W3C home > Mailing lists > Public > public-web-security@w3.org > November 2014

Fwd: EFF, Mozilla et al. announce new free certificate authority...

From: Wendy Seltzer <wseltzer@w3.org>
Date: Tue, 18 Nov 2014 13:22:14 -0500
Message-ID: <546B8E56.1040802@w3.org>
To: "public-web-security@w3.org" <public-web-security@w3.org>
Hash: SHA1

This is exciting, lowering one of the main barriers that individuals
and small organizations cite as blocking them from enabling HTTPS on
their sites. Let's encrypt!


- --Wendy

- -------- Forwarded Message --------
Subject: [perpass] EFF, Mozilla et al. announce new free certificate
Date: Tue, 18 Nov 2014 12:50:47 -0500
From: Joseph Lorenzo Hall <joe@cdt.org>
To: perpass <perpass@ietf.org>

So cool I'll just shut my mouth and let the launch text speak for
itself... (links in the original)

- ----


# Launching in 2015: A Certificate Authority to Encrypt the Entire Web

Today EFF is pleased to announce Let?s Encrypt, a new certificate
authority (CA) initiative that we have put together with Mozilla,
Cisco, Akamai, Identrust, and researchers at the University of
Michigan that aims to clear the remaining roadblocks to transition the
Web from HTTP to HTTPS.

Although the HTTP protocol has been hugely successful, it is
inherently insecure. Whenever you use an HTTP website, you are always
vulnerable to problems, including account hijacking and identity
theft; surveillance and tracking by governments, companies, and both
in concert; injection of malicious scripts into pages; and censorship
that targets specific keywords or specific pages on sites. The HTTPS
protocol, though it is not yet flawless, is a vast improvement on all
of these fronts, and we need to move to a future where every website
is HTTPS by default.With a launch scheduled for summer 2015, the Let?s
Encrypt CA will automatically issue and manage free certificates for
any website that needs them. Switching a webserver from HTTP to HTTPS
with this CA will be as easy as issuing one command, or clicking one

The biggest obstacle to HTTPS deployment has been the complexity,
bureaucracy, and cost of the certificates that HTTPS requires. We?re
all familiar with the warnings and error messages produced by
misconfigured certificates. These warnings are a hint that HTTPS (and
other uses of TLS/SSL) is dependent on a horrifyingly complex and
often structurally dysfunctional bureaucracy for authentication.

The need to obtain, install, and manage certificates from that
bureaucracy is the largest reason that sites keep using HTTP instead
of HTTPS. In our tests, it typically takes a web developer 1-3 hours
to enable encryption for the first time. The Let?s Encrypt project is
aiming to fix that by reducing setup time to 20-30 seconds. You can
help test and hack on the developer preview of our Let's Encrypt agent
software or watch a video of it in action here:

Let?s Encrypt will employ a number of new technologies to manage
secure automated verification of domains and issuance of certificates.
We will use a protocol we?re developing called ACME between web
servers and the CA, which includes support for new and stronger forms
of domain validation. We will also employ Internet-wide datasets of
certificates, such as EFF?s own Decentralized SSL Observatory, the
University of Michigan?s scans.io, and Google's Certificate
Transparency logs, to make higher-security decisions about when a
certificate is safe to issue.

The Let?s Encrypt CA will be operated by a new non-profit organization
called the Internet Security Research Group (ISRG). EFF helped to put
together this initiative with Mozilla and the University of Michigan,
and it has been joined for launch by partners including Cisco, Akamai,
and Identrust.

The core team working on the Let's Encrypt CA and agent software
includes James Kasten, Seth Schoen, and Peter Eckersley at EFF; Josh
Aas, Richard Barnes, Kevin Dick and Eric Rescorla at Mozilla; Alex
Halderman and James Kasten and the University of Michigan.

Version: GnuPG v1

Received on Tuesday, 18 November 2014 18:22:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:22 UTC