Let’s Encrypt Partnership Promises Open, Better Web Security
There’s a good chance the software that runs your cloud, stores your data and serves your websites is open source. Soon, the SSL/TLS certificate that encrypts it can be, too — or something close to it, at least, if Let’s Encrypt, an initiative backed by Mozilla, Cisco, Akamai and others to build an open certificate authority, succeeds.
The collaboration, which is operating under the auspices of an organization called the Internet Security Research Group and, besides the groups named above, is also supported by the Electronic Frontier Foundation, IdenTrust, Inc. and the University of Michigan, went live a few days ago with the aim of building a new, free certificate authority service.
Certificate authorities (CAs), of course, provide digital certificates used in Web browsers and elsewhere that confirm the identity of an entity providing data. In other words, they provide a way to make sure that when you visit a website (or download a smartphone app, or watch a video on your tablet, or do anything else that involves pulling information from the Internet), you’re actually connecting to the server you think you are. Without certificate authorities, serving malware, stealing identities and all sorts of other nastiness becomes much easier.
Plenty of certificate authorities already exist, but Let’s Encrypt says it is setting itself apart in several ways. Most notably, its service will be free, in contrast to those of most of the existing major CAs; its records will be publicly available — allowing anyone to look up when a certificate was issued for a particular domain, and whether it is still valid; and its “automated issuance and renewal protocol will be an open standard,” with “as much of the software as possible” available in open source form.
Let’s Encrypt is not expecting to release its service, which is being developed publicly on GitHub, until Q2 2015, but the initiative is already important for several reasons. For one, it’s a move to keep Internet protocols open and equally available to everyone, which makes it seem like something that would have come out of the early 1990s rather than today, when plenty of large organizations — most famously, content providers who want to make everyone else’s websites slower by buying up delivery bandwidth — are doing everything they can to make sure they have an outsize share of Internet clout. It’s also a reminder that it’s never too late to bring an open source approach to a niche where one has traditionally not existed.
And most importantly, Let’s Encrypt promises to help spread the use of TLS encryption, which will add more security to a lot of websites. In that respect, it’s an important complement to the Linux Foundation’s recent effort to bolster OpenSSL and other key Internet networking technologies in the hopes of stemming the torrent of revelations about data breaches and security lapses at major websites that have been so prevalent lately, while also restoring faith that the open source security technologies behind them can be trusted.