Starting in 2015, everyone will be able to get their hands on a free, officially sanctioned SSL/TLS certificate so that HTTPS can finally be enabled everywhere. The new service — a certificate authority (CA) called Let’s Encrypt — is led by the Electronic Frontier Foundation (EFF), Mozilla, and the University of Michigan, with Cisco and Akamai joining as major launch partners. If you don’t know much about SSL, TLS, and HTTPS, trust me when I say that this is a very big deal.
When you surf the web, you may have noticed that links (URLs) usually begin with HTTP or HTTPS. I won’t go into what HTTP actually is or how it works, but it’s enough to say that the extra “S” stands for “Secure.” Basically, when you use HTTP, everything that is sent or received by your browser is in plain text. If someone (a hacker, the NSA, Verizon) wants to see what you were doing on the internet, HTTP makes it very easy for them. HTTPS adds encryption and other protections so that you can be fairly sure that only two people can see your data: you, and the web server on the other end of the link.
To enable HTTPS, the web server (whichserves pages over the internet to your browser) uses TLS/SSL, which provides fairly robust encryption. Now, it isn’t hard to enable TLS and HTTPS — the website administrator just has to generate an encryption key, which can be done for free in a few seconds. The difficult bit is getting your key signed by a certificate authority.
Without getting into the complexities, it’s basically the CA’s job to make sure that everything adds up. If Amazon is trying to enable HTTPS on one of its servers, the CA makes sure it’s actually Amazon that’s requesting the CA’s signature. In short, this prevents random people from setting up a server, signing the certificate themselves, and claiming to be Amazon. If you see a big green padlock on your browser’s address bar, it means you’re using an HTTPS connection that has been signed off by one of these certificate authorities — or, in other words, you can be fairly certain that you really are sending your credit card details to Amazon, and not some hacker in Russia.
The problem is, there are only a few certificate authorities in the world (VeriSign/Symantec and Comodo own about 70% of the TLS certificate market) — and, unfortunately, they charge for their services. In the case of wildcard certificates, you can pay upwards of $1,000 per year. Obviously, not everyone is willing to pay for the CA’s signature — and so they either go without HTTPS, or they sign their own certificates. If you’ve ever seen that scary “This Site Cannot Be Trusted” warning in either Firefox or Chrome, it’s usually because of a self-signed cert — in reality, it’s probably completely fine to use the site, but there’s a chance that there’s something iffy going on.
And finally we get to the crux of the story: Let’s Encrypt, which is scheduled to launch in summer 2015, will provide free, signed TLS certificates to anyone. The process will be completely automated: If you own a domain, you can get a free certificate for it, and enable HTTPS immediately. The signing and renewal processes will be fully automated, which is presumably why the service can be offered for free (there is corporate sponsorship from Akamai, Cisco, and IdenTrust, however).
Why hasn’t anyone tried this before? Well, they have — but a certificate authority is meaningless unless every major browser recognizes it as an authority. With Mozilla and Firefox on board, and the sizable nerdio-political heft of the EFF, presumably Microsoft, Google, Opera, and others will add Let’s Encrypt to their list of valid CAs.
To ensure that the web is truly private and secure — to prevent companies like Verizon from spying on your every move, or other nefarious actors snooping on your login details — there are millions of websites that still need to enable HTTPS. From a consumer point of view, these millions of websites should activate HTTPS immediately — in that regard, the Let’s Encrypt CA is seriously good news. From the corporate side of things, though, it’s a little more nuanced — by enabling HTTPS, these companies lose the ability to easily track the behavior of users, which can be very valuable data.
In any case, even if there is some resistance from the corporate overlords, Let’s Encrypt is certainly a very big win for the open web. Anything that dismantles the barriers to safe and secure web browsing can only really be a Good Thing.