The Electronic Frontier Foundation (EFF) has extended its initiative to secure the internet with a new certificate authority to clear the remaining roadblocks to transition the web from HTTP to HTTPS.
Its new certificate authority (CA) initiative, named Let’s Encrypt, is scheduled to be launched in 2015 and will automatically issue and manage free certificates for any website that needs them. “Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button,” it said.
“The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy and cost of the certificates that HTTPS requires. The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS,” it said.
“In our tests, it typically takes a web developer between one and three hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds.”
It said it will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates, and it is developing a protocol named ACME which will operate between web servers and the authority, which will includs support for new and stronger forms of domain validation.
“We will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google’s Certificate Transparency logs to make higher-security decisions about when a certificate is safe to issue.”
Penetration tester Robin Wood told IT Security Guru, that he was concerned about the ability to spoof the certificates and making it easier for the bad guys to get good certificates.
He said that Let’s Encrypt would have to have something in there that forces the website to prove who they are, and that they have the right to have a certificate issued for that domain.
He said: “That would be a minimum to stop me asking for a certificate for google.com, but would they have something to stop me asking for g0ogle.com if I owned the domain?
“That is still a problem at the moment. This isn’t introducing any extra problems with ownership, except maybe the speed in which new certificates can be created. Think about the way a lot of malware generates a list of thousands of domains and then picks one to check for its command and control node: with this service, as well as creating the domains, they can also create a valid certificate to go with it.”
The Let’s Encrypt CA will be operated by the non-profit organisation, the Internet Security Research Group (ISRG) and the EFF thanked Mozilla, the University of Michigan, Cisco, Akamai and Identrust for their participation.