Last November, a group of technology companies, along with the Electronic Frontier Foundation (EFF) and the University of Michigan, founded Let’s Encrypt, an open-source project to create the world’s first automated — and free — certificate authority (CA). On Sept. 15, 2015, the group’s flagship cert went live.

In a recent Threatpost article, Peter Eckersley, chief computer scientist at the EFF, said these beta certs should be valid on browsers within a month once the CA is cross-signed to function with existing software. The ultimate goal? To make HTTPS conversion not only simple, but cost-effective for businesses of all shapes and sizes and finally relegate the less secure HTTP to second place.


News about HTTPS is quickly becoming popular fodder for tech publications: Some companies embrace it, some decry it and still others look for ways to circumvent the technology altogether. As noted by the EFF, however, the security value of HTTPS can’t be overstated. Simply put, it protects everything “after the slash” in a URL, from browser communications to specific pages on websites.

The Foundation also noted that this kind of broad security makes it more difficult for nation-states to block website access, as Russia recently found out when trying to block “offensive” Wikipedia content. Since the online encyclopedia recently adopted full HTTPS, shutting down one page blocked access to the entire site, in turn prompting widespread pushback. In other words, HTTPS makes censorship much more public and much more difficult to maintain.

Search Engine Land, meanwhile, pointed to another possible benefit of HTTPS: better search rankings. According to recent comments made by Google’s Gary Illyes, HTTPS may act as a tiebreaker in cases where the quality of two search results is otherwise equal thanks to the search giant’s recent ranking boost to sites using the secure protocol. While Illyes said that choosing HTTP is still “perfectly fine,” companies in tight, competitive niches would be well-served using HTTPS to gain every advantage possible.

The New Cert

Despite HTTPS benefits, however, some companies have been reluctant to make the switch. As noted by CSO Online, part of the problem is cost since the SSL/TLS certificates needed are often expensive and expire after a certain period. Let’s Encrypt, meanwhile, wants to make certificates free for anyone who applies. In addition, the new CA wants to reduce the complexity of the certificate application process by eliminating the human element; the entire service is automated. Doing so required the project to create Boulder, a trustworthy authentication mechanism that sits on top of the Automated Certificate Management Environment (ACME).

Ideally, companies will be able to make automated cert requests and the CA will respond with a list of challenges that must be addressed before certificates are issued. In fact, getting this far is quite the accomplishment — CAs require specialized infrastructure and security mechanisms along with paperwork to ensure processes have been properly audited. If all goes well, the certs will start working within a month while the company’s root propagates; applications for Google, Mozilla, Microsoft and Apple root programs have already been submitted.

The bottom line? The open source effort isn’t looking to replace existing CAs but instead offer a simple option for companies looking to leverage the benefits of HTTPS without incurring the costs or dealing with the complication. While this won’t instantly make the entire Internet secure since many sites will continue to self-sign their certificates, it’s a critical step forward in the fight for an open — and encrypted — future.
