EFF, Mozilla back new certificate authority that will offer free SSL certificates

The new CA is called Let's Encrypt and its goal is to encourage the widespread adoption of SSL/TLS on the Internet

A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.

The new CA will be called Let's Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.

The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol -- the more secure successor of SSL (Secure Sockets Layer) -- said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.

The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.

The goal is to make getting a certificate as easy as possible, because that's currently the hardest part of turning on TLS, Aas said. With the new CA "there will be no billing interaction, no need to create an account. You don't really need to know much at all except that you want to turn on TLS."

The software used by the CA, as well as the client applications that will help users configure TLS certificates on Web servers like Apache, Nginx and Microsoft IIS, will be open source. The CA plans to operate in a transparent manner, with the certificate issuance and revocation records available to anyone who wishes to inspect them, Aas said.

Some demo software will be made available Tuesday, so that people can start providing feedback. A draft specification for the API (application programming interface) protocol that automates certificate issuance and renewal will also be published today and soon it will be submitted to the Internet Engineering Task Force (IETF) for consideration as an open standard, according to Aas.

Let's Encrypt will go through the same audit processes as other CAs and will follow the CA/Browser Forum's baseline requirements for the issuance and management of digital certificates.

ISRG will apply to have the CA's root certificate accepted into all major root programs like the ones run by Mozilla and Microsoft, so that Web browsers and other software clients will trust certificates issued by the new CA by default. However, this process can take between one and three years, so in the meantime the Let's Encrypt root certificates will be cross-signed by IdenTrust, a company that already runs a trusted CA and is one of the project's primary sponsors, Aas said.

This will ensure that Let's Encrypt can start issuing certificates that will be trusted by most applications as soon the CA becomes operational early next summer.

Other sponsors of the project include Cisco Systems and Akamai Technologies. Some researchers from the University of Michigan are also involved. Aas expects that more people and organizations will offer their support in the future.

"Over time, we're going to measure our success by two things: the spread of TLS usage and a shift in users' attitude about encryption," Aas said. "We'd like to get to a point where users expect and demand that all websites they visit are encrypted, not just their banks."

This is part of a larger effort to encrypt all forms of online communications that security and privacy experts have called for following revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.'s Government Communications Headquarters.

The IETF has already started work on developing TLS deployment guidelines for various communication protocols. Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, said last year that the goal of the technical community should be to make eavesdropping expensive through the widespread use of encryption, which would force the NSA to abandon the wholesale collection of data in favor of targeted collection.

This year Google modified its search ranking algorithms to favor HTTPS (HTTP Secure) websites in a move aimed at encouraging webmasters to implement TLS encryption on their sites.

The growing adoption of TLS might create an incentive for attackers to increasingly target the private keys associated with digital certificates. However, this is a larger issue that will require work from the whole industry to combat, Aas said.

There are plans for Let's Encrypt to join the CA/B Forum, an association of browser vendors and certificate authorities that develops guidelines and best practices for the issuance, revocation and management of TLS and code signing certificates.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Akamai Technologiesonline safetysecurityIdenTrustMozilla FoundationencryptionInternet Security Research GroupElectronic Frontier FoundationpkiCisco SystemsGoogle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?