Let's Encrypt Now In Public Beta
Written by Nikos Vaggalis   
Thursday, 03 December 2015

Let's Encrypt is entering Public Beta today and signing up is free. The project is a a joined initiative by the non-profit entity Internet Security Research Group (ISRG) and the Linux Foundation, that aims to make the web a safer place by helping people set up encryption on their websites easily and without the usual hassle.

 

This help is twofold; it is primarily the distribution of free SSL certificates, and secondarily the use of a simple client utility that makes enabling HTTPS on a Web site as simple as typing:

letsencrypt run

The certificates are issued by the ISRG, in its capacity as an open certificate authority, and eliminate the tedious and error prone process of creating and issuing self signed certificates. 

You need also to be aware that upon entering a site that uses self signed certificates, the browser will warn that since the certificate has not been issued by a root authority, the user must add an exception for accepting it.

If you're curious to see what you'll be 'missing' by letting the letsencrypt Python-based utility automatically configure your Apache and Nginx installations, check those long winded instructions on the process one has to go through for setting up a self signed certificate

Then of course there's the cost of acquiring, keeping and renewing an official certificate, in both bureaucratic and expense terms. 
As far as expense is concerned Let's Encrypt certificates are issued free of charge, so payment, even a recurring one (you have to renew the certificate every year), is a non-issue .

As for the second aspect, bureaucracy, to obtain a certificate from a root authority you have to undergo a strict identification process.
It goes without saying that this can't happen when there is a free cert for everyone. This therefore makes the risk of issuing a valid certificate to malware and phishing sites very real.

The problem is that a valid HTTPS certificate makes those sites look legit, therefore misleading the user into trusting them. So while this authorization process is the subject of an ongoing committee debate, a  first line of defense has been established in that the sites applying for a certificate have to be checked against the Google Safe Browsing API. Hence sites flagged as dubious by Google won't be getting one.

Another issue is what terms of service new subscribers will have to accept when signing up commences today. In advance the closest model we have, is the draft and unfinalized Subscriber Agreement circulating since June 23, 2015.

Its terms, written in a simple language comprehensible by non lawyers, are pretty standard. The "Your Warranties and Responsibilities" section contains the most important terms that the user has to agree to and they seem very reasonable. 

  • You warrant to ISRG and the public-at-large that You are the legitimate registrant of the Internet domain name that is, or is going to be, the subject of Your Certificate, or that You are the duly authorized agent of such registrar

  • You warrant to ISRG and the public-at-large that either (1) You did not obtain control of such domain name as the result of a seizure of such domain name, or (2) such domain name had no ongoing lawful uses at the time of such seizure.

  • You warrant that all  information in  Your  Certificate  regarding  You  or  Your  domain name is accurate, current, reliable, complete, and not misleading.

  • You warrant that  all  information  You  have  provided  to  ISRG  is  accurate,  current, complete, reliable, complete, and not misleading.

  • You warrant that You rightfully hold the Private Key corresponding to the Public Key listed in Your Certificate.

  • You warrant that You have taken all appropriate, reasonable, and necessary steps to secure and keep your Private Key secret.

  • You warrant that You will not use Your Certificates to attack, defraud or intercept the traffic of others.

All parts of the Let's Encrypt initiative seem great, but what stands out the most is its policy on recognizing:

that encrypting is something all of us should be doing

something that is advocated by the EFF, which is also a sponsor.

It is a common view, especially nowadays, with encryption coming under heavy scrutiny. It is a view that considers encryption as a means to make everyone's life safer by securing their online
transactions, communications and digital identities as a whole, as opposed to the authorities around the globe who try to convince that encryption renders life less safe, scape-goating it for every possible evil, and push for less encryption and less secure encryption with the introduction of backdoors into popular  products. After all, it increasingly looks like the recent Paris attacks were coordinated using unsophisticated methods like un-encrypted sms.


Thus, adopting and embracing Let's Encrypt will be another way for the public to display its discontent of putting the blame on encryption and of intensifying surveillance on everyone's life.

So wait no more and grab that certificate. It is free, easy to get, plus you'll be offering your online or otherwise community a service, making it a much safer place to be in.

letsensquare 

More Information

Let's Encrypt

letsencrypt Python utility

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks

Related Articles

Coordinated Cyber Attack on Greek Banks

State of Software Security

Tactical Pentesting With Burp Suite 

Ever Increasing Need For Secure Programming

Heartbleed - The Programmer's View

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter,subscribe to the RSS feed and follow us on, Twitter, FacebookGoogle+ or Linkedin

 

Banner


OpenSSF's Siren To Warn About OSS Vulnerabilities
18/06/2024

Siren is a new mailing list by the OpenSSF which aims to monitor the threat landscape of open-source project vulnerabilities in order to provide real time alerts to anyone subscribed.



DuckDB 1.0 Released
04/06/2024

DuckDB 1.0 has been released following a successful release of the 0.10 version back in February that introduced a version of DuckDB with both forward and backward compatibility for DuckDB's storage f [ ... ]


More News

 

C book

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 03 December 2015 )