Let’s Encrypt, a movement to issue free and automated HTTPS certificates, today hit a major milestone when its first cert went live.
The desire to encrypt web-based services has accelerated projects such as Let’s Encrypt, which was announced last November, and promised by the close of this summer to get the ball rolling on making free certs easily available.
“The lack of free automated certs has been the largest puzzle piece stopping the web from being HTTPS by default,” said Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation (EFF). “We are extremely excited that we are finally slotting in that missing piece of puzzle.”
A coalition of technology companies, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, joined the EFF and the University of Michigan late last year in getting Let’s Encrypt off the ground; the initiative is open source and overseen by a California non-profit called Internet Security Research Group (ISRG).
The goal of Let’s Encrypt is to make HTTPS implementations simple and free for domain owners.
“In order to become a Certificate Authority, you need a lot of specialized infrastructure and security mechanisms in place, and a lot of paperwork to document that those processes have been audited, that your backup processes have been audited and your failsafes have been audited,” Eckersley said. “This is a sign that Let’s Encrypt has done all of that homework.”
Eckersley said that the project is on track within a month to have its beta certs that have been issued become valid in browsers. IdenTrust is providing Let’s Encrypt with the cross-signature it needs in order to become a CA for existing browsers and software.
Finding that partner was one of the first challenges Let’s Encrypt had to meet, followed closely by the construction of a secure infrastructure where keys and hardware security modules are stored in secure locations and having a sturdy network to protecting them. Eckersley said Let’s Encrypt also has a second line of defense in place that alerts about potential compromises and enables the project to recover quickly if it’s attacked.
“In our case because we are not issuing certs with human involvement, we had to build a trustworthy authentication mechanism,” Eckersley said. The mechanism, called Boulder, was written on top of a new protocol called ACME [Automated Certificate Management Environment]. “This allows people to make automated requests for certs, and allows CAs to respond with a list of challenges before a cert is issued.”
Eventually, webmasters will merely have to run a client to authenticate their server. They’ll also be able to enable features on their site like HTTP Strict Transport Security (HSTS), OCSP stapling and making sure that visitors to the old HTTP version of their site are redirected to the new HTTPS version.
“We expect to have a spectrum of users from small web developers who run their own sites to those hosting dozens of sites on a UNIX box with Apache, to serious infrastructure—hosting providers,” Eckersley said.
Josh Aas, executive director of the ISRG, said the cross-signature is not in place yet for Let’s Encrypt, but the first cert works if the ISRG root is installed in the trusted root store.
“When we are cross signed, approximately a month from now, our certificates will work just about anywhere while our root propagates,” Aas said, adding that Let’s Encrypt has already submitted initial applications to the Google, Mozilla, Apple and Microsoft root programs.
“Anyone who cares deeply for Web security should be celebrating today,” wrote Rainey Reitman, EFF activism director, on the organization’s website.
