The first free and automated certificate authority, Let's Encrypt, will launch to the public in September of this year. This is a huge milestone for web security and privacy. Encryption in transit (HTTPS) is vital to protect people and websites from spying and tampering. Someday soon, we hope every site on the web will use HTTPS by default.

Unfortunately, there are still obstacles preventing some sites from implementing HTTPS. Many are stymied by the need to obtain and install a certificate. For years, this was an expensive and difficult process. Today, it's possible to obtain a certificate for free, so it is merely a difficult process. Our informal tests have shown that it often takes 1-3 hours for a web administrator to install a certificate. People without web administration skills may not be able to install one at all. We think that's not acceptable. The free and open web must be accessible to anyone who wants to publish their thoughts, not just those with technical skills. As HTTPS becomes a more integral part of the web, we must democratize access to its benefits.

Let's Encrypt will do this by automating the certificate issuance and install process. The Let's Encrypt authority will provide browser-trusted certificates through a publicly documented API that anyone can implement. The official Let's Encrypt client software will be the flagship implementation of that API for certificate requestors. Anyone can run the client software on their web server to automatically install a certificate and configure their server with strong HTTPS settings. For people who don't run their own web server, we expect that many hosting providers will incorporate the Let's Encrypt API so they can offer HTTPS by default to all their customers for free.

Getting to this point has been a highly collaborative effort. Last year, Mozilla, EFF, and a group at the University of Michigan teamed up to create a new non-profit, the Internet Security Research Group (ISRG), which will run the Let's Encrypt certificate authority. Sponsors Akamai, Cisco, IdenTrust, and Automattic have ensured that ISRG has the resources it needs to operate. The Linux Foundation has provided invaluable staffing and administrative work, including hiring ISRG's first staff. And developers from the open source community have worked alongside EFF, Mozilla and UMich engineers to develop the Let's Encrypt client and server software. We'll spend the next three months thoroughly testing the software and infrastructure to ensure it is ready for a public launch.

Free and automated certificates are a critical part of EFF's long-term Encrypt the Web initiative, and we're thrilled to be so close to making them a reality.
