If you’ve been reading this blog for even a little while you might think I am obsessed with encryption and authentication (especially passwords). You’d probably be right, even though I am not under the illusion that either is any type of panacea. You’d probably guess that I’d be excited that the Electronic Frontier Foundation (EFF) and others are working to make websites and other web services more secure by trying to make certificates available at no cost.
While there are no-cost certificates available now, they’re more often used by developers, aren’t trusted by most browsers by default and don’t fit most sites’ needs. The “Let’s Encrypt” initiative (including the EFF, Mozilla and other big players) is designed to change that. EFF’s blog post describes the initiative. From that post, it appears that the initiative is aimed not at ecommerce sites, but rather at all those other sites that don’t have encryption.
As the post points out, setting up a site for HTTPS isn’t trivial. One has to apply for a certificate, pay money, set up the server to process TLS (or the older SSL) and so forth. It’s confusing the first time (that’s experience talking), and a pain every other time. Oh, and the certificates expire, so they have to be renewed, generally once a year.
The Let’s Encrypt initiative will hopefully change this by 1) making the application process a single click, and 2) making the certificate easier to install. I am excited by this project and I’m looking forward to its becoming fully operational.
I also hope they issue certificates that can be used to secure email servers (and I see no reason why they wouldn’t). HTTP (Web) and SMTP (email) are too important to be unencrypted these days. Of course, with today’s fast processors, maybe all Internet services would benefit from encryption…
In case you’re wondering, TLS (and the older SSL) provides both confidentiality, through encryption, and authentication. The latter is provided by the issuer (called a Certificate Authority or CA). Part of Let’s Encrypt will be to work to ensure that certificates are only issued to the actual owner of a domain – I shouldn’t be able to get one for learningtree.com!
Of course, we talk about these issues, how TLS works and so forth in Learning Tree Course 468, System and Network Security Introduction, and I hope to see you in an upcoming class, or maybe you’ll be online using AnyWare. Either way, it’s a good course.
To your safe computing,