Let’s Encrypt, starting in summer 2015, will offer free server certificates to help websites transition from HTTP to the more secure HTTPS protocol.
EFF is partnering with Akamai, Mozilla, Cisco, IdenTrust and University of Michigan researchers.
HTTPS, which consists of layering HTTP on top of the SSL/TLS protocol, has been around for years, but “certificate management and TLS in general tends to be a bit of a black art,” said Stephen Ludin, chief architect at Akamai.
“When you add to that, that obtaining certificates can be cumbersome and costly for an average webmaster, the benefits do not merit the effort,” he told TechNewsWorld.
Security “is the same all over,” Ludin continued. “If it’s inconvenient, people will find reasons not to do it.”
An EFFing Good Idea, What?
Web developers typically require one to three hours to enable encryption for the first time. Let’s Encrypt wants to use automation to slash that to 20-30 seconds for most sites.
Let’s Encrypt is developing the Automated Certificate Management Environment, or ACME, protocol, which will sit between Web servers and the certificate authority (CA). It includes support for new, stronger forms of domain validation.
The Let’s Encrypt agent software will run on users’ servers in the background and renew certs automatically when they’re due. It’ll be “at least as robust as the rest of your server and operating system, if not more, because it won’t talk to arbitrary other computers on the Internet,” said Peter Eckersley, the EFF’s technology projects director.
“Two of the key principles of the Let’s Encrypt effort are ‘free’ and ‘automatic,’” Ludin noted. “These … alone are enough to distinguish the goals of this new CA from existing CAs — and they directly address two of the prime reasons webmasters eschew TLS.”
The necessary roots are already part of mainstream browser distributions, so “everyone will get the benefits of the new CA without having to make any changes,” he added. Also, “with toolsets and APIs in place that make certificate renewal and rotation simple and secure, the corporate webmaster will find a handful of reasons to switch.”
Let’s Encrypt will serve as its own root CA. It will be operated by the nonprofit Internet Security Research Group.
Open Systems and the Fear of HeartBleed
Let’s Encrypt is an open source project, and “we are doing a lot of very careful engineering work to put structural protections in place against bugs like HeartBleed for the server software that runs the Let’s Encrypt CA,” the EFF’s Eckersley told TechNewsWorld.
Those protections include privilege separation, defense in depth and thorough auditing.
The project will have “a top-notch team watching the operation of those systems on a continual basis,” Eckersley added.
Other Aspects of Security
ACME will perform a “somewhat enhanced” version of what a domain-validated CA does to authenticate a website now, said Eckersley.
Spoofed CAs can be spotted through careful reviewing, and the Let’s Encrypt project has assembled “a really strong” team to perform reviews, he observed.
The project will use Internet-wide datasets of certificates — such as the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io and Google’s Certificate Transparency logs — to make higher-level security decisions about when a certificate is safe to issue.
Using these datasets will ensure that if Let’s Encrypt’s servers were compromised, “we’d be able to respond before it could affect significant numbers of users,” Eckersley said.
Internet-wide encryption is necessary, because otherwise “all of our browsing is vulnerable to account hijacking, surveillance by companies and governments, hackers on the network, content modification, malware injection and targeted censorship,” Eckersley pointed out.
Akamai “feels the ISRG is moving in a good direction for the Internet and wants to support that effort,” Ludin said. “We feel common communications on the Web should be encrypted, and this is going to significantly lower the barriers to entry.”