Let’s Encrypt Hits Another Free HTTPS Milestone

Let’s Encrypt hit a milestone last night when it received the cross-signatures necessary to render its beta and free certificates trusted by all browsers.

The continued march toward encrypting every online connection hit a noteworthy milestone last night when Let’s Encrypt announced that it was officially a Certificate Authority.

Let’s Encrypt is an open source movement to make HTTPS implementations simple and free of cost for domain owners. A month ago, Let’s Encrypt issued its first automated certificate and it promised then to have the beta certs it’s issued so far become valid and trusted in all major browsers.

Let’s Encrypt’s partner on this, IdenTrust, provided the cross-signatures necessary for this to happen, and now anyone visiting a site secured with a Let’s Encrypt certificate no longer needs any special configuration to access it. Let’s Encrypt is now part of the IdenTrust certificate chain, signifying that it too can be trusted as a CA going forward.

“The certificates issued in the beta will be ‘real’ and will be accepted by browsers. Our service should be available to the public the week of Nov. 21, and will be free of charge, including for commercial uses,” said Electronic Frontier Foundation (EFF) staff technologist Seth David Schoen. “It was a lot of work to get to this point. The PKI system famously has a lot of bureaucracy and we had to draft a lot of policy documents.”

A coalition of technology companies, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, joined the EFF and the University of Michigan late last year in getting Let’s Encrypt off the ground; the initiative is overseen by a California non-profit called Internet Security Research Group (ISRG).

Since the Snowden revelations began in earnest more than two years ago, technology providers have accelerated efforts to make HTTPS the default online.

“I think Let’s Encrypt will be transformative for web security, because anyone will be able to enable HTTPS on their web site for free in about a minute,” Schoen said. “I think we’ll provide the opportunity for a lot of infrastructure providers to change the default and start offering HTTPS by default for all their users. It will still take some more infrastructure work to interoperate smoothly with every platform and environment, but having the back-end CA in place is the most difficult step, and now it exists.”

The Let’s Encrypt movement has had a steady cadence in its approach to this milestone, starting with the technology companies standing it up, to its partnership with IdenTrust, to the arduous construction of a secure infrastructure to house the encryption keys and hardware security modules pertinent to the project. Let’s Encrypt also had to build a trustworthy authentication mechanism, EFF chief computer scientist Peter Eckersley told Threatpost last month. The mechanism is called Boulder and implements a new protocol called ACME, short for Automated Certificate Management Environment.

“This allows people to make automated requests for certs, and allows CAs to respond with a list of challenges before a cert is issued,” Eckersley said.

Eventually, webmasters will merely have to run a client to authenticate their server. They’ll also be able to enable features on their site like HTTP Strict Transport Security (HSTS), OCSP stapling and making sure that visitors to the old HTTP version of their site are redirected to the new HTTPS version.

Let’s Encrypt is hosting a demo site where one of its newly accepted certs is working in the real world. “Users can also view the chain, which includes three certs,” Schoen said.

“The root is ‘DST Root CA X3’, which is the name of one of the root CA certificates owned by IdenTrust. The newly issued thing in the middle is ‘Let’s Encrypt Authority X1’, which is the name of our intermediate CA, and if you click on it you see a digital certificate from DST Root CA X3 that says that Let’s Encrypt Authority X1 is a real CA,” Schoen said. “At the bottom is the end-entity certificate issued by Let’s Encrypt Authority X1 which describes the cryptographic key used by the site ‘helloworld.letsencrypt.org’. Because the middle link in the chain was created yesterday, the browser will accept what Let’s Encrypt Authority X1 said about this site.”
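The three-link chain Schoen describes, rebuilt with throwaway keys so the verification step can be seen in isolation (an added example, not Let’s Encrypt’s or IdenTrust’s material): a self-signed root plays the part of DST Root CA X3, an intermediate signed by that root plays Let’s Encrypt Authority X1, and a site certificate signed by the intermediate stands in for helloworld.letsencrypt.org. The subject names and the `helloworld.example` hostname are placeholders; the script assumes an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example, not from the article: build a root -> intermediate -> site
# chain and verify it the way a browser does. All names are placeholders and
# all keys are throwaway keys generated here.
set -e
WORK=$(mktemp -d)

# sign_cert NAME SUBJECT EXTFILE [ISSUER]: make a key and CSR, then sign it
# with ISSUER's key, or self-sign when no ISSUER is given (the root).
sign_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ -n "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -extfile "$3" -out "$WORK/$1.crt" -days 90 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$3" -out "$WORK/$1.crt" -days 365 2>/dev/null
  fi
}

# Extensions: CA certificates may sign other certificates; the site cert may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:helloworld.example\n' > "$WORK/ee.ext"

sign_cert root  "Example Root CA"         "$WORK/ca.ext"        # trust anchor
sign_cert inter "Example Intermediate CA" "$WORK/ca.ext" root   # the cross-signed link
sign_cert site  "helloworld.example"      "$WORK/ee.ext" inter  # end-entity

# verify_chain ROOT LEAF [INTERMEDIATE]: returns 0 when LEAF chains up to ROOT.
# ROOT is what the browser's trust store holds; INTERMEDIATE is what the
# server must send alongside the site certificate.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

if verify_chain "$WORK/root.crt" "$WORK/site.crt" "$WORK/inter.crt"; then
  echo "full chain: accepted"
fi
# With no signed intermediate to link the site cert to the trusted root,
# verification fails: this is the gap the IdenTrust cross-signature closed.
if ! verify_chain "$WORK/root.crt" "$WORK/site.crt"; then
  echo "intermediate missing: rejected"
fi
```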

  • Brian M on

    Encrypting everything is just plain silly! There is no need. Yes, encryption is vital when you have something that needs to be kept secret, otherwise why bother? Two other powerful reasons why it's a bad idea: 1. The more encrypted data you have floating about, especially when the listener has a good idea of what the un-encoded data is, then it's likely to make the breaker's job easier, not easy by any means, just easier. 2. Users will assume everything is encrypted and safe, but it may well be a false sense of security. Codes can be leaked, hacked or legally obtained. If anyone really believes certificates are secure, especially against government actors, then they are living in a fool's paradise - their clouds are all white and fluffy! Then the final problem is speed - there is a definite slowness on encrypted sites, especially on less than new machines and slow connections. Also, the more samples of encrypted data you have out there, I have more than a suspicion this will probably make us all less secure.
    • Jeff on

      Brian - Your arguments are not sound. I am unaware of any true and tried current encryption mechanism that has been broken because someone knew what the source "was like." I have only read about the flaws in the encryption protocols themselves that have been / can be exploited. So my question is: are you talking about data at rest instead of data in motion? Any good encryption mechanism will look completely random, so there is no way for you to tell whether or not you are looking at an MP3 file, a Word document or any other type of file. Let me put your theory to work though. Let's say I have 10,000 encrypted hard drives (encrypted at the hardware level). All they contain are Word documents that tell us how to rid the world of disease (pick any file type). I know what is on them and I want access to them. Does knowing what is on there help me in any way to break the encryption?
    • Khürt Williams on

      "Yes encryption is vital when you have something that needs to be kept secret, otherwise why bother?" Exactly! But ... are you the one who gets to decide what is a secret for me?
  • EricO on

    OK, reasons to encrypt everything: Let's say you want to steal a copy of my diary. Assume there's a weakness in my encryption that would allow you to get in if given 24 hours of computing resources. If I encrypt every message I send, you'll be busy searching and searching and you'll always be working a backlog. My security is improved because you likely would be unable to keep up. I can create more messages, and faster, than you can decipher. (Unless you have the NSA budget)... So let's everyone encrypt, and I mean everyone, every message, and bust the budget or possibly discover the budget.
