The Electronic Frontier Foundation, along with a coalition of tech companies, organizations and researchers, has announced Let’s Encrypt: a new certificate authority (CA) initiative to implement the HTTPS encryption and communications protocol across the entire Web.
Let’s Encrypt, which is also backed by Akamai, Cisco, IdenTrust, Mozilla and University of Michigan researchers, is intended as a large-scale effort to clear the remaining Internet-wide roadblocks to transitioning from HTTP to HTTP Secure (HTTPS), and to encrypt every website with HTTPS by default. According to the EFF news release, the CA initiative will focus on reducing the complexity of implementing HTTPS by simplifying the process of obtaining, installing and managing HTTPS certificates.
For Web developers, this means a much shorter setup time for HTTPS—several hours reduced to 20-30 seconds—and several new Web technologies to help developers automate and secure HTTPS protocols on their sites and Web applications.
A new open-source protocol called ACME will help support stronger domain validation, and a combination of certificate datasets (such as the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io and Google’s Certificate Transparency log) will aid in assessing HTTPS certificate security. A new nonprofit organization called the Internet Security Research Group (ISRG) will manage the CA initiative.
“With our client software, which speaks ACME to the Let’s Encrypt API servers, developers can set up [Transport Layer Security] simply by providing a domain name,” ISRG executive director Joshua Aas told SD Times. “There are, and will be, more-advanced options providing more control.”
Aas said developers looking to get involved with Let’s Encrypt should start by checking out CA specifications and software on GitHub, including the Let’s Encrypt developer preview. The ISRG is looking for developer feedback on use cases, the tool’s user interface and behavior, and the protocol itself.
“Each specification and piece of software has its own repository and issues tracker,” Aas said. “Developers can help by filing new issues and resolving existing issues. As we move forward, we’ll add more infrastructure for developer interaction.”
Let’s Encrypt has set a launch date of summer 2015, and in the meantime the ISRG will be writing software, installing hardware, working to pass audits, and building an open-source community around the certificate authority. According to Aas, the ISRG hopes to accelerate the adoption rate of Web-wide HTTPS deployment within the next year before the official launch.
Ultimately, Aas, the ISRG and the entire coalition behind Let’s Encrypt are working toward changing attitudes about the Internet-wide importance and priority of HTTPS.
“We’d like to see Web developers and system administrators view secure and encrypted communication as the default mode of operation,” Aas said. “Right now, for example, HTTP is the default and HTTPS is considered to be an optional feature. That needs to change, and similar changes in terms of choosing security by default probably need to be made in other parts of the Web development stack as well.”
More information is available on the Let’s Encrypt website.