I’m hoping that, by now, you’ve heard of “Let’s Encrypt,” a free project by the non-profit Internet Security Research Group. The project is currently in public beta, but sometime in the new year, we can expect it to launch for everyone. And the timing couldn’t be better.
First, let’s catch everyone up. The EFF, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan got together last year and began building a free way to get a security certificate. If you’ve ever had to deal with a certificate authority, this should come as a great relief.
For one thing, Let’s Encrypt is free, so there are no purchase orders to write. For another, Let’s Encrypt actually handles the whole process around the certificate, which means it can get you updated certs as soon as the old ones expire.
If you’ve been reading the technology news at all for the past 10 years, you likely know that even Google and Microsoft have let their certs lapse from time to time. This results in users bouncing off your site with warnings that the site may not be valid or may be compromised in some way.
(To be honest, I’ve only ever had that warning pop up for sites with expired certificates; never have I come to a falsified site in the wild, though I am aware they do exist.)
Fortunately, though, Let’s Encrypt really does solve the biggest problems with security certs: renewals and expiration. When you’re in a humongous company that can’t actually pay for things with credit cards, or change anything in an outward-facing server, jumping through the hoops needed to get a valid cert can be incredibly painful.
Let’s hope Let’s Encrypt ends this silliness. Because if Let’s Encrypt can help to end the difficulties surrounding security certificates, maybe it can eventually help us put down the most ridiculous thing that is currently happening in security: the call by the FBI and other American law enforcement organizations for an end to encryption.
The sheer stupidity of this demand clearly shows how technically unsavvy these agencies are. It worries me greatly that the organization tasked with tracking down computer criminals believes that eliminating encryption, or putting backdoors into encryption software, is even a viable option, let alone the answer to their problems.