
Security

Let's Encrypt Could Secure All Web Sites Free and Easily

By next summer, every Web site could start encrypting its communications free and easily. That's the idea behind a new consortium effort. "Let's Encrypt" is the brainchild of J. Alex Halderman, a computer science professor at the University of Michigan and director of U Michigan's Center for Computer Security and Society. Halderman has persuaded other academics, non-profits and corporate members to work together to develop a new certificate authority to enable more sites to run on HTTPS, the cryptographic protocol used to protect Web traffic and most often seen on shopping sites.

As Halderman explained in a blog entry, the reason more Web sites don't use HTTPS is that "it's too difficult...to set up and maintain." The process involves purchasing a digital certificate from a certificate authority that does identity-checking to confirm that a domain name belongs to the buyer and that a user's browser can trust the organization. Fees must be renewed every year. Once site operators have their certificates, they must "generate crypto keys, validate the site's identity, retrieve a certificate and configure their server to use it." These manual steps are "prone to human error," which means that a number of HTTPS sites actually have configuration problems that put their security at risk.

Let's Encrypt is expected to automate the process of obtaining, managing and renewing the security certificates.

Halderman enlisted support from a number of organizations to come up with free, automated and open HTTPS encryption for Web sites. Currently, Firefox creator Mozilla, Cisco, Akamai, the Electronic Frontier Foundation (EFF) and IdenTrust SSL are sponsoring the project.

"Anything you do on the Web is visible to network-based attackers if you're using regular HTTP," said Halderman. "Attackers can potentially spy on everything you're accessing, modify what you see, alter programs you download to make them malicious, or take over the Web site account you're logged in under. But HTTPS is a fundamental protection against these attacks, and what we're doing with Let's Encrypt is trying to make HTTPS ubiquitous."

According to EFF, "it typically takes a Web developer one to three hours to enable encryption for the first time." Let's Encrypt could reduce setup time to between 20 and 30 seconds.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
