Let's Encrypt Effort Aims to Improve Internet Security

http://www.eweek.com/security/lets-encrypt-effort-aims-to-improve-internet-security.html

Cisco, Akamai, Electronic Frontier Foundation, Mozilla and others join together in a new effort to expand cryptography use on the Web.

In the quest for improved user security on the Internet, encryption is a key tool, though it hasn't always been easy to use and deploy. Today, a group of organizations—including Mozilla, Cisco, Akamai, Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan—joined with the Internet Security Research Group (ISRG) to announce the Let's Encrypt initiative. The goal behind Let's Encrypt is to make it easier to get a proper Secure Sockets Layer/Transfer Layer Security (SSL/TLS) certificate that can be deployed to secure a Web server and its users. Let's Encrypt is aiming to deploy a free certificate authority at letsencrypt.org  that will provide the certificate, as well as be a source to verify the certificate's integrity and authenticity. While the Let's Encrypt effort is being announced today, the free Certificate Authority service will not be generally available until early in 2015. Today, server administrators can choose to deploy their own self-signed SSL/TLS certificates that are free to generate. The major stumbling block for self-signed certificates is that, unfortunately, they fundamentally provide zero authentication assurance, said Stephen Ludin, chief architect, Akamai and ISRG board member. "A browser will and/or should throw up a warning encouraging the user to not trust the site as there is no way to tell if the site you are accessing is really who they say they are," Ludin told eWEEK. "In the case of ISRG and the Let's Encrypt initiative, the certificates generated are legitimate certs and will be trusted by a significant percentage of browsers right out of the gate."

 

How to Deal with Today's Multi-Platform, Multi-Vendor Patch Management Mess

Download Now

For a certificate authority to be trusted by a browser, it needs to be included in the browser's root chain of trust.

Let's Encrypt is planning to apply to all major root programs, including Mozilla's, just like any other certificate authority, Josh Aas, ISRG executive director, said.  "We don't foresee any particular issues with our applications, as we plan to fully comply with requirements, including the baseline requirements," Aas told eWEEK. There are multiple types of SSL/TLS certificates that certificate authorities typically issue. Aas explained that Let's Encrypt is only planning to issue domain-validated (DV) certificates since those are the only certificates it can issue via an entirely automated process. For the Electronic Frontier Foundation (EFF), Let's Encrypt aligns well with a multiyear effort to expand the use of encryption on the Web. Peter Eckersley, technology projects director at the EFF, explained to eWEEK that in 2009 his organization started a long-term campaign to Encrypt the Web and began by encouraging companies, including Google, Facebook, Twitter, Wikipedia, Craigslist and other major Websites to deploy HTTPS and have it on by default. The EFF has also launched tools, including HTTPS Everywhere, a browser extension for helping users to ensure they are on secure versions of the sites they visit. "We also launched projects, including the SSL Observatory and a scorecard to promote HSTS [HTTP Strict Transport Security], to ensure that HTTPS actually delivered the security it was supposed to," Eckersley said. "The long-term aim of our campaign was always to switch the Web's default protocol to ensure that our browsing was always protected against surveillance, censorship and account hijacking." Eckersley added that the EFF realized that the lack of a free automated certificate authority was a roadblock for wider deployment of HTTPS. As such, the EFF started working with a team at the University of Michigan to create one.  "When we learned that Mozilla had a similar effort under way, we joined forces with them—and subsequently with Cisco, Akamai and Identrust—to create Let's Encrypt," Eckersley said. Alex Polvi, CEO of CoreOS, is also involved in the effort and currently serves on the board of directors for ISRG. From Akamai's perspective, participation in the Let's Encrypt effort is about removing the excuses for not moving to TLS, Ludin said.  He added that his expectation is that ISRG will be successful and become the primary provider for highly respected and affordable TLS certificates.  The EFF's Eckersley is also optimistic about the impact that the Let's Encrypt effort will have. "After launch in 2015, we believe we should be able to protect millions of Websites in short order," he said. The aim of Let's Encrypt is to ensure that a simple command or single button is available in all the major OSes and hosting platforms for deployment, Eckersley said.
"We're going to be working intensively with the folks who make your operating system, the folks who host your Website, to integrate this automatic security pipeline," Eckersley said. "To Websites that have been struggling with HTTPS, and Internet users who are frustrated by a lack of privacy and security, we have a simple message: Help is on the way."