‘Let’s Encrypt’ Enables Secure Communications on the Web

By Cynthia Leonard

HPE Security – Data Security was all smiles a few weeks ago when we saw this headline: Let’s Encrypt reaches one million certificate encryption milestone.  Let’s Encrypt is a free, automated, and open certificate authority (CA) brought to you by the Internet Security Research Group (ISRG).The Let’s Encrypt project offers free, trusted Web certificates to increase the rates of encryption in domain communication and traffic. Our HPE Distinguished Technologist, Terence Spies, is such a big believer in the non-profit’s mission to enable the protection of Internet connections that he spearheaded an effort for HPE Security to become a Silver Sponsor.

What does Let’s Encrypt Do?

HTTPS is HTTP over a connection secured by Transport Layer Security (TLS), a protocol that ensures privacy between communicating applications and their users on the Internet. It’s how websites encrypt communications. According to Let’s Encrypt, as of December 2015, only 40% of Firefox page loads are HTTPS and 64% of Firefox HTTP transactions are HTTPS. Let’s Encrypt believes it should be 100% to keep sensitive data secure.

The objective of Let’s Encrypt is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server. Let’s Encrypt uses the IETF ACME protocol, along with carefully designed and audited practices, to make this whole process secure. Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

Key Principles

The key principles behind Let’s Encrypt are that software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. And that it be free. Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. Let’s Encrypt also keeps it transparent and open. All certificates issued or revoked are be publicly recorded and available for anyone to inspect and the automatic issuance and renewal protocol will be published as an open standard that others can adopt. Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Josh Aas, Co-Founder of Let’s Encrypt

I recently spoke to Josh Aas, Co-Founder, and Executive Director of Let’s Encrypt and asked him why he started this service. He said that those involved in Let’s Encrypt came to the conclusion that the Web needed a free and incredibly easy to use CA in order to move to HTTPS everywhere. “Turning on HTTPS needs to be so simple it just happens automatically,” he said. “Getting a certificate has been the big pain point in the past, stopping people from enabling HTTPS.”

Josh stated that the goal of Let’s Encrypt is to make secure HTTPS the default on the Web. When asked why he made it free, he replied, “we want to eliminate financial barriers to basic security on the Web, but even more importantly we wanted to eliminate billing interactions for the sake of ease of use.”

According to Terence Spies, “Encrypting data has evolved from a niche practice reserved for the military to an essential requirement for protecting the data people rely on every day.  Let’s Encrypt enables network encryption to be on almost by default, and is an important part of making the internet into a safer place for all of us.”

One Millionth Certificate

Back to the millionth certificate: Let’s Encrypt has issued one million free TLS certificates (now 1.7 million and counting), and is helping to secure approximately 3.8 million domains. According to the Let’s Encrypt blog, this milestone means a lot to a team that started building a CA from scratch 16 months ago with an aim to have a real impact on the security of the Web as soon as possible. Also on the blog, Let’s Encrypt just announced that it had moved out of Beta. They are well on their way of their goal to encrypt 100% of the Web.