Some days it seems like the Internet is about as secure as an over-filled diaper. There's always crap leaking from seamy businesses, such as Ashley Madison; the Federal government, OPM and IRS; and even security companies like LastPass. One of the weakest security links is the connection between you and unsecured web sites. Now almost a year since it was proposed, Let's Encrypt is almost ready to enable any Internet site to protect its visitors with free Transport Layer Security (TLS) certificates.
Let's Encrypt is scheduled to release its first security certificates on September 7, 2015. The service will become generally available on November 16.
Josh Aas, the Internet Security Research Group's (ISRG) Executive Director, says:
"In the ten weeks between these two dates we'll gradually issue more and more certificates. We'll start by issuing a small number of certs to white-listed domains and expand our issuance as we gain confidence in our systems (stay tuned for instructions on getting your domains added to our early-access white-list). When it's time for general availability we will open up our systems to all requests."
Let's Encrypt's intention is to create a security certification authority that anyone can use for free.
Specifically, Let's Encrypt will create a certificate authority which is:
- Free, as in beer, meaning no charge for certificates.
- Automatic, meaning that the installation, configuration and renewal require no administrator actions.
- Secure, meaning they are committed to being a model of best practice in their own operations.
- Transparent, in that records of all certificate issuance or revocation will be publicly available.
- Open, meaning that the automatic issuance and renewal operations will be published as an open standard.
- Cooperative, meaning that it's controlled by a multi-stakeholder organization and exists to benefit the community, not any of the consortium members.
To make those first two parts happen, Let's Encrypt relies on the Automated Certificate Management Environment (ACME), a protocol for automating the management of domain-validation certificates. It uses a simple JSON-over-HTTPS interface. Without it, it would be too expensive to offer a free and automatic security certification service.
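How automated domain validation can work in practice, as an added example that is not from this article or from Let's Encrypt's own code: it follows the http-01 challenge of ACME as standardized in RFC 8555, where the applicant serves a value binding a CA-chosen token to its account key (RFC 7638 thumbprint) and the CA fetches and compares it. The function names, the sample key and the token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Members RFC 7638 requires in the thumbprint input, per key type.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    try:
        members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    except KeyError as exc:
        raise ValueError(f"unsupported or incomplete JWK: {exc}") from None
    # Required members only, sorted, no whitespace: optional fields such as
    # "kid" or "alg" must not change the result.
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the applicant serves at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(served_body: bytes, token: str, jwk: dict) -> bool:
    """CA-side check: the fetched body must match this account's key."""
    expected = key_authorization(token, jwk).encode("ascii")
    # Trailing whitespace is tolerated; the comparison is constant-time.
    return hmac.compare_digest(served_body.rstrip(), expected)


# Constructed sample values, not a real account key or a CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32),
              "y": b64url(b"\x02" * 32), "kid": "constructed-example"}
SAMPLE_TOKEN = b64url(b"\x03" * 32)

if __name__ == "__main__":
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve at /.well-known/acme-challenge/" + SAMPLE_TOKEN)
    print(body, validate_http01(body.encode() + b"\n", SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the served value depends on the account key, copying another applicant's challenge file does not pass validation for a different account.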
The purpose of this community, Aas explained, is to help users use Let's Encrypt. Since ISRG is a "small organization hoping to help a large portion of the Web move to HTTPS, many people are going to have questions during the transition, and we need to be able to provide answers. Hiring an army of support staff is out of the question for us." So, ISRG is hoping that a strong community of fellow users can "join us in taking care of each other."
Will Let's Encrypt make using the Internet perfectly safe? No. But once it's finally implemented, it will go a long way to making it safer than it is today.