By all accounts, switching a web server from HTTP to HTTPS has long been viewed as a painful affair: HTTPS/SSL certificates are expensive and, on top of that, notoriously cumbersome to install and maintain.
A new coalition comprising the Electronic Frontier Foundation (EFF) and a handful of other organizations announced today that it will address this in 2015 by issuing free HTTPS certificates to any site that wants one. Under a new organization called Let’s Encrypt, Cisco, Mozilla, Akamai and Identrust, with help from researchers at the University of Michigan, will join the EFF to issue and manage certificates securely.
The initiative will incorporate technology from all of the companies and will be overseen by a fairly new non-profit based in California, the ISRG (Internet Security Research Group).
HTTP is still the building block of the web, but it carries everything in cleartext with no integrity protection, and in the eyes of many in the security industry it has run its course. Users of HTTP sites expose themselves to a range of threats from anyone on the network path: identity theft, account hijacking, unwanted surveillance and malicious content injection.
The initiative should make it far easier to move sites off plain HTTP and give users encrypted sessions, especially where sensitive information is exchanged through banking portals, social media sites and email.
Let’s Encrypt will rely on a protocol called Automated Certificate Management Environment, or ACME, which uses a JSON-over-HTTPS interface. After agreeing to the end-user agreement, webmasters will merely have to run a client that proves they control the domain and obtains the certificate for the server. The client will also be able to enable related features on the site, such as HTTP Strict Transport Security (HSTS) and OCSP stapling, and to make sure that visitors to the old HTTP version of the site are redirected to the new HTTPS version.
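As an added illustration (not from the article, and not Let’s Encrypt’s own client output), here is what those three features look like once switched on in an nginx server block. The hostname, certificate paths and resolver address are assumed placeholders; the weak plain-HTTP configuration is shown commented out beside the hardened one.

```nginx
# Added example, not from the article or from Let's Encrypt.
# Hostname, certificate paths and resolver are assumed placeholders.

# Weak: serving the site on plain HTTP with no redirect leaves every
# session in cleartext for anyone on the network path to read or alter.
# server {
#     listen 80;
#     server_name example.com;
#     root /var/www/example;
# }

# Hardened: every plain-HTTP request is redirected to the HTTPS site.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;

    # Certificate chain and private key issued by the CA (paths assumed).
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # HSTS: a browser that has seen this header refuses plain-HTTP
    # connections to the host for max-age seconds. Start with a short
    # max-age while testing; a long value with includeSubDomains locks
    # every subdomain into HTTPS as well. "always" adds the header on
    # error responses too (nginx 1.7.5+).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # OCSP stapling: the server fetches the CA's signed OCSP response and
    # sends it in the TLS handshake, so clients learn the certificate's
    # revocation status without contacting the CA's responder themselves.
    # ssl_stapling_verify needs the issuing chain to check the response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;
}
```

The HSTS header is deliberately set only in the HTTPS block: browsers ignore it over plain HTTP, and the redirect in the port-80 block is what brings first-time visitors over to the protected site before the header can take effect.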
The new CA will also draw on existing technology: the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io and Google’s Certificate Transparency logs. To varying extents, these tools survey the certificates in use across the internet, making mis-issued or rogue certificates visible and keeping tabs on the state of HTTPS security.
HTTPS certificates can cost upwards of hundreds of thousands of dollars, and webmasters can find themselves stuck in a complex web of bureaucracy, with an error-prone and time-consuming process, when it comes to getting them deployed.
Let’s Encrypt, which officially plans to launch next summer, says it will cut the time it takes to set up a public key certificate to 20 or 30 seconds.
According to the EFF, certificates issued by Let’s Encrypt will be enrolled and renewed automatically, which should curb the browser error messages caused by expired certificates. Records of all Let’s Encrypt certificates, issued and revoked, will also be kept publicly available.
Certificates issued by the new CA will be cross-signed by Identrust, an established CA, until Let’s Encrypt’s own root is trusted directly by more browsers and applications.
“We will all be safer online,” EFF’s Technology Projects Director Peter Eckersley said Tuesday, trumpeting the plan.
“This project should boost everyday data protection for almost anyone who uses the Internet.”