EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'

from the very-cool dept

The EFF and Mozilla, along with some others, have teamed up to announce "Let's Encrypt," a new, free certificate authority that hopes to dramatically increase encrypted internet traffic when it launches next summer. The effort is overseen by the Internet Security Research Group, the non-profit coalition of contributors behind it. Not only will the effort offer free certificates, it will also make encryption much easier to enable.
We've argued for a long time about the importance of increasing encryption online, so it's great to see this effort.

Filed Under: certificate authority, encryption, https, let's encrypt, security, ssl
Companies: cisco, eff, internet security research group, mozilla


Reader Comments



  1. Anonymous Coward, 18 Nov 2014 @ 1:07pm

    Worrying example

    Their How It Works page says:
    enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server:
    $ sudo apt-get install lets-encrypt
    $ lets-encrypt example.com
    That’s all there is to it! https://example.com is immediately live.
    If that second command is really going to work without sudo or any other authentication, that's a bit worrying. A random unprivileged user shouldn't be able to reconfigure the server.
    The general idea looks nice, and I hope it will work for email too. But Mozilla should really implement DANE support as soon as possible, to ensure this CA is only a temporary solution (for old browsers).

  2. Anonymous Coward, 18 Nov 2014 @ 1:11pm

    You don't need a certificate to encrypt a connection; the certificate is merely to prove that someone is who they say they are. So I don't see how a certificate authority makes it 'easier' to enable encryption.

    With regard to offering free certificates do they do background checks on those requesting a certificate or can anyone just get one?

  3. Anonymous Coward, 18 Nov 2014 @ 1:13pm

    Re:

    What are the requirements of getting a certificate? Do you need to show ID? Do they do background checks? Or can some spammer just get a certificate, start a website that looks like the Gmail login website, sign it with their certificate, and not have the browser balk.

  4. DannyB (profile), 18 Nov 2014 @ 1:32pm

    Browsers and Certificate Authorities

    Internet Browsers (Firefox, Chrome, Safari) and aspiring Internet Browsers (IE) have a list of certificates they trust.

    The organizations that create browsers and wannabe browsers decide for themselves which root certificates they trust. Or more importantly which Certificate Authorities (CAs) they trust.

    The requirements to get a certificate depend on the policies of the CA.

    Of course, to get included in the trusted roots of the major browsers, and browser wannabe, a CA has to jump through all of the hoops that each organization has for inclusion in its browser. It's way more complex than this, but simply, these requirements ensure that browsers only trust certificates issued by CAs that you would want to trust.

    In general, a certificate merely indicates that it really is for the domain name you typed into the address bar. For example, the certificate from Amazon.com ensures that (as long as you trust the root CA who signed it) this certificate really is from Amazon.com. The CA who signed it is certifying that the certificate wasn't just handed out willy-nilly to just anyone off the street who wanted a certificate that says "Amazon.com".

    Some CAs offer various levels of assurance of the identity of who the certificate is issued to. But at the most basic level, it is ensuring that the server that answered your SSL is one that holds the certificate.

  5. Anonymous Coward, 18 Nov 2014 @ 1:33pm

    Re: Re:

    Well, you know, you could read the fine link. It says there

    "Anyone who owns a domain can get a certificate validated for that domain at zero cost."

    and there is

    https://letsencrypt.org/howitworks/technology/

    and a repository on github

    https://github.com/letsencrypt/acme-spec

    Though I expect it may change as launch approaches.

  6. senshikaze (profile), 18 Nov 2014 @ 1:33pm

    Actually, the EFF "How does this work" link (https://letsencrypt.org/howitworks/technology/) has a good explanation of how manually validating a domain and creating a signed certificate works. Normally, just those steps are all done manually by the administrator of the website.

  7. Anonymous Coward, 18 Nov 2014 @ 1:36pm

    I wonder how long before we find out that this has gone down the tube, with the NSA and God knows which other agencies being able to spy on it?

  8. Anonymous Coward, 18 Nov 2014 @ 1:41pm

    Re: Browsers and Certificate Authorities

    I understand what it does but I think one of the functions of having a CA is partly to ensure that only entities who went through a greater degree of scrutiny in identifying themselves get certified. I think this makes it easier for anyone to get a cert and trick people into thinking they are more trustworthy than they really are.

  9. DannyB (profile), 18 Nov 2014 @ 1:46pm

    MITM attacks

    MITM = Man In The Middle (or monkey in the middle)

    Follow my chain of thinking here.

    Maybe the web needs a protocol that is like HTTP, but encrypted, without attempting to prove the identity of the other end by using certificates.

    This would let every web site use encryption without cost or jumping through any hoops.

    But you wouldn't know for sure that you are really talking to the web site that you think you are talking to. For most web surfing this is okay. But when you're talking to your Bank, or to Amazon.com for example, you really do want to be sure who the other end is that you are talking to.

    The weakness of this is that anyone, especially TLAs could easily execute a MITM attack. You think you're talking to Facebook, and your traffic really is encrypted, but you are really talking to a different server that in turn makes your requests to the real Facebook, and relays the replies from it.

    Without certificates to prove identity, mere encryption gives a pretty weak assurance of privacy, and in fact creates an illusion of strong privacy.

    But TLAs need only compromise one of the hundreds of Certificate Authorities. All they need is for some CA to give the TLA a signing certificate for, say, Google. Then they can do the MITM attack.

    Back in the day when there were only about four CAs (certificate authorities), it was easy to trust them. Or at least easier. Today with hundreds, do you really trust every CA?

    If you browse to Google, and the certificate is a genuine Google.com certificate, but it was issued by the certificate authority "Honest Achmed's Trusty Certificates of Tehran Iran", then what do you think? Do you really think Google bought its certificate from Honest Achmed's?

  10. DannyB (profile), 18 Nov 2014 @ 1:48pm

    Re: Re: Browsers and Certificate Authorities

    If you control the domain and the server on it, then you should be able to prove to them without human interaction.


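The automated proof of domain control that the reply above refers to (and that the earlier questions about ID and background checks are really asking about), as an added, simplified model written for this page; it is not Let's Encrypt's or the ACME spec's own code or wire format, and the challenge path, the injected `fetch` callback and the sample account key are constructed assumptions:

```python
"""Simplified model of automated domain-control validation (http-01 style).

Constructed illustration, not the ACME spec's wire format: the CA issues a random
token; the requester publishes a "key authorization" derived from the token and
its account-key thumbprint at a well-known path on the domain; the CA fetches
that path and compares. Only control of the server answering for the name is
proven, never the requester's real-world identity.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Dict

CHALLENGE_PATH = "/.well-known/acme-challenge/"  # path convention assumed here

def b64url(data: bytes) -> str:
    """Unpadded base64url for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def key_authorization(token: str, account_pubkey: bytes) -> str:
    """Bind the token to the account key, so someone who merely observes the
    token cannot satisfy the challenge for a different account."""
    return f"{token}.{b64url(hashlib.sha256(account_pubkey).digest())}"

def new_challenge() -> str:
    """CA side: an unpredictable per-attempt token."""
    return b64url(secrets.token_bytes(32))

def validate_domain(domain: str, token: str, account_pubkey: bytes,
                    fetch: Callable[[str, str], str]) -> bool:
    """CA side: fetch the challenge from the domain and compare.
    `fetch(domain, path)` is an injected GET (hypothetical) so the check runs
    offline; a real CA would connect to the hosts serving the domain."""
    try:
        body = fetch(domain, CHALLENGE_PATH + token).strip()
    except Exception:
        return False  # missing file, connection error: not validated
    expected = key_authorization(token, account_pubkey)
    return hmac.compare_digest(body.encode(), expected.encode())

def make_fetcher(site: Dict[str, str]) -> Callable[[str, str], str]:
    """Constructed stand-in for a web server: maps path -> response body."""
    def fetch(domain: str, path: str) -> str:
        if path not in site:
            raise FileNotFoundError(domain + path)
        return site[path]
    return fetch
```

Because the check only asks whether the requester can publish content on the web server for the name, it needs no human review, which is why it can be automated and free; it equally cannot certify that the holder is "Google, Inc.", only that they control the host answering for the domain.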
  11. Joel Coehoorn, 18 Nov 2014 @ 1:50pm

    Re:

    You DO need a certificate to encrypt a connection. While there are encryption schemes that don't use certs, if you want a web browser to use SSL, certs are where it's at.

    What you don't need is a *signed* certificate, or a certificate authority. But without a system of trust enabled by valid certificate authorities, encryption itself isn't much. As it's been said, "Encryption guarantees a conversation is private, but you could be having a private conversation with Satan". CAs enable you to have confidence that the person on the other end of the line is who they say they are... at least, that's what they're supposed to do.

  12. Joel Coehoorn, 18 Nov 2014 @ 1:52pm

    Re: Re:

    There is some validation for the identity of a certificate, but it's not very extensive.

    With the new CA, anyone will be able to get a certificate, but they'll have a hard time getting it signed as belonging to "Google, Inc."

  13. Richard, 18 Nov 2014 @ 1:54pm

    We already have a free certificate authority

    It's called CACert. (cacert.org) I've used them for years. Unfortunately, they're not trusted by any browser. I can't imagine this will be either.

  14. Anonymous Coward, 18 Nov 2014 @ 2:10pm

    Re: We already have a free certificate authority

    "they're not trusted by any browser. I can't imagine this will be either."

    Except that Mozilla has 2 board members, which probably means some level of support will be happening in Firefox.

    https://letsencrypt.org/about/

    ISRG Board of Directors

    ISRG is overseen by individuals from a variety of backgrounds. Our current board members are:

    Josh Aas (Mozilla) — ISRG Executive Director
    Stephen Ludin (Akamai)
    Dave Ward (Cisco)
    J. Alex Halderman (University of Michigan)
    Andreas Gal (Mozilla)
    Jennifer Granick (Stanford Law School)
    Alex Polvi (CoreOS)
    Peter Eckersley (EFF) — Observer

  15. Anonymous Coward, 18 Nov 2014 @ 2:11pm

    And they still use StartCom...

    I've had StartCom removed from my trusted CA list ever since the Heartbleed fiasco (where they began charging extortion fees to revoke compromised certificates), so I very often run into websites that give me certificate warnings as a result.

    eff.org is still one of those - which makes me sad

  16. Anonymous Coward, 18 Nov 2014 @ 2:14pm

    Re: We already have a free certificate authority

    Just a guess but I think Firefox will trust the certificates.

  17. tqk (profile), 18 Nov 2014 @ 2:23pm

    Re: Re: Browsers and Certificate Authorities

    As I understand it, the only thing between being a CA and wanting to be a CA is money. I don't think there's a lot of certification or verification of trust relationships going on.

  18. toyotabedzrock (profile), 18 Nov 2014 @ 2:45pm

    I like this but it will lack one thing, authentication. Authentication is halfway broken without certificate pinning as it is. But when you go to free you have lost control. Without payment you could have different people apply for the same certificate without proper checks.

  19. toyotabedzrock (profile), 18 Nov 2014 @ 2:48pm

    It also paints a bullseye for the NSA to pursue.

  20. Anonymous Coward, 18 Nov 2014 @ 3:41pm

    Re: Re: Re: Browsers and Certificate Authorities

    If that's the case then there is no reason not to just do it this way.

  21. Anonymous Coward, 18 Nov 2014 @ 4:20pm

    Re: Worrying example

    example DOT com is not secure, lol.

  22. tqk (profile), 18 Nov 2014 @ 6:54pm

    Re: Re: Worrying example

    Even worse, https://www.eff.org puked a bad certificate to me a few minutes ago. It's just done it again testing it now.

  23. Ninja (profile), 19 Nov 2014 @ 1:34am

    Re: MITM attacks

    I think we need a decentralized way of dealing with it. Maybe have a certificate be issued by one of those trusted peers but recognized by others so when your browser checks for the authenticity you have a group confirmation that it is valid. Achmed would bear little to no weight if all the main CAs regularly disagree with him. I'm not sure if it's feasible or even if it should be done this way but we should work into it.

  24. Anonymous Coward, 19 Nov 2014 @ 5:56am

    The right direction

  25. Anonymous Coward, 19 Nov 2014 @ 6:10am

    Re: MITM attacks

    Or honest obama's

  26. Anonymous Coward, 19 Nov 2014 @ 6:16am

    Excuse my ignorance, but can't one simply have a database of every domain/IP referenced when creating a new domain, and if it's already taken, they can't have it?

  27. Violated (profile), 19 Nov 2014 @ 7:46am

    This is something one of my own sites needs, when your common certificate validation services seem a bit expensive and an annual subscription seems criminal.

    I can understand the EFF's point: many site owners, when stuck between a large annual fee and going cost-free with no encryption, can choose the latter.

    Even if the EFF does charge a one-off fee, any site owners would be very happy indeed. It is only a bitch we need to wait until the summer, but I am all ears.

  28. Anonymous Coward, 20 Nov 2014 @ 11:00am

    Re: Re: Re: Re: Browsers and Certificate Authorities

  29. Lord Loh, 16 Jan 2015 @ 3:41pm

    Re:

    I agree, but if you use a self-signed cert. to encrypt, browsers give naive users a big scare by going red and showing bandit pictures.

  30. آگهی, 4 Apr 2016 @ 1:30am

    Thanks

    Guide you through the SEO can be very useful.
