EFF, Mozilla back new certificate authority that will offer free SSL certificates

The new CA is called Let's Encrypt and its goal is to encourage the widespread adoption of SSL/TLS on the Internet

A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.

The new CA will be called Let's Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.

The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol -- the more secure successor of SSL (Secure Sockets Layer) -- said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.

The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.

The goal is to make getting a certificate as easy as possible, because that's currently the hardest part of turning on TLS, Aas said. With the new CA "there will be no billing interaction, no need to create an account. You don't really need to know much at all except that you want to turn on TLS."

The software used by the CA, as well as the client applications that will help users configure TLS certificates on Web servers like Apache, Nginx and Microsoft IIS, will be open source. The CA plans to operate in a transparent manner, with the certificate issuance and revocation records available to anyone who wishes to inspect them, Aas said.

Some demo software will be made available Tuesday, so that people can start providing feedback. A draft specification for the API (application programming interface) protocol that automates certificate issuance and renewal will also be published today and soon it will be submitted to the Internet Engineering Task Force (IETF) for consideration as an open standard, according to Aas.

Let's Encrypt will go through the same audit processes as other CAs and will follow the CA/Browser Forum's baseline requirements for the issuance and management of digital certificates.

ISRG will apply to have the CA's root certificate accepted into all major root programs like the ones run by Mozilla and Microsoft, so that Web browsers and other software clients will trust certificates issued by the new CA by default. However, this process can take between one and three years, so in the meantime the Let's Encrypt root certificates will be cross-signed by IdenTrust, a company that already runs a trusted CA and is one of the project's primary sponsors, Aas said.

This will ensure that Let's Encrypt can start issuing certificates that will be trusted by most applications as soon the CA becomes operational early next summer.

Other sponsors of the project include Cisco Systems and Akamai Technologies. Some researchers from the University of Michigan are also involved. Aas expects that more people and organizations will offer their support in the future.

"Over time, we're going to measure our success by two things: the spread of TLS usage and a shift in users' attitude about encryption," Aas said. "We'd like to get to a point where users expect and demand that all websites they visit are encrypted, not just their banks."

This is part of a larger effort to encrypt all forms of online communications that security and privacy experts have called for following revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.'s Government Communications Headquarters.

The IETF has already started work on developing TLS deployment guidelines for various communication protocols. Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, said last year that the goal of the technical community should be to make eavesdropping expensive through the widespread use of encryption, which would force the NSA to abandon the wholesale collection of data in favor of targeted collection.

This year Google modified its search ranking algorithms to favor HTTPS (HTTP Secure) websites in a move aimed at encouraging webmasters to implement TLS encryption on their sites.

The growing adoption of TLS might create an incentive for attackers to increasingly target the private keys associated with digital certificates. However, this is a larger issue that will require work from the whole industry to combat, Aas said.

There are plans for Let's Encrypt to join the CA/B Forum, an association of browser vendors and certificate authorities that develops guidelines and best practices for the issuance, revocation and management of TLS and code signing certificates.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Akamai Technologiesonline safetysecurityIdenTrustMozilla FoundationencryptionInternet Security Research GroupElectronic Frontier FoundationpkiCisco SystemsGoogle

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?