'Let's Encrypt' Will Try To Secure The Internet - InformationWeek


'Let's Encrypt' Will Try To Secure The Internet

The Linux Foundation has lined up financial support for a group producing an easier way to encrypt Web site and mobile device traffic.

An effort to make it much easier to use encryption on Web sites and servers, called Let's Encrypt, has been adopted by the Linux Foundation as a project that can potentially make the Internet a safer place for passwords, credit card information, and other forms of private communication.

Let's Encrypt will act as a free certificate authority that's easy to implement compared to the current standard, Secure Sockets Layer or OpenSSL. Let's Encrypt will allow the many users who find encryption currently beyond their reach to become everyday users of the technology. If all Internet communications between computers were encrypted, the Internet would be a much less fertile place for parties to snoop for passwords and private information.  

"All sorts of nefarious actors steal passwords out of communications over the Internet. The ISRG has an app (Let's Encrypt) that makes encryption a default operation. It's a great idea …," said Jim Zemlin, executive director of the Linux Foundation, in an interview.

Let's Encrypt is a system produced by the Internet Security Research Group, which was founded in 2014 as a public benefit corporation. Its executive director is Josh Aas, senior technology strategist at Mozilla, and it includes designers and developers from several organizations with an interest in improving Internet security. They include: Akamai, Cisco, CoreOS, the Electronic Frontier Foundation, Stanford Law School, and the University of Michigan. There are currently about 40 developers contributing to the project. Aas has previously been responsible for the security of the Mozilla networking stack. Mozilla produces the Firefox browser.

The foundation will support the ISRG "with whatever they need" to convert a pilot application into a widely available Internet service, said Zemlin. The developers behind Let's Encrypt already have jobs with which they support themselves. But a full-blown Internet encryption service used by millions will require "full-time employees" who can't be expected to contribute their time and skills continuously, he noted.

The last time a major effort got off the drawing boards to secure the Internet was in 1998, when the OpenSSL project was formed under lead developer Steve Henson. It produced an open source version of Secure Sockets Layer, which imposes a private key encryption system on Web servers and sites. The little padlock that appears in the upper left-hand corner of the screen when accessing a secure Web site is a sign of OpenSSL in use.

But OpenSSL suffered a blow to its reputation with the Heartbleed bug, which exploited a buffer overread vulnerability that had been inadvertently left in the open source code for years. The bug made half a million supposedly secure servers on the Internet vulnerable to having their encryption keys and other information stolen, a security breach deemed "catastrophic" by some observers. But even more important, it's never been easy or inexpensive to implement OpenSSL.

One of the main goals of Let's Encrypt is to allow the owner of a new Web site to obtain a security certificate enabling encryption through a simple-to-understand process that takes a few minutes. "What they've done is taken a really complex process and made it really simple," Zemlin said. The process includes building a few challenge questions that only the site owner is likely to know the answers to, then issuing the certificate. The process is fully automated.

The goal, said Zemlin, is to remove cost barriers and get encryption of message traffic on the Internet "universally adopted." All major browsers on mobile devices will be able to support Let's Encrypt certificates, foundation spokesmen said.

Platinum sponsors of the Let's Encrypt project, organizations in the front rank of supporting it financially, are: Akamai, Cisco, the EFF, and Mozilla. IdenTrust is a gold sponsor, and Automattic is a silver sponsor. No contribution levels or amounts donated were included in the announcement.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

User Rank: Moderator
4/22/2015 | 2:19:22 PM
Step in the right direction
As we enter into the growing Internet of Things world, we need to find increasingly more ways to secure the growing herds of data that will be floating around through seamless connections and an expanded number of access points. Encryption is understandably part of the puzzle. However, it cannot be considered the only piece. Peter Fretty, IDG blogger working on behalf of Cisco.
User Rank: Ninja
4/11/2015 | 7:30:02 PM
Re: ISRG effort gets a thumbs up
Security certificates have never been a fun proposition on the internet. I think that any way that there can be a better way for better and simple security of websites should be implemented. Let's hope that this effort does successfully get off the ground.
Charlie Babcock,
User Rank: Author
4/9/2015 | 7:53:55 PM
ISRG effort gets a thumbs up
This effort is way overdue, and the Linux Foundation is showing up with support at the right time. Not sure how the Internet Security Research Group was formed, but it's producing open source code right where it's needed.