A new organisation that wants all traffic between websites and browsers to be encrypted will soon give away server certificates and software required by website owners to make their sites secure.
A new certificate authority, dubbed Let's Encrypt, is launching to solve the problem of the Transport Layer Security (TLS) cryptoprotocol — the successor to SSL or Secure Sockets Layer — not being deployed on all web servers, or at least not widely enough for people who care about privacy on the web.
According to SSL Pulse survey figures, of 150,000 of the world's most popular websites, 23.9 percent are currently 'secure' — in the sense that they support one of several versions of SSL/TLS protocols.
The key challenge is server SSL/TLS certificates, according to Josh Aas, executive director of the Internet Security Research Group, the body heading up the Let's Encrypt initiative with the backing of the Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan.
"For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It's tricky to install correctly. It's a pain to update," he said on Tuesday.
Let's Encrypt will launch in the second quarter of 2015, offering to validate SSL/TLS certificates for free for anyone who owns a domain and offering software that automates the process of setting up a secure website.
Developers behind the project are building certificate management software that website owners will need to install on their web server. According to Let's Encrypt, the software will:
- Automatically prove to the Let's Encrypt certificate authority that you control the website.
- Obtain a browser-trusted certificate and set it up on your web server.
- Keep track of when your certificate is going to expire, and automatically renew it.
- Handle the certificate revocation process if that becomes necessary.
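As an added illustration (not code from Let's Encrypt, and not an implementation of the ACME specification), here is a toy model of two of the jobs listed above: proving to a CA that you control a website by answering a challenge token, and tracking a certificate's expiry so renewal is triggered inside a safe window. The `ToyCA` and `ToyWebServer` classes, the `/.well-known/toy-challenge/` path, the account-key thumbprint, and the 30-day renewal policy are all assumptions made for this example; the `ssl.cert_time_to_seconds` helper and the `notAfter` date format it parses are real parts of Python's standard library.

```python
"""Toy model of two jobs the article lists for the certificate-management
software: proving control of a website to the CA, and tracking expiry so
renewal happens on time.  Added illustration only; it is not Let's Encrypt's
client and does not implement the real ACME messages.
"""
import hashlib
import hmac
import secrets
import ssl

# Assumed policy, not a value from the article: renew once fewer than
# RENEW_BEFORE_DAYS remain, so a failed renewal is noticed well before expiry.
RENEW_BEFORE_DAYS = 30
CHALLENGE_PREFIX = "/.well-known/toy-challenge/"  # hypothetical path


class ToyCA:
    """Hands out one random challenge per domain and checks the response."""

    def __init__(self):
        self.pending = {}  # domain -> outstanding token

    def new_challenge(self, domain):
        token = secrets.token_urlsafe(32)  # unguessable and single use
        self.pending[domain] = token
        return token

    def verify(self, domain, fetch, claimed_thumbprint):
        """fetch(domain, path) stands in for the HTTP GET a CA would make
        against the domain's real address, so only whoever actually serves
        that name can produce the answer."""
        token = self.pending.get(domain)
        if token is None:
            return False
        expected = token + "." + claimed_thumbprint
        body = fetch(domain, CHALLENGE_PREFIX + token)
        ok = body is not None and hmac.compare_digest(body, expected)
        if ok:
            del self.pending[domain]  # a used token cannot be replayed
        return ok


class ToyWebServer:
    """The site operator's web server with the management agent installed."""

    def __init__(self, domain, account_key):
        self.domain = domain
        # Ties the answer to this operator's account key, not only the token.
        self.thumbprint = hashlib.sha256(account_key).hexdigest()
        self.routes = {}

    def install_challenge(self, token):
        self.routes[CHALLENGE_PREFIX + token] = token + "." + self.thumbprint

    def get(self, path):
        return self.routes.get(path)


def make_fetch(registry):
    """registry maps domain -> the server that really answers for it
    (a stand-in for DNS resolution plus an HTTP client)."""
    def fetch(domain, path):
        server = registry.get(domain)
        return server.get(path) if server else None
    return fetch


def prove_control(ca, server, fetch):
    """Run the challenge round trip for server.domain; True if the CA accepts."""
    token = ca.new_challenge(server.domain)
    server.install_challenge(token)
    return ca.verify(server.domain, fetch, server.thumbprint)


def cert_time(text):
    """Parse the 'Jun  1 00:00:00 2015 GMT' form that ssl.getpeercert()
    reports in its notAfter field; returns seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(text)


def seconds_until_expiry(not_after, now_epoch):
    return cert_time(not_after) - now_epoch


def renewal_due(not_after, now_epoch, renew_before_days=RENEW_BEFORE_DAYS):
    """The agent's renewal check: True once the certificate is inside the
    renewal window or has already expired."""
    return seconds_until_expiry(not_after, now_epoch) < renew_before_days * 86400


if __name__ == "__main__":
    registry = {}
    fetch = make_fetch(registry)
    ca = ToyCA()
    owner = ToyWebServer("example.com", b"constructed-owner-account-key")
    registry["example.com"] = owner
    print("owner proves control:", prove_control(ca, owner, fetch))

    # Someone who does not actually serve example.com cannot pass the check.
    impostor = ToyWebServer("example.com", b"constructed-other-key")
    print("impostor proves control:", prove_control(ca, impostor, fetch))

    now = cert_time("Jun  1 00:00:00 2015 GMT")  # constructed clock
    print("renew, 10 days left:", renewal_due("Jun 11 00:00:00 2015 GMT", now))
    print("renew, 80 days left:", renewal_due("Aug 20 00:00:00 2015 GMT", now))
```

The point of the challenge round trip is that the CA never takes the requester's word for anything: it fetches the answer from wherever the domain name really resolves, so a party that cannot place content on that server fails even though it holds the token. The expiry check is deliberately dumb and cheap; it is the thing the agent runs from a timer so that a missed renewal shows up as a warning weeks out rather than as a browser error on the day the certificate lapses.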
Some of the obstacles it aims to overcome include validation emails, configuration editing, expired certificates, and of course the hassle of payment.
According to Aas, ACME, Let's Encrypt's automated issuance and renewal protocol, will be "an open standard and as much of the software as possible will be open source".
The new initiative joins several other projects aimed at boosting encryption on the web, such as the EFF's HTTPS Everywhere extension for Chrome, Firefox, Android, and Opera.
It also follows a number of large cleanup efforts after researchers discovered serious SSL/TLS bugs such as POODLE in the legacy SSL v3.0 protocol and Heartbleed.
Google's security team last month released the 'nogotofail' tool for developers as a simple way to check whether devices or applications are vulnerable to known TLS/SSL flaws and misconfigurations.
The Mozilla-backed project could also help websites avoid being penalised by Google for not having adopted HTTP over TLS (HTTPS). Today, the search company uses HTTPS as a 'lightweight' ranking signal, but it may dial up that signal in the future.