When the web was first developed, it was designed to meet the needs of academic and scientific institutions like CERN, for which Tim Berners-Lee worked when he laid the web’s foundations. There was no concept of secure communications baked into the protocols that underlay the web. Tthe web and the world have changed since the early 90s, and the need for secure encrypted connections is clear.
We have a reasonable technological solution for providing encrypted connections between clients (often browsers) and servers. SSL (more properly known as TLS) and HTTPS are conceptually sound, even if the implementation sometimes leaves a little to be desired. But although SSL works, it is a million miles away from being user friendly: even technically adept people have trouble implementing SSL on their domains, which is why many don’t bother.
The Let’s Encrypt initiative from the Electronic Freedom Frontier, Mozilla, and the University of Michigan, along with Cisco, Akami, and Indentrust, which will launch to the public in the summer of 2015, aims to make it both easy and free to implement HTTPS on domains.
For SSL to work, it requires that a site have an SSL certificate associated with it and validated by a recognized Certificate Authority. In essence, the CA digitally signs and vouches for the validity of the SSL certificate — otherwise anyone could generate a valid certificate for any domain.
Let’s Encrypt comprises two major components: a certificate authority that will issue signed certificates for free, and the ACME protocol, which makes it easy to validate, issue, install, and revoke certificates from the Let’s Encrypt certificate authority.
In fact, it’s so easy that a webmaster can be serving pages over HTTPS in a few seconds: all they need to do is download the Let’s Encrypt client and run a command. The client takes care of verifying that the agent has control of the domain (by making content available at a location of the domain decided by the CA), and the CA takes care of issuing relevant keys, signing the certificate, and issuing it. Take a look at the video below to see how quickly Let’s Encrypt can get a secure site up and running. For a more comprehensive explanation of how it works, see the Let’s Encrypt technology overview.
What does this mean for traditional certificate authorities that make their money from issuing certificates? While the bottom end of the market that sells cheap domain validated certificates is likely to have a hard time of things in the wake of Let’s Encrypt, the automated system is really only good for DV (Domain Validated) certificates, which is the lowest level of validation. These certificates are perfect for personal sites, blogs, and some small business sites, but larger organization require OV (Organization Validated) or EV (Extended Validation) certificates — the ones that make your browser’s address bar go green. These have a substantially more stringent set of validation criteria, are much more expensive than DV certs, and the process of validation is much less amenable to automation than for DV certs, where the agent only has to prove control over the domain. These higher validation levels are where the CA’s make much of their revenue, and they are not going to be impacted by Let’s Encrypt.
Let’s Encrypt is a great move towards making the web more secure for everyone.