We understand that online security is a necessity, so why is only 48.5% of online traffic encrypted? Josh Aas, co-founder of Let’s Encrypt, gives us a simple answer: it’s too difficult. So what do we do about it? Aas has answers for that as well in his LinuxCon North America presentation.
Aas explains that the Achilles heel of managing Web encryption is not encryption itself but authentication, which requires trusted third parties and secure mechanisms for managing the trust chain. He says, “The encryption part is relatively easy. It’s a software stack…it comes on most operating systems by default. It just needs to be configured. Most Web servers tie into it directly and take care of things for you. Your biggest challenge is protecting your private key. The authentication part is a bit of a nightmare, and it has been for a while, so if you want to authenticate, the way this works on the web is you need to get a certificate from a certificate authority, and it’s complicated, even for really smart people like my friend Colin here at Cisco.”
Another roadblock is the expense and overhead of selecting and purchasing certificates from trusted vendors. “You need to figure out what kind of certificate you need, and of course the certificate authorities have come up with a million different marketing buzzwords for the different types of certificates. The super-secure and security plus and blah blah blah. Good luck figuring that out. You’ve got to figure out how to request a certificate…You’ve got to figure out how to install your cert, and of course that’s server specific, so you’ve got to have particular knowledge about a server and how this works, and you’ve got to remember to renew it on time. I’m sure everyone’s run into a site with an expired cert just because people forgot.”
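The forgotten-renewal problem Aas describes is one a defender can check for mechanically: read a certificate's validity window and flag anything that is expired or due soon. The Python below is an added example, not code from the talk or from the Let's Encrypt project. It uses only the standard library, walking the DER encoding of a certificate far enough to reach the `validity` field of `tbsCertificate`, and it builds a constructed, unsigned stand-in certificate (empty issuer, subject, key and signature) purely as sample input for the parser. The 30-day renewal window in `renewal_status` is an assumed threshold, not something the talk specifies.

```python
"""Read the validity window out of a DER-encoded X.509 certificate with a
minimal DER walker (standard library only) and classify it for renewal.
Added example; it is not code from the talk or from Let's Encrypt."""
import datetime as dt

UTC_TIME, GENERALIZED_TIME, SEQUENCE, CONTEXT_0 = 0x17, 0x18, 0x30, 0xA0


def utc_date(year, month, day, hour=0):
    """Timezone-aware UTC datetime, used for sample input and for 'now'."""
    return dt.datetime(year, month, day, hour, tzinfo=dt.timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """TLVs contained in a constructed value such as a SEQUENCE."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        items.append((tag, inner))
    return items


def _parse_time(tag, value):
    """RFC 5280 Time: UTCTime (YYMMDDHHMMSSZ, years 50-99 mean 19xx) or GeneralizedTime."""
    text = value.decode("ascii")
    if tag == UTC_TIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != GENERALIZED_TIME:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def validity_period(der):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = _children(cert)[0]            # tbsCertificate is the first element
    fields = _children(tbs)
    if fields[0][0] == CONTEXT_0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def renewal_status(der, now, renew_within_days=30):
    """Classify a certificate relative to 'now' (assumed 30-day renewal window)."""
    not_before, not_after = validity_period(der)
    if now < not_before:
        return "not yet valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= dt.timedelta(days=renew_within_days):
        return "renew soon"
    return "ok"


# --- constructed sample input ------------------------------------------------
def _tlv(tag, value):
    """Encode one DER TLV (short or long form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def sample_certificate(not_before, not_after):
    """Constructed, unsigned stand-in for a certificate. Only the outer layout
    and the validity field are meaningful; issuer, subject, key and signature
    are empty placeholders, so this is input for the parser, not a real cert."""
    utc = lambda d: _tlv(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _tlv(SEQUENCE, b"".join([
        _tlv(CONTEXT_0, _tlv(0x02, b"\x02")),   # [0] version: v3
        _tlv(0x02, b"\x01"),                    # serialNumber (placeholder)
        _tlv(SEQUENCE, _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))),  # sha256WithRSAEncryption OID
        _tlv(SEQUENCE, b""),                    # issuer Name (placeholder)
        _tlv(SEQUENCE, utc(not_before) + utc(not_after)),  # validity
        _tlv(SEQUENCE, b""),                    # subject Name (placeholder)
        _tlv(SEQUENCE, b""),                    # subjectPublicKeyInfo (placeholder)
    ]))
    return _tlv(SEQUENCE, tbs + _tlv(SEQUENCE, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cert = sample_certificate(utc_date(2016, 8, 1), utc_date(2016, 10, 30))
    for now in (utc_date(2016, 9, 1), utc_date(2016, 10, 15), utc_date(2016, 11, 1)):
        print(now.date(), renewal_status(cert, now))
```

The walker deliberately stops at the validity field and verifies nothing else; it is a monitoring aid for the "remember to renew it on time" step, not a substitute for chain validation, which belongs to the TLS library. On a real deployment the DER bytes would come from the served certificate (for example `ssl.PEM_cert_to_DER_cert` on a PEM file) rather than from `sample_certificate`.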
There are other technical considerations that make the current system overly difficult, but new standards will take 10 years or more to be established, so Aas came to the conclusion that he had to create his own brand-new certificate authority to encourage encryption and to improve the process of obtaining and managing certificates. Perhaps only a madman would come to this conclusion, but Aas and Eric Rescorla — a friend and colleague from Mozilla — made it happen, and now we have Let’s Encrypt.
Let’s Encrypt is built on four cornerstones:
- Automated.
- Free.
- Transparent and open.
- Global.
A certificate authority must be trusted by other CAs, bundled into all Web browsers, and meet all manner of compliance rules. Sponsorship from key industry players including Akamai, Mozilla, the Electronic Frontier Foundation, and Cisco got them off the ground. Then the Linux Foundation came on board to ease the pain of organizational issues. Let’s Encrypt has been in operation for about a year and manages more than 16 million active certificates.
Watch the complete talk (below) to learn technical details, the challenges of meeting demand, dealing with censorship, and future plans. Currently, the Let’s Encrypt project is running a fund-raising campaign, and your generosity can help make the web more secure.