The industry-wide transition from cleartext HTTP to secured HTTPS over TLS moves another step forward this week, with the Internet Security Research Group (ISRG) announcing the launch of a new Certificate Authority (CA) service called "Let's Encrypt."
Akamai, Mozilla, Cisco, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan are working through ISRG to deliver the infrastructure in mid-2015.
In a blog post unveiling "Let's Encrypt," ISRG Executive Director
Josh Aas framed the challenge. "Though every browser in every device and
every server in every data center supports TLS, it's not as simple as flipping a switch," he said.
"The challenge is server certificates," Aas wrote. "The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is in fact the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. It costs money. It's tricky to install correctly. It's a pain to update."
"Let's Encrypt" is designed to help companies get around the problem by offering them basic server certificates for their domains through a simple one-click process, he said.
Aas said Akamai will play a crucial role in making the new authority work.
"To achieve our goal of TLS everywhere, ISRG initiatives like "Let's Encrypt" must thrive in advanced, high-performance environments," he said. "Akamai brings the operational experience and deep insight into those environments that will be crucial to long-term success."
According to ISRG, "Let's Encrypt" is free. Anyone who owns a domain can get a certificate validated for that domain at zero cost.
The entire enrollment process for certificates is automatic and occurs during the server's native installation or configuration process. Renewal occurs automatically in the background, using the same Domain Validation infrastructure. Within a year, the hope is to see free and open source operating systems replacing default "snake oil" certs with domain-validated certs from "Let's Encrypt."
It will serve as a platform for implementing modern security techniques and best practices, and all records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
And, Aas said, much like the underlying Internet protocols themselves, "Let's Encrypt" is a joint effort "to benefit the entire community, beyond the control of any one organization."