Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode
Most websites don't display that little lock icon in the URL line. But in a world festering with cyberthreats and online fraud, they probably should.
Let's Encrypt, a nonprofit Certificate Authority still in development, aims to foster a safer World Wide Web by making it both simple and free to obtain TLS certificates, the certificates that earn the lock icon in the URL line and protect data flowing between users and websites.
The project, revealed out of stealth mode on Tuesday to encourage public feedback, is the work of a nonprofit formed earlier this year called the Internet Security Research Group (ISRG) and some heavyweight sponsors: Mozilla, Cisco, Akamai Technologies and IdenTrust, a consortium of some of the world's largest banks. The Electronic Freedom Foundation also is involved in the effort to offer web administrators an easier way to protect their users from intrusion.
Josh Aas, currently acting as ISRG's executive director, told CRN that most websites aren't using any encryption at all -- neither SSL, which no longer is considered secure, nor the TLS protocol, which offers the latest-and-greatest protection.
"When you are not using these, information you are exchanging with the web server is sent in the clear," he said.
The web is more complicated than many realize, Aas explained. Users don't always know that simple actions, such as hitting a "Like" button on a web page while logged into Facebook, can expose private information to sinister eyes.
Because of the complexity of today's web, encryption needs to be the default, Aas said.
Alex Polvi, CEO of CoreOS and a founding member of ISRG, told CRN that Let's Encrypt is "a big game-changer for Internet security."
"This just hasn't been done before in this way. Today, it costs money to secure your website. But we'll let everyone have it for free. That will create a more secure Internet," Polvi said.
Let's Encrypt automates the process of issuing a digital certificate "to show who you are is who you say you are," Aas said.
The current process of obtaining a certificate and installing it on a web server can be onerous, he said.
"For many people, it's hard to know how to get a TLS certificate. You have to know where to get one, who to get it from, then how to apply for it, then install it and configure it on your web server," Aas told CRN.
"That can be a lot of stuff, and can be pretty intimidating even for someone who knows their way around a web server," Aas added.
But once released, Let's Encrypt will reduce the whole process to a single step through automation, making it easier for all to deploy TLS technology.
It was important to make the service free, Aas said, not just to avoid a cost barrier, but also to simplify the deployment process by removing any billing interaction. For that reason, Let's Encrypt is funded by its sponsors.
"They all support our mission; they want to help support the Internet by making it more secure," Aas said.
Let's Encrypt started as a side project by developers at Mozilla. That project merged with one being undertaken by researchers at the University of Michigan, who were working on a similar endeavor.
The nonprofit Certificate Authority should be ready to go live somewhere near the end of the second quarter of 2015.
PUBLISHED NOV. 18, 2014