In November 2014, Electronic Frontier Foundation (EFF) announced the Let’s Encrypt initiative, which is designed to help transition the internet from using HTTP to using an encrypted HTTPS environment. Let’s Encrypt simplifies the cumbersome—and potentially expensive—process of obtaining and installing a Transport Layer Security (TLS) certificate from a trusted authority in order to encrypt web traffic. TLS is the updated version of the Secure Sockets Layer (SSL) encryption model, an earlier method for encrypting web traffic that has since been deprecated and is no longer in widespread use. On Sept. 14, 2015, Let’s Encrypt issued its first certificate, marking a major milestone in the project, which is now run by the newly created nonprofit organization ISRG (Internet Security Research Group). Major sponsors offer support, including Mozilla, Akamai, Cisco, EFF, IdenTrust, Automattic, Shopify, and the American Library Association’s Office for Intellectual Freedom.
Why HTTPS Matters
Although the internet has made progress over the past 2 decades in moving to environments in which HTTPS has become the norm for logins and payment transactions, many websites still encrypt only particular pages. Increasingly, information security best practices encourage encryption for all traffic—not just for pages through which sensitive information, such as login credentials or credit card numbers, is being transmitted—in order to eliminate session hijacking attacks and enhance overall privacy. However, in the current environment, acquiring and installing a TLS certificate can be a cumbersome and costly process, which leads to many websites not using HTTPS and leaving their traffic exposed.
Acquiring a TLS Certificate the Traditional Way
Even experienced systems administrators often cringe at the confusing and constantly changing process of installing a certificate on domains for which they are responsible. First, they must create a Certificate Signing Request (CSR), a specially formatted cryptographic document that contains details about the company and the server to be protected. The CSR is then sent to a certificate authority (CA), along with payment, to generate a certificate. Costs for such certificates range from around $10 to $100 per year.
Much of the cost associated with the traditional certificate model lies in the validation the issuing CA must perform before creating a certificate. Depending on the type of certificate requested, the CA will verify the requester’s identity in a variety of ways. Low-cost domain validation certificates typically warrant only an email to the registered owner of the domain, whereas Extended Validation (EV) certificates usually lead to far more in-depth background checks, involving D&B lookups, phone calls, or even requests for notarized copies of passports or driver’s licenses. High-profile ecommerce and banking sites increasingly are using EV certificates to establish customer trust, because they are indicated by a green lock symbol in the URL bar (making them easy to recognize).
After the customer’s identity has been validated, the CA issues a certificate. Usually in the form of a small text file, it must then be manually loaded into the back-end configuration of the website’s server. This procedure is often exceedingly frustrating because different types of web server software, and often even different versions of the same software, have various requirements for the naming, storage location, and format of these certificates. Loading the certificate isn’t even the end of the task; TLS certificates have a limited lifetime—typically 1 or 2 years—after which time the process must be repeated. If a site operator forgets to renew a certificate, users will be greeted with an impossible-to-miss warning message when they attempt to connect to the site. Google’s Chrome browser, for instance, warns, “Your connection is not private. Attackers might be trying to steal your information … (for example, passwords, messages, or credit cards)” if a certificate is not valid or has expired.
Let’s Encrypt: Simplifying and Automating the Process
Let’s Encrypt aims to simplify and automate this entire process. Site operators simply need to install the letsencrypt tool on the web servers for which they are responsible. As the tool gains popularity, most web hosting companies likely will pre-install letsencrypt for their clients. The tool automates all of the steps outlined previously, starting with generating the CSR and ending with activating the final certificate. It even keeps track of the expiration date of certificates and automatically requests, downloads, and installs new certificates when expiration dates draw near. In addition, the whole process is free for users.
Let’s Encrypt’s full-scale rollout is currently slated for the week of Nov. 16, 2015.
Community Support for Let’s Encrypt
Although Let’s Encrypt is still a new endeavor, it is already generating a tremendous amount of support from the information security and privacy communities. The Let’s Encrypt community space encourages participants to ask questions and share insights on a range of highly technical as well as philosophical issues. But as is the case with many open source projects, Let’s Encrypt won’t have a 24/7 call center where users can ask questions. Instead, website operators will need to rely on the community for support.
Transitioning to a More Secure Internet
With the increasing sensitivities to privacy on the internet, fueled in large part by the Edward Snowden revelations, the tech industry has been responding by expanding the use of encryption in consumer products. For instance, in late 2014, Google announced changes to its search algorithms to boost rankings for sites using TLS—as the company indicated on its security blog, “[W]e’re starting to use HTTPS as a ranking signal.” Let’s Encrypt is a direct result of these changing demands for increasing privacy and security. As Google and others call for “HTTPS Everywhere,” we should expect to see a big push for encryption for all web-based communication, making initiatives such as Let’s Encrypt critical pieces of the new infrastructure.