Let’s Encrypt, the free certificate authority created by Prof. J. Alex Halderman and CSE graduate student James Kasten, recently entered Public Beta, which allows anyone to request a certificate without needing an invitation.
The service was created to make converting webservers from HTTP to HTTPS easy. Before a website can use HTTPS, it needs to purchase a digital certificate for its domain name from a “certificate authority,” an identity-checking organization that users’ browsers are programmed to trust.
Behind the scenes, Let’s Encrypt employs a number of new technologies to manage secure, automated verification of domains and issuance of certificates. It uses a protocol called Automated Certificate Management Environment (ACME), which provides support for new and stronger forms of domain validation. It also draws on Internet-wide datasets of certificates, such as EFF’s Decentralized SSL Observatory and the University of Michigan’s scans.io, to make higher-security decisions about when a certificate is safe to issue.
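To make the ACME domain-validation step concrete, the following is an added example written for this page; it is not code from Let’s Encrypt or from the ACME client or server implementations. It follows the RFC 8555 challenge construction: the CA hands the client a random token, the client combines it with a thumbprint of its account key (RFC 7638) to form a key authorization, publishes that value at a well-known HTTP path (HTTP-01) or as a hashed DNS TXT record (DNS-01), and the CA checks that what it fetched matches what only the holder of that account key could have produced. The account keys, the token and the in-memory “webroot” are constructed placeholders, and the EC coordinates are not a real curve point; everything uses the Python standard library.

```python
"""ACME-style domain validation (HTTP-01 and DNS-01), client and CA sides.

Added example, not Let's Encrypt's or any ACME library's code.  The
constructions follow RFC 8555 (ACME) and RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required public members, in lexicographic order, go into
# the thumbprint.  Optional members such as "use" or "kid" are ignored, so a
# client cannot change its thumbprint by decorating the key with extra fields.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to one ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 publishes the SHA-256 of the key authorization, not the value itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def new_token() -> str:
    """CA side: a fresh unpredictable token per challenge (RFC 8555 requires >= 128 bits)."""
    return b64url(secrets.token_bytes(32))


# ---- client side -----------------------------------------------------------

def serve_http01(webroot: dict, token: str, account_jwk: dict) -> str:
    """Place the key authorization where the CA will fetch it.  `webroot` stands
    in for the document root of the web server being validated (constructed)."""
    path = f"/.well-known/acme-challenge/{token}"
    webroot[path] = key_authorization(token, account_jwk)
    return path


# ---- CA side ---------------------------------------------------------------

def validate_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """Compare the body served at the challenge URL with the expected value."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(fetched_body.strip().encode("ascii", "replace"),
                               expected.encode("ascii"))


def validate_dns01(txt_records: list, token: str, account_jwk: dict) -> bool:
    """Accept if any TXT record under _acme-challenge.<domain> carries the value."""
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(r.strip(), expected) for r in txt_records)


# Constructed account keys: the coordinates are filler bytes, not a real P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": b64url(bytes(range(64, 96))), "y": b64url(bytes(range(96, 128)))}


def demo() -> dict:
    """Run one HTTP-01 and one DNS-01 exchange end to end and report the outcome."""
    token = new_token()
    webroot = {}
    path = serve_http01(webroot, token, ACCOUNT_JWK)
    http_ok = validate_http01(webroot[path], token, ACCOUNT_JWK)
    # A different account presenting the same path must be rejected.
    http_wrong_account = validate_http01(webroot[path], token, OTHER_JWK)
    dns_ok = validate_dns01(["v=spf1 -all", dns01_txt_value(token, ACCOUNT_JWK)],
                            token, ACCOUNT_JWK)
    return {"http01_ok": http_ok, "http01_wrong_account": http_wrong_account,
            "dns01_ok": dns_ok}


if __name__ == "__main__":
    print(demo())
```

The point of binding the token to the account key thumbprint is that a passive observer who sees the token (for example in the challenge URL) still cannot complete the challenge for their own account, and a CA that validates from several network vantage points, as the article’s mention of Internet-wide data hints at, is comparing against a value it computed itself rather than trusting anything the client asserts.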
In the opening two weeks of Public Beta, Let’s Encrypt issued over 130,000 certificates, and it has issued over 300,000 certificates since making the service public in September 2015. The switch to Public Beta will hopefully accelerate their goal of moving the entire Internet from HTTP to HTTPS.
They have also decided to offer only certificates with ninety-day lifetimes, which they believe will decrease the number of keys that are compromised and will encourage automated issuance and renewal.
The researchers will continue to get feedback from customers to make Let's Encrypt as easy and reliable as possible.
Let’s Encrypt is managed through a non-profit consortium called the Internet Security Research Group (ISRG), and major sponsors include EFF, Mozilla, U-M, Google Chrome, Cisco, IdenTrust, and Facebook.
Posted: January 21, 2016