Let's Encrypt Could Secure All Web Sites Free and Easily

By next summer, every Web site could start encrypting its communications free and easily. That's the idea behind a new consortium effort. "Let's Encrypt" is the brainchild of J. Alex Halderman, a computer science professor at the University of Michigan and director of U Michigan's Center for Computer Security and Society. Halderman has persuaded other academics, non-profits and corporate members to work together to develop a new certificate authority to enable more sites to run on HTTPS, the cryptographic protocol that protects Web traffic and is most often seen on shopping sites.

As Halderman explained in a blog entry, the reason more Web sites don't use HTTPS is that "it's too difficult...to set up and maintain." The process involves purchasing a digital certificate from a certificate authority that does identity-checking to confirm that a domain name belongs to the buyer and that a user's browser can trust the organization. Fees must be renewed every year. Once site operators have their certificates, they must "generate crypto keys, validate the site's identity, retrieve a certificate and configure their server to use it." These manual steps are "prone to human error," which means that a number of HTTPS sites actually have configuration problems that put their security at risk.

Let's Encrypt is expected to automate the process of obtaining, managing and renewing the security certificates.

Halderman enlisted support from a number of organizations to come up with free, automated and open HTTPS encryption for Web sites. Currently, Firefox creator Mozilla, Cisco, Akamai, the Electronic Frontier Foundation (EFF) and IdenTrust SSL are sponsoring the project.

"Anything you do on the Web is visible to network-based attackers if you're using regular HTTP," said Halderman. "Attackers can potentially spy on everything you're accessing, modify what you see, alter programs you download to make them malicious, or take over the Web site account you're logged in under. But HTTPS is a fundamental protection against these attacks, and what we're doing with Let's Encrypt is trying to make HTTPS ubiquitous."

According to EFF, "it typically takes a Web developer one to three hours to enable encryption for the first time." Let's Encrypt could reduce setup time to between 20 and 30 seconds.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
