Last November, a group of technology companies, along with the Electronic Frontier Foundation (EFF) and the University of Michigan, founded Let’s Encrypt, an open-source project to create the world’s first automated — and free — certificate authority (CA). On Sept. 15, 2015, the group’s flagship cert went live.

In a recent Threatpost article, Peter Eckersley, chief computer scientist at the EFF, said these beta certs should be valid on browsers within a month once the CA is cross-signed to function with existing software. The ultimate goal? To make HTTPS conversion not only simple, but cost-effective for businesses of all shapes and sizes and finally relegate the less secure HTTP to second place.


News about HTTPS is quickly becoming popular fodder for tech publications: Some companies embrace it, some decry it and still others look for ways to circumvent the technology altogether. As noted by the EFF, however, the security value of HTTPS can’t be overstated. Simply put, it protects everything “after the slash” in a URL, from browser communications to specific pages on websites.

The Foundation also noted that this kind of broad security makes it more difficult for nation-states to block website access, as Russia recently found out when trying to block “offensive” Wikipedia content. Since the online encyclopedia recently adopted full HTTPS, shutting down one page blocked access to the entire site, in turn prompting widespread pushback. In other words, HTTPS makes censorship much more public and much more difficult to maintain.

Search Engine Land, meanwhile, pointed to another possible benefit of HTTPS: better search rankings. According to recent comments made by Google’s Gary Illyes, HTTPS may act as a tiebreaker in cases where the quality of two search results is otherwise equal thanks to the search giant’s recent ranking boost to sites using the secure protocol. While Illyes said that choosing HTTP is still “perfectly fine,” companies in tight, competitive niches would be well-served using HTTPS to gain every advantage possible.

The New Cert

Despite HTTPS benefits, however, some companies have been reluctant to make the switch. As noted by CSO Online, part of the problem is cost since the SSL/TLS certificates needed are often expensive and expire after a certain period. Let’s Encrypt, meanwhile, wants to make certificates free for anyone who applies. In addition, the new CA wants to reduce the complexity of the certificate application process by eliminating the human element; the entire service is automated. Doing so required the project to create Boulder, a trustworthy authentication mechanism that sits on top of the Automated Certificate Management Environment (ACME).

Ideally, companies will be able to make automated cert requests and the CA will respond with a list of challenges that must be addressed before certificates are issued. In fact, getting this far is quite the accomplishment — CAs require specialized infrastructure and security mechanisms along with paperwork to ensure processes have been properly audited. If all goes well, the certs will start working within a month while the company’s root propagates; applications for Google, Mozilla, Microsoft and Apple root programs have already been submitted.
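As an added illustration (not code from the article or from the Let's Encrypt project), here is how one such challenge works: the http-01 type as later standardized for ACME in RFC 8555, in which the applicant serves a value derived from the CA's token and its own account key, and the CA fetches and compares it. The token and key values below are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Value the applicant must serve: ties the CA's token to the account key."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_path(token: str) -> str:
    """URL path the CA fetches over plain HTTP on the domain being validated."""
    if not _TOKEN_RE.fullmatch(token):  # rejects '/' and '.', so no path traversal
        raise ValueError("token contains characters outside base64url")
    return f"/.well-known/acme-challenge/{token}"

def ca_accepts(served_body: str, token: str, jwk: dict) -> bool:
    """CA-side check: the fetched body must equal the expected key authorization."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(served_body.strip().encode("utf-8"), expected)

# Constructed sample values (not a real key or a real CA token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
OTHER_JWK = dict(ACCOUNT_JWK, x="b3RoZXIteA")
TOKEN = "constructed-token_0123"

if __name__ == "__main__":
    print(challenge_path(TOKEN))
    print(key_authorization(TOKEN, ACCOUNT_JWK))
    print(ca_accepts(key_authorization(TOKEN, OTHER_JWK), TOKEN, ACCOUNT_JWK))
```

Because the served value includes the account key's thumbprint, a response prepared under a different account key is rejected even when the token matches.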

The bottom line? The open source effort isn’t looking to replace existing CAs but instead offer a simple option for companies looking to leverage the benefits of HTTPS without incurring the costs or dealing with the complication. While this won’t instantly make the entire Internet secure since many sites will continue to self-sign their certificates, it’s a critical step forward in the fight for an open — and encrypted — future.
