Website traffic security, one of the biggest concerns for a free and open Internet, has needed fixing for some time. The aging HTTP protocol, which is the default protocol in use by the majority of sites worldwide, is inherently insecure and provides no protection to sites or visitors from threats that range from surveillance through phishing and identity theft.
The good news is that HTTPS – a secure cryptographic version of HTTP – exists and when deployed correctly addresses many of these issues. But HTTPS has historically been cumbersome and costly for website operators to implement and maintain, limiting its potential impact.
In an effort to dramatically extend and improve Internet security, researchers at the University of Michigan including Prof. J. Alex Halderman and CSE graduate student James Kasten have joined with The Electronic Frontier Foundation (EFF), Mozilla, and other industry and non-profit partners to soon offer a free, automated, and easy process for converting webservers from HTTP to HTTPS that is implemented with a single command.
Before a website can use HTTPS, it needs to purchase a digital certificate for its domain name from a “certificate authority,” an identity-checking organization that users' browsers are programmed to trust. The researchers announced today that they are introducing a new certificate authority, Let’s Encrypt, that will be run for the public benefit and reduce the cost and complexity of deploying HTTPS websites.
"What makes Let's Encrypt different is that it will be free and automatic," said Prof. Halderman. "We're going to provide certificates to anyone with a domain name at zero cost."
"After executing a single command on a typical webserver, Let’s Encrypt will discover which domains belong to the server through the existing configuration and by doing reverse DNS lookups on the associated server IP addresses," said Kasten. "Let’s Encrypt authenticates the server automatically, and issues and installs a secure digital certificate, eliminating the daunting challenges typically encountered."
Behind the scenes, Let’s Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates. It will use a protocol under development by the researchers called Automated Certificate Management Environment (ACME), which provides support for new and stronger forms of domain validation. It will also employ Internet-wide datasets of certificates, such as EFF’s Decentralized SSL Observatory and the University of Michigan’s scans.io to make higher-security decisions about when a certificate is safe to issue.
This video demonstrates a Let’s Encrypt installation and further explains the technologies that make it tick:
"This project should boost everyday data protection for almost everyone who uses the Internet," said EFF Technology Projects Director Peter Eckersley. "By making it easy, fast, and free for websites to install encryption for their users, we will all be safer online."
Let’s Encrypt will be managed though a non-profit consortium called the Internet Security Research Group (ISRG) and will begin operation in summer 2015. Initiated by the U-M researchers, EFF, and Mozilla, the ISRG has been joined for launch by partners including Cisco, Akamai, and Identrust.
Prof. Halderman is a noted computer security expert whose research places an emphasis on problems that broadly impact society and public policy. His interests include software security, network security, data privacy, anonymity, electronic voting, censorship resistance, digital rights management, computer forensics, ethics, and cybercrime, as well as the interaction of technology with law, governmental regulation, and international affairs. He is the director of the Center for Computer Security and Society.
Posted: November 18, 2014