Today marks a major milestone for the encrypted Web. Let's Encrypt, the free and automated certificate authority, has entered Public Beta. That means it's easier than ever for websites to adopt HTTPS encryption. A huge percentage of the world's daily Internet usage currently takes place over unencrypted HTTP, exposing people to illegal surveillance and injection of unwanted ads, malware, and tracking headers into the websites they visit. EFF's Encrypt the Web project aims to fix that, and Let's Encrypt—a collaboration with Mozilla, the University of Michigan, Cisco, Akamai and many other sponsoring organizations—should be a huge step forward.
In order to use HTTPS, a website operator needs to obtain and install a certificate: a file that is digitally signed by a certificate authority (CA). The certificate contains the cryptographic keys necessary to securely communicate with that particular website. There are a number of flaws in the CA system, but when it comes to encrypting the Web, two in particular stand out: cost and difficulty. Most CAs today charge for certificates. While some are very cheap, every dollar of expense means a large swath of people who can't afford to host a secure website. The larger barrier, though, is difficulty. Once someone has purchased a certificate, they need to install it on their website, a time-consuming and error-prone process that requires significant technical skill, which is a cost in itself. Let's Encrypt is not only free but also automated, in order to make HTTPS encryption more accessible than ever.
We've still got a lot to do. This launch is a Public Beta to indicate that, as much as today's release makes setting up HTTPS easier, we still want to make a lot more improvements towards our ideal of fully automated server setup and renewal. Our roadmap includes many features: options for complete automation of certificate renewal, support for automatic configuration of more kinds of servers (such as Nginx, Postfix, Exim, or Dovecot), and tools to help guide users through the configuration of important Web security features such as HSTS, upgrade-insecure-requests, and OCSP Stapling. And of course, if you have some Python coding knowledge, you can come and help us reach those objectives.
A fully encrypted Web is within reach. Let's Encrypt is going to help us get there.