dslreports logo
 story category
EFF, Mozilla Launch New Free Security Certificate Authority

The EFF this week unveiled Let’s Encrypt, a new certificate authority (CA) initiative the company is building alongside Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan. According to an EFF blog post, Let's Encrypt aims to speed up the deployment of HTTPS by automatically issuing and managing free certificates for any website that needs them. The group states that switching a webserver from HTTP to HTTPS with their CA will be a one-click affair.

Click for full size
"The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires," states the EFF. The high number of broken certificate warnings are thanks to what the EFF calls a "structurally dysfunctional bureaucracy."

Let's Encrypt aims to fix this through a transparent, cooperative, automatic and free infrastructure that will be overseen by a new non-profit named the Internet Security Research Group.

"Let’s Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates," states the EFF. "We will use a protocol we’re developing called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. We will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue."

The project is expected to get off the ground sometime in the summer of 2015.


Most recommended from 28 comments



camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

4 recommendations

camper

Premium Member

Encrypt, not authenticate

 
The name of the project is "Let's Encrypt", not "Let's Authenticate the Site Owner".

While I agree completely with the comments about fraudsters, the main purpose of the Let's Encrypt project is to encrypt the communications between the user and the website.

The first sentence on the Let's Encrypt website currently says:
Vital personal and business information flows over the Internet more frequently than ever, and we don't always know when it's happening. It's clear at this point that encrypting is something all of us should be doing....
 
Extensive website owner authentication to eliminate fraudsters is another problem to be solved, separately from encryption. Let's not conflate the two.

phxmark
What Country Are We Living In?
join:2000-12-27
Glendale, AZ

2 recommendations

phxmark

Member

Thawte

I remember when Thawte had FREE certificates and then they slowly morphed into PAID certificates. Let's hope this remains truly free.

I am sure the big CAs, like Verisign, Network Solutions and others will somehow put pressure on Mozilla to start charging for certs in the future.

I truly believe that certificates should be free for non-profits, school districts and individuals not running a business.