A consortium called the Internet Security Research Group, founded by Mozilla, Akamai, Cisco, the Electronic Frontier Foundation, IdenTrust, and researchers at the University of Michigan, have announced the Let's Encrypt initiative. Beginning in summer 2015, Let's Encrypt will provide free server certificates allowing website operators to provide encrypted sessions without the hassle of a click-through in browsers to accept a self-signed certificate.
At present, obtaining a server certificate typically requires a complicated registration form, a difficult process of installing the certificate on your server, the potential for the certificate to expire, and the comparatively steep price of having a certificate issued, typically around $100 per year. According to Josh Aas, the executive director of Let's Encrypt:
"Every browser in every device supports it. Every server in every data center supports it. Why don't we just flip the switch? The challenge is server certificates. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It's tricky to install correctly. It's a pain to update."
Let's Encrypt seeks to change that with use of the ACME protocol, which is planned to be submitted to the Internet Engineering Task Force (IETF) to become recognized as a free standard. This requires the installation of a small certificate manager, which can be done easily using a package manager. As indicated by Let's Encrypt, setting up HTTPS for a given website is as easy as these two commands:
$ sudo apt-get install lets-encrypt $ lets-encrypt example.com
This is hardly a challenge, compared to the laborious task required to getting a certificate through traditional methods. Anyone with five minutes of Linux experience can do it.
The delays between the announcement and the rollout of the Let's Encrypt service are intended to allow for further development of the ACME protocol and the installable certificate management service.
Not the first attempt at this
In late September 2014, cloud caching operator CloudFlare introduced a similar measure called Universal SSL, which provides HTTPS connections for CloudFlare customers, even users at the free tier. From the user-to-CloudFlare end, this access is encrypted without additional action taken by the site operator, though installation of a certificate for server-to-CloudFlare connections is still required. More of an encumbrance than a limitation is the lack of ECSDA support — used in CloudFlare's implementation — in Internet Explorer 6 and Android versions before 4.0 (Ice Cream Sandwich).
A renewed interest in security
With Verizon using "super cookies" to monitor users' activities for advertisement tracking purposes, and ISPs removing encryption from their webmail services, along with the security concerns that have arisen from mass monitoring for law enforcement purposes, a more concerted effort is being undertaken to encrypt the internet to prevent the interception of communication.
These endeavors include HTTPS Everywhere, a browser extension provided by the EFF that automatically enabled encrypted sessions on websites that support it. The IETF has also urged operators to default to encryption for all communications.
What about you?
Have you added HTTPS to your deployed websites because of privacy concerns? Do you use a plugin such as HTTPS Everywhere for your browser? Let us know in the comments.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.