'Encryption by default' is a stated goal for many internet players, but roadblocks persist in transitioning the web from HTTP to HTTPS, including the complexity, bureaucracy and cost of the certificates that HTTPS requires. Taking aim at the issue, the Electronic Freedom Foundation (EFF) will launch a new certificate authority (CA) initiative in 2015, dubbed Let’s Encrypt.
The Let’s Encrypt CA will automatically issue and manage free certificates for any HTTPS website that needs them. EFF is working with Mozilla, Cisco, Akamai, IdenTrust and researchers at the University of Michigan to make it happen, with the launch scheduled for summer 2015.
Unencrypted HTTP websites make users vulnerable to a range of problems, including account hijacking and identity theft; surveillance and tracking by governments and companies; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. HTTPS can eliminate much of the ease for bad guys in executing these.
“Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button,” EFF said in a posting. “We’re all familiar with the warnings and error messages produced by mis-configured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.”
EFF said that Let's Encrypt will eliminate most kinds of erroneous certificate warnings. And, it will reduce the time it typically takes a web developer to enable encryption for the first time from 1-3 hours to 20-30 seconds. This is done using various technologies to manage secure automated verification of domains and issuance of certificates.
These include a protocol that it’s developing called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. It will also employ internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue.
But, keeping certificates safe is a continuing worry, potentially undermining the security of HTTPS.
“Keys and certificates provide the foundation of trust for every app, website, and cloud today. And they are consistently being misused and compromised by attackers now,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Infosecurity. “More certificates means more opportunity for misuse by cyber-criminals to spoof sites, using man-in-the middle to read encrypted data and transfer data over encryption sessions. All of this undermines critical security controls—from strong authentication to threat detection to privileged access systems.”
He added, “Let’s Encrypt and other initiatives to get SSL/TLS turned on with free digital certificates is just one more indicator that securing and protecting keys and certificates is the problem to solve.”