September 17, 2015 By Douglas Bonderud 2 min read

Last November, a group of technology companies, along with the Electronic Frontier Foundation (EFF) and the University of Michigan, founded Let’s Encrypt, an open-source project to create the world’s first automated — and free — certificate authority (CA). On Sept. 15, 2015, the group’s flagship cert went live.

In a recent Threatpost article, Peter Eckersley, chief computer scientist at the EFF, said these beta certs should be valid on browsers within a month once the CA is cross-signed to function with existing software. The ultimate goal? To make HTTPS conversion not only simple, but cost-effective for businesses of all shapes and sizes and finally relegate the less secure HTTP to second place.

Why HTTPS?

News about HTTPS is quickly becoming popular fodder for tech publications: Some companies embrace it, some decry it and still others look for ways to circumvent the technology altogether. As noted by the EFF, however, the security value of HTTPS can’t be overstated. Simply put, it protects everything “after the slash” in a URL, from browser communications to specific pages on websites.

The Foundation also noted that this kind of broad security makes it more difficult for nation-states to block website access, as Russia recently found out when trying to block “offensive” Wikipedia content. Since the online encyclopedia recently adopted full HTTPS, shutting down one page blocked access to the entire site, in turn prompting widespread pushback. In other words, HTTPS makes censorship much more public and much more difficult to maintain.

Search Engine Land, meanwhile, pointed to another possible benefit of HTTPS: better search rankings. According to recent comments made by Google’s Gary Illyes, HTTPS may act as a tiebreaker in cases where the quality of two search results is otherwise equal thanks to the search giant’s recent ranking boost to sites using the secure protocol. While Illyes said that choosing HTTP is still “perfectly fine,” companies in tight, competitive niches would be well-served using HTTPS to gain every advantage possible.

The New Cert

Despite HTTPS benefits, however, some companies have been reluctant to make the switch. As noted by CSO Online, part of the problem is cost since the SSL/TLS certificates needed are often expensive and expire after a certain period. Let’s Encrypt, meanwhile, wants to make certificates free for anyone who applies. In addition, the new CA wants to reduce the complexity of the certificate application process by eliminating the human element; the entire service is automated. Doing so required the project to create Boulder, a trustworthy authentication mechanism that sits on top of the Automated Certificate Management Environment (ACME).

Ideally, companies will be able to make automated cert requests and the CA will respond with a list of challenges that must be addressed before certificates are issued. In fact, getting this far is quite the accomplishment — CAs require specialized infrastructure and security mechanisms along with paperwork to ensure processes have been properly audited. If all goes well, the certs will start working within a month while the company’s root propagates; applications for Google, Mozilla, Microsoft and Apple root programs have already been submitted.

The bottom line? The open source effort isn’t looking to replace existing CAs but instead offer a simple option for companies looking to leverage the benefits of HTTPS without incurring the costs or dealing with the complication. While this won’t instantly make the entire Internet secure since many sites will continue to self-sign their certificates, it’s a critical step forward in the fight for an open — and encrypted — future.

More from

How generative AI Is expanding the insider threat attack surface

3 min read - As the adoption of generative AI (GenAI) soars, so too does the risk of insider threats. This puts even more pressure on businesses to rethink security and confidentiality policies.In just a few years, artificial intelligence (AI) has radically changed the world of work. 61% of knowledge workers now use GenAI tools — particularly OpenAI’s ChatGPT — in their daily routines. At the same time, business leaders, often partly driven by a fear of missing out, are investing billions in tools…

Water facilities warned to improve cybersecurity

3 min read - United States water facilities, which include 150,000 public water systems, have become an increasingly high-risk target for cyber criminals in recent years. This rising threat has demanded more attention and policies focused on improving cybersecurity.Water and wastewater systems are one of the 16 critical infrastructures in the U.S. The definition for inclusion in this category is that the industry must be so crucial to the United States that “the incapacity or destruction of such systems and assets would have a…

New ransomware over browser threat targets uploaded files

3 min read - We all have a mental checklist of things not to do while online: click on unknown links, use public networks and randomly download files sent over email. In the past, most ransomware was deployed on your network or computer when you downloaded a file that contained malware. But now it’s time to add a new item to our high-risk activity checklist: use caution when uploading files. What is ransomware over browsers? Researchers at Florida International University worked with Google to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today