The continued march toward encrypting every online connection hit a noteworthy milestone last night when Let’s Encrypt announced that it was officially a Certificate Authority.
Let’s Encrypt is an open source movement to make HTTPS implementations simple and free of cost for domain owners. A month ago, Let’s Encrypt issued its first automated certificate and it promised then to have the beta certs it’s issued so far become valid and trusted in all major browsers.
Let’s Encrypt’s partner on this, IdenTrust, provided the cross-signatures necessary for this to happen, and now anyone visiting a site secured with a Let’s Encrypt certificate will not need any special configuration to access it. Let’s Encrypt is now part of the IdenTrust certificate chain, signifying that it too can be trusted as a CA going forward.
“The certificates issued in the beta will be ‘real’ and will be accepted by browsers. Our service should be available to the public the week of Nov. 21, and will be free of charge, including for commercial uses,” said Electronic Frontier Foundation (EFF) staff technologist Seth David Schoen. “It was a lot of work to get to this point. The PKI system famously has a lot of bureaucracy and we had to draft a lot of policy documents.”
A coalition of technology companies, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, joined the EFF and the University of Michigan late last year in getting Let’s Encrypt off the ground; the initiative is overseen by a California non-profit called Internet Security Research Group (ISRG).
Since the Snowden revelations began in earnest more than two years ago, technology providers have accelerated efforts to make HTTPS the default online.
“I think Let’s Encrypt will be transformative for web security, because anyone will be able to enable HTTPS on their web site for free in about a minute,” Schoen said. “I think we’ll provide the opportunity for a lot of infrastructure providers to change the default and start offering HTTPS by default for all their users. It will still take some more infrastructure work to interoperate smoothly with every platform and environment, but having the back-end CA in place is the most difficult step, and now it exists.”
The Let’s Encrypt movement has had a steady cadence in its approach to this milestone, starting with the technology companies standing it up, to its partnership with IdenTrust, to the arduous construction of a secure infrastructure to house the encryption keys and hardware security modules pertinent to the project. Let’s Encrypt also had to build a trustworthy authentication mechanism, EFF chief computer scientist Peter Eckersley told Threatpost last month. The mechanism is called Boulder, and it implements a new protocol called ACME, short for Automated Certificate Management Environment.
“This allows people to make automated requests for certs, and allows CAs to respond with a list of challenges before a cert is issued,” Eckersley said.
Eventually, webmasters will merely have to run a client to authenticate their server. They’ll also be able to enable features on their site like HTTP Strict Transport Security (HSTS), OCSP stapling and making sure that visitors to the old HTTP version of their site are redirected to the new HTTPS version.
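The two deployment steps mentioned above that a client can switch on, redirecting plain HTTP to HTTPS and sending HTTP Strict Transport Security, are small enough to show in full. The following is an added example, not code from Let’s Encrypt, Boulder or the article; it uses only Go’s standard library, the hostnames and the one-year HSTS value are constructed for the example, and the real listeners at the end are left as a comment because the demonstration runs against recorded requests instead.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// hstsValue is a constructed policy: one year, covering subdomains.
const hstsValue = "max-age=31536000; includeSubDomains"

// RedirectToHTTPS is the handler for the plain-HTTP listener: every request is
// sent to the same host, path and query on https://, with a 301 so browsers
// remember the move.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
}

// WithHSTS wraps the HTTPS handler and adds Strict-Transport-Security.
// Browsers only honour the header on a TLS response, so it is set only when
// the request arrived over TLS (r.TLS is nil for plain HTTP).
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

// RedirectLocation runs the redirect handler against a constructed request and
// returns the status code and Location header it produced.
func RedirectLocation(rawURL string) (int, string) {
	req := httptest.NewRequest("GET", rawURL, nil)
	rec := httptest.NewRecorder()
	RedirectToHTTPS(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

// HSTSHeader runs the wrapped handler against a constructed request and returns
// the Strict-Transport-Security header that was set (empty if none).
// httptest.NewRequest fills in r.TLS when the URL scheme is https.
func HSTSHeader(rawURL string) string {
	h := WithHSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello over TLS")
	}))
	req := httptest.NewRequest("GET", rawURL, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	code, loc := RedirectLocation("http://example.test/path?q=1")
	fmt.Println("redirect:", code, loc)
	fmt.Println("hsts over https:", HSTSHeader("https://example.test/"))
	fmt.Printf("hsts over http: %q\n", HSTSHeader("http://example.test/"))
	// In a real deployment the two handlers sit on separate listeners:
	//   go http.ListenAndServe(":80", http.HandlerFunc(RedirectToHTTPS))
	//   http.ListenAndServeTLS(":443", certFile, keyFile, WithHSTS(mux))
	// where certFile/keyFile are the issued certificate chain and private key.
}
```

The redirect must come first and the HSTS header must only ever be sent over TLS: once a browser has seen the header it refuses plain HTTP for the site for the whole max-age, so a site that cannot yet serve everything over HTTPS should start with a short max-age.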
Let’s Encrypt is hosting a demo site where one of its newly accepted certs is working in the real world. “Users can also view the chain, which includes three certs,” Schoen said.
“The root is “DST Root CA X3”, which is the name of one of the root CA certificates owned by IdenTrust. The newly issued thing in the middle is “Let’s Encrypt Authority X1”, which is the name of our intermediate CA, and if you click on it you see a digital certificate from DST Root CA X3 that says that Let’s Encrypt Authority X1 is a real CA,” Schoen said. “At the bottom is the end-entity certificate issued by Let’s Encrypt Authority X1 which describes the cryptographic key used by the site “helloworld.letsencrypt.org”. Because the middle link in the chain was created yesterday, the browser will accept what Let’s Encrypt Authority X1 said about this site.”
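The three-link chain Schoen describes, and why the middle link matters, can be reproduced with throwaway keys. The following is an added example rather than anything from Let’s Encrypt or IdenTrust: it builds a self-signed root, an intermediate signed by that root and an end-entity certificate signed by the intermediate (all names are constructed, with `helloworld.example` standing in for the demo site), then verifies the leaf the way a browser does, with only the root in the trust store. The same check is run once without the intermediate, which is the situation before the cross-signature existed, and once for a hostname the certificate does not cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn. If parent is nil the certificate is
// self-signed (a root); otherwise it is signed with parentKey. isCA marks it
// as an issuing authority; a leaf gets a DNS name and the serverAuth usage.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Chain mirrors the three links in the article: root, intermediate, end-entity.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildChain constructs root -> intermediate -> leaf for the given site name.
func BuildChain(site string) (*Chain, error) {
	root, rootKey, err := newCert("Example Root CA", true, nil, nil, 1)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert("Example Intermediate CA", true, root, rootKey, 2)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(site, false, inter, interKey, 3)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf checks the leaf as a browser would: only the root is trusted in
// advance, and the intermediate is whatever the server sent along with the
// leaf. withIntermediate=false models a server (or a CA with no cross-signature)
// that leaves the middle link out, so the path from leaf to root cannot be built.
func VerifyLeaf(c *Chain, site string, withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: site}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(opts)
	return err
}

func main() {
	chain, err := BuildChain("helloworld.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("full chain:          ", VerifyLeaf(chain, "helloworld.example", true))
	fmt.Println("missing intermediate:", VerifyLeaf(chain, "helloworld.example", false))
	fmt.Println("wrong hostname:      ", VerifyLeaf(chain, "other.example", true))
}
```

The first call returns nil; the second fails with an unknown-authority error even though every signature in the chain is valid, because the verifier cannot connect the leaf to anything it trusts without the intermediate; the third fails on the hostname, which is the check that stops a valid certificate for one site being presented for another.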