put, it protects everything "after the slash" in a URL: the path, the query string, the request and response headers and the page content itself all travel encrypted. One caveat a practitioner should keep in mind is that the host name is not hidden; it remains visible to anyone on the network path through the DNS lookup and the TLS Server Name Indication (SNI) extension, so HTTPS conceals which page is being read, not which site.

The Foundation also noted that this kind of broad protection makes it more difficult for nation-states to block access to individual pages, as Russia recently found out when trying to block "offensive" Wikipedia content. Since the online encyclopedia had moved to HTTPS only, a network filter could no longer see which article was being requested, so blocking the one page meant blocking the entire site, which in turn prompted widespread pushback. In other words, HTTPS makes censorship much more public and much more difficult to maintain.

Search Engine Land, meanwhile, pointed to another possible benefit of HTTPS: better search rankings. According to recent comments by Google's Gary Illyes, the lightweight ranking boost Google gave to HTTPS sites last year may act as a tiebreaker in cases where two search results are otherwise equal in quality. While Illyes said that choosing HTTP is still "perfectly fine," companies in tight, competitive niches would be well-served using HTTPS to gain every advantage possible.

The New Cert

Despite these benefits, however, some companies have been reluctant to make the switch. As noted by CSO Online, part of the problem is cost, since the SSL/TLS certificates needed are often expensive and expire after a certain period. Let's Encrypt, meanwhile, wants to make certificates free for anyone who applies. In addition, the new CA wants to reduce the complexity of the certificate application process by eliminating the human element: the entire service is automated, which is also why it issues only domain-validated certificates, where the applicant proves control over a domain name rather than submitting organizational paperwork. Doing so required the project to build Boulder, its own CA server software, which implements the Automated Certificate Management Environment (ACME) protocol.

In practice, an ACME client submits an automated request for a set of domain names and the CA responds with a list of challenges, each a proof of control over one name (for example, serving a CA-chosen token from a well-known URL on the site, or publishing a DNS TXT record), that must be completed before the certificate is issued. Getting this far is itself quite an accomplishment: a CA requires specialized infrastructure and security mechanisms, along with paperwork to ensure its processes have been properly audited. If all goes well, the certs will start working within a month once the project's intermediate is cross-signed by an established CA; the slower route of inclusion in the Google, Mozilla, Microsoft and Apple root programs is also under way, with applications already submitted.
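What "addressing a challenge" looks like on the wire, as an added example rather than code from Let's Encrypt or its Boulder software: the ACME protocol (an IETF draft in 2015, later standardized as RFC 8555) has the client prove control of a name by publishing a key authorization, the CA's token joined to a thumbprint of the client's account key, either at a well-known HTTP path (HTTP-01) or hashed into a DNS TXT record (DNS-01). The account key below is a constructed throwaway JWK, not a real key, and `validate_http01` stands in for the CA's validator; the construction itself is the standard one from the protocol, not a detail the article spells out.

```python
"""ACME domain-validation challenge material, computed per RFC 8555.

Added example, not code from Let's Encrypt or its Boulder CA software. The
account key below is a constructed, throwaway JWK (its coordinates are filler
bytes, not a real P-256 point); validate_http01 stands in for the CA's validator.
"""
import base64
import hashlib
import json
import secrets

# RFC 7638 section 3.2: only the members required to represent the key go into
# the thumbprint, in lexicographic order, serialised with no whitespace.
# Optional members such as "alg" and "kid" are ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url-encoded."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """Challenge token chosen by the CA: at least 128 bits of entropy, base64url."""
    return b64url(secrets.token_bytes(16))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey)).
    Including the thumbprint binds the proof to the ACME account that asked."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the client must serve the key authorization, over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(body: bytes, token: str, account_jwk: dict) -> bool:
    """CA-side check after fetching the challenge URL: the body must equal the
    key authorization; RFC 8555 lets trailing whitespace be ignored, nothing else."""
    try:
        served = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return served.rstrip() == key_authorization(token, account_jwk)


# Constructed sample account key (not a real key; coordinates are filler bytes).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


if __name__ == "__main__":
    token = new_token()
    ka = key_authorization(token, SAMPLE_ACCOUNT_JWK)
    print("serve at", http01_path(token), "->", ka)
    print("or publish TXT _acme-challenge.<domain> =", dns01_txt_value(token, SAMPLE_ACCOUNT_JWK))
    print("CA check passes:", validate_http01((ka + "\n").encode(), token, SAMPLE_ACCOUNT_JWK))
```

The thumbprint is what makes the scheme safe to automate: a token alone could be copied from one site's challenge page to another, but the key authorization is only valid for the account whose key signed the request, and the CA derives the expected value itself rather than trusting anything the client sends back.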

The bottom line? The open source effort isn't looking to replace existing CAs, but to offer a simple option for companies that want the benefits of HTTPS without the cost or the complication. This won't instantly make the entire Internet secure, since many sites will continue to self-sign their certificates or stay on plain HTTP, but it's a critical step forward in the fight for an open and encrypted future.
