Let's Encrypt, a free automated open-source certificate authority (CA), has signed its first certificate – leading the Electronic Frontier Foundation (EFF) to celebrate "an important milestone in our march to encrypt all of the Web."
Announced in 2014, Let's Encrypt was set up by the organisations behind it to encourage the world's move away from a plaintext web towards one that is healthily wrapped in encryption.
The pitch for the CA claims it is "built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process."
Talking to The Register, SSL Labs' author Ivan Ristic explained his enthusiasm for the project. While certificates themselves are quite cheap these days, often costing less than a domain name, "there remain a lot of costs involved in procuring the certificates."
While Let's Encrypt is free of charge, Ristic also applauded its automated renewals. This is key for "hosting providers who will be able to reduce costs considerably."
"I'm very pleased with this. I'm a long-time proponent of a fully encrypted web and this is a big step forward," added Ristic.
Clicking on the HTTPS link above will, right now, probably throw up an SSL certificate error. Why? Because your browser doesn't yet trust the authority that ultimately issued the helloworld site's cert. The site explains: "Let's Encrypt hasn't yet been added as a trusted authority to the major browsers (that will be happening soon), so for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link."
The EFF added that "once the certificate is cross-signed by IdenTrust's root – probably in about a month – the trusted connection should work on nearly all browsers."
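The certificate error and the cross-signing fix described above can be reproduced with a throwaway PKI built from openssl. This is an added example, not code from the article, Let's Encrypt or ISRG: the root names, the "Demo Intermediate" and the host name helloworld.example are all constructed, and the "established root" merely stands in for a CA that a browser already trusts. The leaf only verifies when the chain it is served with ends at a root in the trust store, which is exactly what a cross-signed intermediate provides.

```shell
#!/bin/sh
# Added example (constructed PKI, not the article's or Let's Encrypt's code).
# Shows why a new CA's leaf fails verification until either its root is
# trusted or its intermediate is cross-signed by an already-trusted root.
set -e
WORK=$(mktemp -d)
EXT="$WORK/ca.ext"
# Extensions that mark the intermediate as a CA (needed to sign the leaf).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT"

# new_root NAME SUBJECT -> self-signed root in $WORK/NAME.pem with key $WORK/NAME.key
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

build_pki() {
  # Constructed stand-ins: the new CA's own root and an established, trusted root.
  new_root newroot "Demo New Root (constructed)"
  new_root oldroot "Demo Established Root (constructed)"

  # One intermediate key and CSR ...
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  # ... signed by the new root (the CA's own chain) ...
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/newroot.pem" -CAkey "$WORK/newroot.key" \
    -CAcreateserial -days 30 -extfile "$EXT" -out "$WORK/int.pem" >/dev/null 2>&1
  # ... and cross-signed by the established root: same key, different issuer.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/oldroot.pem" -CAkey "$WORK/oldroot.key" \
    -CAcreateserial -days 30 -extfile "$EXT" -out "$WORK/int-cross.pem" >/dev/null 2>&1

  # Leaf certificate for a constructed host name, issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=helloworld.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_chain TRUSTED_ROOT INTERMEDIATE
# Returns 0 when the leaf chains, via the given intermediate, to the given
# trusted root; 1 otherwise. -no-CApath keeps the system store out of the picture.
verify_chain() {
  openssl verify -no-CApath -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

report() {
  if verify_chain "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

build_pki
# 1. Browser trusts only the established root; site serves the CA's own chain.
report "established root + own chain" oldroot int
# 2. User imports the new root by hand (the article's "add the ISRG root yourself").
report "new root added to trust store" newroot int
# 3. Intermediate cross-signed by the established root; nothing imported.
report "established root + cross-signed chain" oldroot int-cross
```

Case 1 is the certificate error the article warns about; case 2 is the manual workaround the site suggests; case 3 is why the EFF expected cross-signing by IdenTrust's root to make the connection work without any browser changes. Note that cross-signing makes the chain verifiable, but the server still has to send the cross-signed intermediate, not the one issued by its own root.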
Mozilla, Cisco Systems, Akamai Technologies, Electronic Frontier Foundation, and IdenTrust, along with researchers at the University of Michigan, worked with the Internet Security Research Group to deliver the infrastructure for Let's Encrypt.
As stated at inception, the "automated issuance and renewal protocol" is an open standard, "and as much of the software as possible will be open source."
Asked if the automated process could include any drawbacks, Ristic suggested that actually the opposite was the case.
"Security will remain the same," he told us, noting that certificates can be stolen. "But as you can use short-term certificates, which people often avoided before due to the hassle of issuance, certification can go from covering a three-year span to being valid for only a month. So stolen certificates provide less exposure. Let's Encrypt lowers the bar significantly." ®