'Let's Encrypt' the Internet: From HTTP to HTTPS
by Abby Clobridge
Posted On September 29, 2015
In November 2014, the Electronic Frontier Foundation (EFF) announced the Let’s Encrypt initiative, which is designed to help transition the internet from using HTTP to using an encrypted HTTPS environment. Let’s Encrypt simplifies the cumbersome—and potentially expensive—process of obtaining and installing a Transport Layer Security (TLS) certificate from a trusted authority in order to encrypt web traffic. TLS is the updated version of the Secure Sockets Layer (SSL) encryption model, an earlier method for encrypting web traffic that has since been deprecated and is no longer in widespread use. On Sept. 14, 2015, Let’s Encrypt issued its first certificate, marking a major milestone in the project, which is now run by the newly created nonprofit organization ISRG (Internet Security Research Group). Major sponsors offer support, including Mozilla, Akamai, Cisco, EFF, IdenTrust, Automattic, Shopify, and the American Library Association’s Office for Intellectual Freedom.

Why HTTPS Matters

Although the internet has made progress over the past 2 decades in moving to environments in which HTTPS has become the norm for logins and payment transactions, many websites still encrypt only particular pages. Increasingly, information security best practices encourage encryption for all traffic—not just for pages through which sensitive information, such as login credentials or credit card numbers, is being transmitted—in order to eliminate session hijacking attacks and enhance overall privacy. However, in the current environment, acquiring and installing a TLS certificate can be a cumbersome and costly process, which leads to many websites not using HTTPS and leaving their traffic exposed.

Acquiring a TLS Certificate the Traditional Way

Even experienced systems administrators often cringe at the confusing and constantly changing process of installing a certificate on domains for which they are responsible. First, they must create a Certificate Signing Request (CSR), a specially formatted cryptographic document that contains details about the company and the server to be protected. The CSR is then sent to a certificate authority (CA), along with payment, to generate a certificate. Costs for such certificates range from around $10 to $100 per year.

Much of the cost associated with the traditional certificate model lies in the validation the issuing CA must perform before creating a certificate. Depending on the type of certificate requested, the CA will verify the requester’s identity in a variety of ways. Low-cost domain validation certificates typically warrant only an email to the registered owner of the domain, whereas Extended Validation (EV) certificates usually lead to far more in-depth background checks, involving Dun & Bradstreet (D&B) lookups, phone calls, or even requests for notarized copies of passports or driver’s licenses. High-profile ecommerce and banking sites increasingly are using EV certificates to establish customer trust, because they are indicated by a green lock symbol in the URL bar (making them easy to recognize).

After the customer’s identity has been validated, the CA issues a certificate. The certificate, usually a small text file, must then be manually loaded into the back-end configuration of the website’s server. This procedure is often exceedingly frustrating because different types of web server software, and often even different versions of the same software, have various requirements for the naming, storage location, and format of these certificates. Loading the certificate isn’t even the end of the task; TLS certificates have a limited lifetime—typically 1 or 2 years—after which time the process must be repeated. If a site operator forgets to renew a certificate, users will be greeted with an impossible-to-miss warning message when they attempt to connect to the site. Google’s Chrome browser, for instance, warns, “Your connection is not private. Attackers might be trying to steal your information … (for example, passwords, messages, or credit cards)” if a certificate is not valid or has expired.

Let’s Encrypt: Simplifying and Automating the Process

Let’s Encrypt aims to simplify and automate this entire process. Site operators simply need to install the letsencrypt tool on the web servers for which they are responsible. As the tool gains popularity, most web hosting companies likely will pre-install letsencrypt for their clients. The tool automates all of the steps outlined previously, starting with generating the CSR and ending with activating the final certificate. It even keeps track of the expiration date of certificates and automatically requests, downloads, and installs new certificates when expiration dates draw near. In addition, the whole process is free for users.
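A sketch of the expiry tracking described above, added here as an example and not code from the letsencrypt tool itself: it parses the notAfter line that `openssl x509 -noout -enddate` prints for an installed certificate, computes the days left, and flags each site as fine, due for renewal, or already expired (the state in which browsers show the warning quoted earlier). The 30-day threshold, host names, and dates are constructed for the example.

```python
"""Expiry tracking of the kind an automated renewal tool performs.
Added example; not the letsencrypt project's own code."""
import ssl
from datetime import datetime, timezone

# Renew when fewer than this many days remain. The threshold is an
# assumption; the article only says "when expiration dates draw near".
RENEW_BEFORE_DAYS = 30

# Constructed sample data: for each host, the line that
# `openssl x509 -noout -enddate -in cert.pem` would print.
SAMPLE_ENDDATES = {
    "shop.example.org": "notAfter=Dec 20 08:00:00 2015 GMT",
    "blog.example.org": "notAfter=Oct 10 08:00:00 2015 GMT",
    "old.example.org": "notAfter=Sep  1 08:00:00 2015 GMT",
}


def parse_not_after(line):
    """Turn a 'notAfter=<openssl time>' line into an aware UTC datetime."""
    _, _, value = line.partition("=")
    # ssl.cert_time_to_seconds understands openssl's "Mon DD HH:MM:SS YYYY GMT".
    seconds = ssl.cert_time_to_seconds(value.strip())
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def renewal_status(line, now):
    """Classify one certificate as 'ok', 'renew', or 'expired'."""
    days = days_remaining(parse_not_after(line), now)
    if days < 0:
        return "expired"  # visitors are already seeing the browser warning
    if days < RENEW_BEFORE_DAYS:
        return "renew"    # request, download, and install a new certificate
    return "ok"


def plan_renewals(enddates, now):
    """Map every host to its renewal status at time `now`."""
    return {host: renewal_status(line, now) for host, line in enddates.items()}


if __name__ == "__main__":
    # Evaluate as of the article's publication date.
    now = datetime(2015, 9, 29, tzinfo=timezone.utc)
    for host, status in plan_renewals(SAMPLE_ENDDATES, now).items():
        print(f"{host}: {status}")
```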

Let’s Encrypt’s full-scale rollout is currently slated for the week of Nov. 16, 2015.

Community Support for Let’s Encrypt

Although Let’s Encrypt is still a new endeavor, it is already generating a tremendous amount of support from the information security and privacy communities. The Let’s Encrypt community space encourages participants to ask questions and share insights on a range of highly technical as well as philosophical issues. But as is the case with many open source projects, Let’s Encrypt won’t have a 24/7 call center where users can ask questions. Instead, website operators will need to rely on the community for support.

Transitioning to a More Secure Internet

With the increasing sensitivities to privacy on the internet, fueled in large part by the Edward Snowden revelations, the tech industry has been responding by expanding the use of encryption in consumer products. For instance, in late 2014, Google announced changes to its search algorithms to boost rankings for sites using TLS—as the company indicated on its security blog, “[W]e’re starting to use HTTPS as a ranking signal.” Let’s Encrypt is a direct result of these changing demands for increasing privacy and security. As Google and others call for “HTTPS Everywhere,” we should expect to see a big push for encryption for all web-based communication, making initiatives such as Let’s Encrypt critical pieces of the new infrastructure.


Abby Clobridge is the founder of and principal consultant at FireOak Strategies (formerly Clobridge Consulting), a boutique firm specializing in knowledge management, information management, and open knowledge (open access, open data, open education). Abby has worked with a wide range of organizations throughout the world, including various United Nations agencies; private sector companies; colleges and research universities; nonprofit, intergovernmental, and multi-stakeholder organizations; and the news media. She can be found on Twitter (@aclobridge).



