September 17, 2015 By Douglas Bonderud

Last November, a group of technology companies, along with the Electronic Frontier Foundation (EFF) and the University of Michigan, founded Let’s Encrypt, an open-source project to create the world’s first automated — and free — certificate authority (CA). On Sept. 15, 2015, the group’s flagship cert went live.

In a recent Threatpost article, Peter Eckersley, chief computer scientist at the EFF, said these beta certs should be valid on browsers within a month once the CA is cross-signed to function with existing software. The ultimate goal? To make HTTPS conversion not only simple, but cost-effective for businesses of all shapes and sizes and finally relegate the less secure HTTP to second place.

Why HTTPS?

News about HTTPS is quickly becoming popular fodder for tech publications: Some companies embrace it, some decry it and still others look for ways to circumvent the technology altogether. As noted by the EFF, however, the security value of HTTPS can’t be overstated. Simply put, it protects everything “after the slash” in a URL, from browser communications to specific pages on websites.

The Foundation also noted that this kind of broad security makes it more difficult for nation-states to block website access, as Russia recently found out when trying to block “offensive” Wikipedia content. Since the online encyclopedia recently adopted full HTTPS, shutting down one page blocked access to the entire site, in turn prompting widespread pushback. In other words, HTTPS makes censorship much more public and much more difficult to maintain.

Search Engine Land, meanwhile, pointed to another possible benefit of HTTPS: better search rankings. According to recent comments made by Google’s Gary Illyes, HTTPS may act as a tiebreaker in cases where the quality of two search results is otherwise equal, thanks to the search giant’s recent ranking boost to sites using the secure protocol. While Illyes said that choosing HTTP is still “perfectly fine,” companies in tight, competitive niches would be well served by using HTTPS to gain every advantage possible.

The New Cert

Despite the benefits of HTTPS, however, some companies have been reluctant to make the switch. As noted by CSO Online, part of the problem is cost, since the SSL/TLS certificates needed are often expensive and expire after a certain period. Let’s Encrypt, meanwhile, wants to make certificates free for anyone who applies. In addition, the new CA wants to reduce the complexity of the certificate application process by eliminating the human element; the entire service is automated. Doing so required the project to create Boulder, a trustworthy authentication mechanism that sits on top of the Automated Certificate Management Environment (ACME).

Ideally, companies will be able to make automated cert requests and the CA will respond with a list of challenges that must be addressed before certificates are issued. In fact, getting this far is quite the accomplishment — CAs require specialized infrastructure and security mechanisms along with paperwork to ensure processes have been properly audited. If all goes well, the certs will start working within a month while the company’s root propagates; applications for Google, Mozilla, Microsoft and Apple root programs have already been submitted.

The bottom line? The open source effort isn’t looking to replace existing CAs but instead offer a simple option for companies looking to leverage the benefits of HTTPS without incurring the costs or dealing with the complication. While this won’t instantly make the entire Internet secure since many sites will continue to self-sign their certificates, it’s a critical step forward in the fight for an open — and encrypted — future.
