Tag Archive for Let’s Encrypt

| December 7, 2015
Comments Off on Let’s Encrypt Lives

Let’s Encrypt Lives

Let's Encrypt LivesLet’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt … We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

Encryption to protect communications

Lets Encrypt logoLet’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.

The Register reports that the free cert is no freebie weakling. Lets Encrypt uses a 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs.

Let’s Encrypt to offer free SSL/TLS certs

Secure Socket Layer/Transport Layer Security certificatesLet’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.

Besides securing your information going across the Internet from spies and thieves, FierceSecurityIT says another key aspect of Let’s Encrypt is to make it easy to generate and install new digital certificates. The Let’s Encrypt CA uses an open source “automated issuance and renewal protocol” that allows for certificates to be renewed without manual intervention.

automated issuance and renewalThe automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.

rb-

Major technology companies including Google, Yahoo and Facebook have made a strong push for broader use of encryption in light of government surveillance programs and burgeoning cyber-crime.

The point of Let’s Encrypt is that anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at no cost. This will help HTTPS become the default. This is a big step forward in terms of security and privacy.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| January 6, 2015
Comments Off on UMich Helps Secure the Web with Let’s Encrypt

UMich Helps Secure the Web with Let’s Encrypt

UMich Helps Secure the Web with Let’s EncryptThe University of Michigan is teaming up with leading Internet firms to help secure the web. UMichCisco (CSCO), Akamai (AKAM), Mozilla, the Electronic Frontier Foundation, and public key certificate authority IdenTrust, have launched a new free certificate authority (CA) called Let’s Encrypt.

The Let’s Encrypt CA, which will be available in the Summer of 2015. It aims to get people to encrypt their connections to their websites according to a recent GigaOM article. Let’s Encrypt goal is to make it easier to get a proper Secure Sockets Layer/Transfer Layer Security (SSL/TLS) certificate. That way the certs can be deployed to secure a Web server and its users.

Let’s Encrypt will help secure the Internet

Let’s EncryptAccording to the article Let’s Encrypt, comes as the tech industry scrambles to encrypt the web. This is more important after the mass surveillance revelations of NSA leaker Edward Snowden. The CA will aid other efforts to secure the Internet.

Let’s Encrypt is developing the Automated Certificate Management Environment or ACME protocol. The ACME protocol. will sit between Web servers and the CA. It includes support for new, stronger forms of domain validation.

University of MichiganLet’s Encrypt will serve as its own root CA. The nonprofit CA public benefit corporation, Internet Security Research Group (ISRG) will run the root CA. Josh Aas, the executive director of ISRG, explained securing the web is just not a simple thing to use Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL). He explains that getting, paying for, and installing a certificate is too hard for many network administrators.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Electronic Frontier FoundationAccording to the statement, Let’s Encrypt’s certificates will be free. It will have an automated issuance and renewal protocol – an open standard. A step to reduce the need for input from the domain holder’s side. According to an EFF blog post, “switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.”

Records of certificate issuance and revocation will be publicly available. The organizations behind Let’s Encrypt are stressing that the system won’t be under any one organization’s control.

The EFF has been working on helping users take advantage of HTTPS for a while. The EFF worked with the Tor Project, to create the HTTPS Everywhere extension for Firefox, Firefox for Android, Chrome, and Opera browsers.

The Let’s Encrypt project will use Internet-wide datasets of certificates to make higher-security decisions about when a certificate is safe to issue. The data will include the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google‘s (GOOG) Certificate Transparency logs.

In addition to the Let’s Encrypt project, some of the paths to secure the web include:

  • The next version of the HTTP protocol will likely be encrypted by default.
  • Mozilla and Firefox are collaborating with the EFF to bring Microsoft, Google, Opera, and others to add Let’s Encrypt to their list of valid CAs.
  • Google will rank up sites that use SSL/TLS encryption.
  • The content delivery and security outfit Cloudflare is offering free SSL encryption for millions of its customers.
  • And now Let’s Encrypt aims to equip websites with free certificates – the proof they need to tell users’ browsers that their public encryption keys are genuine and the connection is properly secured.

rb-

Many websites currently use the HTTP protocol, a standard that exposes site owners to a number of threats including cyber espionage, keyword-based censorship, account hijacking, and a host of web application attacks such as SQLi and XSS. Let’s Encrypt helps reduce these risks which I think it is a good step in the right direction.

argues on Wired that Let’s Encrypt does not go far enough. We want the project to not only encrypt data but also authenticate users. IMHO that is a pipe dream. Authentication will step on the toes of Symantec, Oracle, and other hugely funded firms that will squash anybody doing the right thing that threatens their profits.

Related Posts

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,