EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'

from the very-cool dept

The EFF and Mozilla, along with some others, have teamed up to announce "Let's Encrypt," a new, free certificate authority that hopes to dramatically increase encrypted internet traffic when it launches next summer. The effort is being overseen by the Internet Security Research Group, the non-profit coalition of organizations contributing to it. Not only will the effort offer free certificates, it will also make enabling encryption much easier.
We've argued for a long time about the importance of increasing encryption online, so it's great to see this effort.

Filed Under: certificate authority, encryption, https, let's encrypt, security, ssl
Companies: cisco, eff, internet security research group, mozilla

Reader Comments


    DannyB (profile), 18 Nov 2014 @ 1:46pm

    MITM attacks

    MITM = Man In The Middle (or monkey in the middle)

    Follow my chain of thinking here.

    Maybe the web needs a protocol that is like Http, but encrypted, without attempting to prove the identity of the other end by using certificates.

    This would let every web site use encryption without cost or jumping through any hoops.

    But you wouldn't know for sure that you are really talking to the web site that you think you are talking to. For most web surfing this is okay. But when you're talking to your Bank, or to Amazon.com for example, you really do want to be sure who the other end is that you are talking to.

    The weakness of this is that anyone, especially TLAs, could easily execute a MITM attack. You think you're talking to Facebook, and your traffic really is encrypted, but you are really talking to a different server that in turn makes your requests to the real Facebook, and relays the replies from it.

    Without certificates to prove identity, mere encryption gives a pretty weak assurance of privacy, and in fact creates an illusion of strong privacy.

    But TLAs need only compromise one of the hundreds of Certificate Authorities. All they need is for some CA to give the TLA a signing certificate for, say, Google. Then they can do the MITM attack.

    Back in the day when there were only about four CAs (certificate authorities), it was easy to trust them. Or at least easier. Today with hundreds, do you really trust every CA?

    If you browse to Google, and the certificate is a genuine Google.com certificate, but it was issued by the certificate authority "Honest Achmed's Trusty Certificates of Tehran Iran", then what do you think? Do you really think Google bought its certificate from Honest Achmed's?
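The trust problem the comment above describes, shown as an added example (not code from the article, the commenter, or Let's Encrypt): a simplified model of browser path validation in which a chain rooted in any trusted CA validates, next to a per-host public-key pin that rejects a certificate issued by an unrelated but trusted CA. Certificate contents, the "Example Root CA" name and the key bytes are constructed; signatures, validity dates and name constraints are deliberately omitted from the model.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # hostname for a leaf, CA name for an intermediate/root
    issuer: str    # subject of the CA that signed this certificate
    spki: bytes    # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """Pin = SHA-256 of the public-key info, not of the whole certificate."""
    return hashlib.sha256(cert.spki).hexdigest()


def validate_chain(host, chain, trust_store):
    """Simplified path validation: the leaf must name the host, each issuer
    must be the next link's subject, and the last link must be ANY trusted root."""
    if chain[0].subject != host:
        return False, "leaf does not name the host"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} not issued by {parent.subject}"
    trusted = {spki_pin(r) for r in trust_store}
    if spki_pin(chain[-1]) not in trusted:
        return False, "root is not in the trust store"
    return True, "chain validates"


def check_host(host, chain, trust_store, pins):
    """Path validation plus a per-host pin: some key in the chain must be one
    the site operator announced, so a mis-issued cert from an unrelated CA fails."""
    ok, why = validate_chain(host, chain, trust_store)
    if not ok:
        return ok, why
    expected = pins.get(host)
    if expected is None:
        return True, why + "; no pin configured"
    if any(spki_pin(c) in expected for c in chain):
        return True, why + "; pin matched"
    return False, "pin mismatch: no pinned key anywhere in the chain"


# Constructed data: two roots the client trusts equally.
ROOT_A = Cert("Example Root CA", "Example Root CA", b"root-a-key")
ROGUE = Cert("Honest Achmed's Trusty Certificates", "Honest Achmed's Trusty Certificates", b"achmed-key")
TRUST_STORE = [ROOT_A, ROGUE]
GENUINE = [Cert("www.google.com", "Example Root CA", b"google-key"), ROOT_A]
MISISSUED = [Cert("www.google.com", "Honest Achmed's Trusty Certificates", b"attacker-key"), ROGUE]
PINS = {"www.google.com": {spki_pin(ROOT_A)}}  # operator pins its real root's key

if __name__ == "__main__":
    for chain in (GENUINE, MISISSUED):
        print(validate_chain("www.google.com", chain, TRUST_STORE),
              check_host("www.google.com", chain, TRUST_STORE, PINS))
```

Both chains pass plain validation, which is exactly the "hundreds of CAs" exposure; only the pinned check rejects the second one.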
