With goal of universal HTTPS, Let’s Encrypt reaches important milestone

Share this…

Free service backed by EFF is now trusted by all major browsers.

A nonprofit effort aimed at encrypting the entire Web has reached an important milestone: its HTTPS certificates are now trusted by all major browsers.

The service, which is backed by the Electronic Frontier Foundation, Mozilla, Cisco Systems, and Akamai, is known as Let’s Encrypt. As Ars reported last year, the group will offer free HTTPS certificates to anyone who owns a domain name. Let’s Encrypt promises to provide open source tools that automate processes for both applying for and receiving the credential and configuring a website to use it securely.

HTTPS uses the transport layer security or secure sockets layer protocols to secure websites in two important ways. First, it encrypts communications passing between visitors and the Web server so they can’t be read or modified by anyone who may be monitoring the connection. Second, in the case of bare bones certificates, it cryptographically proves that a server belongs to the same organization or person with control over the domain, rather than an imposter posing as that organization. (Extended validation certificates go a step beyond by authenticating the identity of the organization or individual.)

With goal of universal HTTPS, Let’s Encrypt reaches important milestone

Privacy and security advocates have long pushed all websites to offer front-to-end HTTPS protection for all their pages, and the benefits are obvious. The regular occurrence of man-in-the-middle attacks that hijack huge chunks of Internet traffic is one good reason for universal HTTPS. When these types of attacks happen, HTTPS prevents the attackers from reading the diverted traffic or inserting malware into it once it’s forwarded to its final destination.

More recently, revelations from former National Security Agency subcontractor Edward Snowden about indiscriminate surveillance have brought new urgency to the push for widespread Web encryption. Let’s Encrypt was born out of this.

The service plans to open to the public on November 16.

Post updated in third paragraph to better explain how HTTPS works.

I would love to see this extended to identity certificates. It would be a huge step forward in the widespread acceptance of digitally signed documents. Seriously, why do I still have to print, sign, and fax in the year 2015?

It literally can’t be extended to identity validation at this time, as identity validation requires processes that are impossible to complete automatically*. See Section 3.2 of the requirements for CAs for more info.

* It’s a bit more nuanced than that, as different fields in the certificate require different validation procedures. Validating the countryName field for instance can be done automatically since that is based on IP range (easy to obtain via DNS lookups or who is submitting the request), but the only way to automate validating a business name/address or DBA/tradename field is to have a periodically-updated “Reliable Data Source” maintained by a third-party, which while doable isn’t under the scope of Let’s Encrypt just yet. I’d love it if someone else donated their db for free public use (so that one can verify that Let’s Encrypt is getting valid data, even if the data collection methods are hidden having the data itself public still mostly aligns with the spirit of Open Source; although it’d be the best if the data collection methods/scripts were also made available), but I don’t know if any such things exist. I don’t believe the EFF can champion their own database because of their relationship with Let’s Encrypt (by the requirements, it cannot be a Reliable Data Source unless it is being maintained by a third party: “Databases maintained by the CA, its owner, or its affiliated companies do not qualify as a Reliable Data Source if the primary purpose of the database is to collect information for the purpose of fulfilling the validation requirements under this Section 3.2.”). In any case, this would only help businesses as to verify the identity of an actual person verification of a government-issued photo id is required, including checking it for forgery or falsification).