EFF, Mozilla back new certificate authority that will offer free SSL certificates

The new CA is called Let's Encrypt and its goal is to encourage the widespread adoption of SSL/TLS on the Internet

A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.

The new CA will be called Let's Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.

The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol -- the more secure successor of SSL (Secure Sockets Layer) -- said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.

The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.

The goal is to make getting a certificate as easy as possible, because that's currently the hardest part of turning on TLS, Aas said. With the new CA "there will be no billing interaction, no need to create an account. You don't really need to know much at all except that you want to turn on TLS."

The software used by the CA, as well as the client applications that will help users configure TLS certificates on Web servers like Apache, Nginx and Microsoft IIS, will be open source. The CA plans to operate in a transparent manner, with the certificate issuance and revocation records available to anyone who wishes to inspect them, Aas said.

Some demo software will be made available Tuesday, so that people can start providing feedback. A draft specification for the API (application programming interface) protocol that automates certificate issuance and renewal will also be published today and soon it will be submitted to the Internet Engineering Task Force (IETF) for consideration as an open standard, according to Aas.

Let's Encrypt will go through the same audit processes as other CAs and will follow the CA/Browser Forum's baseline requirements for the issuance and management of digital certificates.

ISRG will apply to have the CA's root certificate accepted into all major root programs like the ones run by Mozilla and Microsoft, so that Web browsers and other software clients will trust certificates issued by the new CA by default. However, this process can take between one and three years, so in the meantime the Let's Encrypt root certificates will be cross-signed by IdenTrust, a company that already runs a trusted CA and is one of the project's primary sponsors, Aas said.

This will ensure that Let's Encrypt can start issuing certificates that will be trusted by most applications as soon as the CA becomes operational early next summer.

Other sponsors of the project include Cisco Systems and Akamai Technologies. Some researchers from the University of Michigan are also involved. Aas expects that more people and organizations will offer their support in the future.

"Over time, we're going to measure our success by two things: the spread of TLS usage and a shift in users' attitude about encryption," Aas said. "We'd like to get to a point where users expect and demand that all websites they visit are encrypted, not just their banks."

This is part of a larger effort to encrypt all forms of online communications that security and privacy experts have called for following revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.'s Government Communications Headquarters.

The IETF has already started work on developing TLS deployment guidelines for various communication protocols. Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, said last year that the goal of the technical community should be to make eavesdropping expensive through the widespread use of encryption, which would force the NSA to abandon the wholesale collection of data in favor of targeted collection.

This year Google modified its search ranking algorithms to favor HTTPS (HTTP Secure) websites in a move aimed at encouraging webmasters to implement TLS encryption on their sites.

The growing adoption of TLS might create an incentive for attackers to increasingly target the private keys associated with digital certificates. However, this is a larger issue that will require work from the whole industry to combat, Aas said.

There are plans for Let's Encrypt to join the CA/B Forum, an association of browser vendors and certificate authorities that develops guidelines and best practices for the issuance, revocation and management of TLS and code signing certificates.

Lucian Constantin

IDG News Service