A new initiative set to begin in 2015 aims to encrypt the entire web.
Let’s Encrypt is a new certificate authority (CA) that will offer free digital certificates and configuration tools to websites. More certificates will help facilitate a greater deployment of the HTTPS protocol across the Internet.
The CA is a project of the Internet Security Research Group (ISRG), a California public benefit company made up of diverse corporations, non-profits and industry leaders including Mozilla, Cisco, and the Electronic Frontier Foundation.
Many websites currently use the HTTP protocol, a standard which inherently exposes site owners to a number of threats including cyber espionage, keyword-based censorship, account hijacking, and a host of web application attacks such as SQLi and XSS.
It is currently very difficult for websites to transition to HTTPS. According to the ISRG, “Getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.”
Let’s Encrypt wants to change this. Beginning next year, the CA will allow websites to enable SSL/TLS for free, using only two simple shell commands.
Additionally, it will employ a number of new technologies, including an Automated Certificate Management Environment (ACME) protocol, to assist with domain verification.
Some are wary of the initiative’s unexpected consequences. For instance, Kevin Bocek, vice president of security strategy and threat intelligence at certificate-management firm Venafi, fears that the influx of certificates will just give additional targets to cybercriminals, resulting in more spoofed websites and man-in-the-middle attacks.
Even so, hopes are high for Let’s Encrypt. Web developers who want to test the service can do so on GitHub, where its code is publicly available.
Anyone interested in learning more about the CA can also watch a demo produced by the Electronic Frontier Foundation.