Principle 4 of the Mozilla Manifesto states: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.
Unfortunately treating user security as optional is exactly what happens when sites let users connect over insecure HTTP rather than HTTP over TLS (HTTPS). What insecure means here is that your network traffic is totally unprotected and can be read and/or modified by anyone who shares a network with you, including random people sharing Starbucks or airport WiFi.
One of the biggest reasons that web sites don’t deploy TLS is the requirement to get a digital certificate — a cryptographic credential which allows a user’s browser to know it’s talking to the right site and not to an attacker. Certificates are issued by Certificate Authorities (CAs) often using a clumsy and error-prone manual process. A further disincentive to deployment is that most CAs charge a fee for their certificates, which not only prices some people out of the market but also interferes with automatic issuance and renewal.
Mozilla, along with our partners Akamai, Cisco, EFF, and Identrust decided to do something about this situation. Together, we’ve formed a new consortium, the Internet Security Research Group, which is starting Let’s Encrypt, a new certificate authority designed to bring security to everyone. Let’s Encrypt is built around a few key principles:
- Free: Certificates will be offered at no cost.
- Automatic: Certificates will be issued via a public and published API, allowing Web server software to automatically obtain new certificates at installation time and without manual intervention.
- Independent: No piece of infrastructure this important should be controlled by a single company. ISRG, the parent entity of Let’s Encrypt, is governed by a board drawn from industry, academia, and nonprofits, ensuring that it will be operated in the public interest.
- Open: Let’s Encrypt will be publishing its source code and protocols, as well as submitting the protocols for standardization so that server software as well as other CAs can take advantage of them.
Let’s Encrypt will be issuing its first real certificates in Q2 2015. In the meantime, we have published some initial protocol drafts along with a demonstration client and server at: https://github.com/letsencrypt/node-acme and https://github.com/letsencrypt/heroku-acme. These are functional today and can be used to issue test certificates.
It’s been a long road getting here and we’re not done yet, but this is an important step towards a world with TLS Everywhere.
wow! This is why i love mozilla
One can’t help but notice the irony that this blog doesn’t use TLS either … I’m just saying.
Good move, though :)
Wait until Q2 and wordpress.com will be able to use Let’s Encrypt to fix that!
OK sounds good!
Hmm… Profitable CAs are going to try to attack and shut this down with any means necessary. They are set to lose a ton of money if this gets off the ground.
It seems that most of the revenue for CAs is actually in EV certs these days which Let’s Encrypt doesn’t target, so maybe that helps CAs to come on board and see the value of this.