Let's Encrypt (the Entire Web): 2014 in Review

DEEPLINKS BLOG
January 5, 2015

Last month we were very pleased to announce our work with Mozilla, the University of Michigan, Cisco, Akamai and IdenTrust on Let's Encrypt, a totally free and automated certificate authority that will be launching in summer 2015. In order to let mainstream browsers seamlessly connect securely to your web site, you need a digital certificate. Next year, we'll provide you with that certificate at no charge, and, if you choose, our software will install it on your server in less than a minute. We've been pursuing the ideas that turned into Let's Encrypt for three years, so it was a great pleasure to be able to share what we've been working on with the world.

The certificate authority (CA) system is not perfect, and has been attacked in the past. Browsers tend to believe what CAs tell them, and a compromised, malicious, or negligent CA could help your ISP, or a government, trick you into using an insecure connection. But by far the riskiest way to use encryption is not to use it at all. Government snoops were so excited that unencrypted communications were the default that they built massive infrastructure to tap the Internet backbones, to search through everyone's communications, and to instantly recognize individual devices and accounts. In 2015, we can change that default and start telling people that unencrypted connections are unsafe.

There's lots of exciting work going on in this area, and lots of ways to contribute technically. Our own project has a network protocol (being discussed at IETF), a client application, and an early version of the production server implementation for people to experiment with. There are also exciting ideas for improving the security of the system as a whole. For instance, some proposals help site operators and the public keep a closer eye on certificate authorities (including ours!) to make sure that we're not cheating or issuing false certificates. These include helping webservers to deploy HSTS, HPKP and other certificate pinning techniques, and using Certificate Transparency, as well as tools like ZMap and EFF's own SSL Observatory, to keep CAs' issuance practices more secure.

We'd love to see interested contributors join any of these projects. And we're thrilled to be working with our partners and colleagues from Mozilla, Akamai, Cisco, IdenTrust, and Alex Halderman's group at the University of Michigan to bring you Let's Encrypt. Here's to an encrypted new year!

This article is part of our Year In Review series; read other articles about the fight for digital rights in 2014.
