The Web Became More Secure with Let’s Encrypt

You may have seen encryption in the news lately. After the Paris and San Bernardino attacks, the debates familiar to those of us that have fought in the Crypto Wars have resurfaced. Twitter parody account StartupLJackson summed up the tenor of current events rather nicely with his recent tweet:

And it’s true; none of us know where the global discussion and Crypto War will end up, although certainly we at CDT will fight for a future made safe and trustworthy by easy-to-use strong cryptography.

Last week, the security community reached a milestone of unimaginable proportions with the launch of Let’s Encrypt, a project of the Internet Security Research Group (IRSG). Let’s Encrypt provides free, automated encryption certificates for the Web, bucking the standard model of encryption on the Web.

Traditionally, a set of “Certificate Authorities” charge folks like CDT (and me!) money so that we can offer our website visitors a safe and secure encrypted connection (note the little lock icon in the URL bar of the browser you’re using to read this blog post!). One large barrier to getting more encrypted websites up and running has been the expense associated with getting an encryption certificate for the Web (a certificate is an encryption key that your browser uses to “lock up” traffic you send, for which a certificate authority has vouched that the key belongs to a specific domain like cdt.org).

Additionally, Let’s Encrypt focuses on automating the issuance of certificates. It’s not uncommon to spend 30 minutes (in some cases hours) getting a certificate issued and then in place before you can start to send encrypted bits to your website’s visitors. Let’s Encrypt uses the emerging ACME protocol (Automated Certificate Management Environment) – being hammered out at the technical standards setting body, the IETF – in order to automate the process involved with issuing a new certificate.

So what? Why is this cool? Well, it means that instead of minute or hours, a website can go from non-existent to up-and-running in full encrypted glory in 5 seconds.

The implications are staggering: anyone can have an encrypted website up and running in no time and very cheaply (you’ll still have to pay to register a domain name!). What HTML and HTTP did for allowing regular people to start putting content on the Web, Let’s Encrypt will do for allowing people to put up encrypted pages that are safe, secure, private, and not subject to hijacking, as we’ve seen this year from China.

What HTML and HTTP did for allowing regular people to start putting content on the Web, Let’s Encrypt will do for allowing people to put up encrypted pages that are safe, secure, private, and not subject to hijacking.

We are very excited about Let’s Encrypt and give a hearty congratulations to the ISRG and all the people that have been working hard for years to make this a reality.