EFF unveils Let's Encrypt HTTPS programme

November 19, 2014 // 12:06 p.m.

Tags: #akamai #certificate-authority #cisco #eff #encryption #https #identrust #lets-encrypt #mozilla #privacy #ssl #tls #university-of-michigan

The Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, Identrust and the University of Michigan have jointly announced plans to create a new certificate authority under a programmed dubbed Let's Encrypt.

The EFF, as you would expect from a privacy-centric organisation, is a firm believer that everything should be encrypted - starting with making sure that as much web traffic as possible goes over TLS-secured HTTPS rather than plain-text HTTP. 'The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires,' the EFF explained in its announcement. 'We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

'The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds.

While it's possible to set up self-signed certificates in roughly the same time a Let's Encrypt certificate would take, doing so will result in warnings from visitors' browsers that the certificate authority which issued said certificate - in this case, you - is untrusted. Let's Encrypt, by contrast, plans to use a new protocol dubbed ACME to validate domains and automatically issue certificates which will be trusted in all modern browsers - without payment, and without complexity.

Let's Encrypt is to be driven by a newly-formed non-profit organisation dubbed the Internet Security Research Group (ISRG). The authority is due to go live next year, with an early developer preview of the open-source software available via GitHub. A demonstration video is reproduced below, while more details are available at LetsEncrypt.org.

Discuss this in the forums