'Let's Encrypt' Will Try To Secure The Internet - InformationWeek

4/9/2015
09:36 AM

'Let's Encrypt' Will Try To Secure The Internet

The Linux Foundation has lined up financial support for a group producing an easier way to encrypt Web site and mobile device traffic.

An effort to make it much easier to use encryption on Web sites and servers, called Let's Encrypt, has been adopted by the Linux Foundation as a project that can potentially make the Internet a safer place for passwords, credit card information, and other forms of private communication.

Let's Encrypt will act as a free certificate authority that's easy to implement compared to the current standard, Secure Sockets Layer or OpenSSL. Let's Encrypt will allow the many users who find encryption currently beyond their reach to become everyday users of the technology. If all Internet communications between computers were encrypted, the Internet would be a much less fertile place for parties to snoop for passwords and private information.  

"All sorts of nefarious actors steal passwords out of communications over the Internet. The ISRG has an app (Let's Encrypt) that makes encryption a default operation. It's a great idea …," said Jim Zemlin, executive director of the Linux Foundation, in an interview.

Let's Encrypt is a system produced by the Internet Security Research Group, which was founded in 2014 as a public benefit corporation. Its executive director is Josh Aas, senior technology strategist at Mozilla, and it includes designers and developers from several organizations with an interest in improving Internet security. They include Akamai, Cisco, CoreOS, the Electronic Frontier Foundation, Stanford Law School, and the University of Michigan. There are currently about 40 developers contributing to the project. Aas has previously been responsible for the security of the Mozilla networking stack. Mozilla produces the Firefox browser.

The foundation will support the ISRG "with whatever they need" to convert a pilot application into a widely available Internet service, said Zemlin. The developers behind Let's Encrypt already have jobs with which they support themselves. But a full-blown Internet encryption service used by millions will require "full-time employees" who can't be expected to contribute their time and skills continuously, he noted.

The last time a major effort got off the drawing boards to secure the Internet was in 1998, when the OpenSSL project was formed under lead developer Steve Henson. It produced an open source version of Secure Sockets Layer, which imposes a private key encryption system on Web servers and sites. The little padlock that appears in the upper left-hand corner of the screen when accessing a secure Web site is a sign of OpenSSL in use.

But OpenSSL suffered a blow to its reputation with the Heartbleed bug, which exploited a buffer overread vulnerability that had been inadvertently left in the open source code for years. The bug made half a million supposedly secure servers on the Internet vulnerable to having their encryption keys and other information stolen, a security breach deemed "catastrophic" by some observers. But even more important, it's never been easy or inexpensive to implement OpenSSL.

One of the main goals of Let's Encrypt is to allow the owner of a new Web site to obtain a security certificate enabling encryption through a simple-to-understand process that takes a few minutes. "What they've done is taken a really complex process and made it really simple," Zemlin said. The process includes building a few challenge questions that only the site owner is likely to know the answers to, then issuing the certificate. The process is fully automated.

The goal, said Zemlin, is to remove cost barriers and get encryption of message traffic on the Internet "universally adopted." All major browsers on mobile devices will be able to support Let's Encrypt certificates, foundation spokesmen said.

Platinum sponsors of the Let's Encrypt project, organizations in the front rank of supporting it financially, are: Akamai, Cisco, the EFF, and Mozilla. IdenTrust is a gold sponsor, and Automattic is a silver sponsor. No contribution levels or amounts donated were included in the announcement.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
PeterF028,
User Rank: Moderator
4/22/2015 | 2:19:22 PM
Step in the right direction
As we enter into the growing Internet of Things world, we need to find increasingly more ways to secure the growing herds of data that will be floating around through seamless connections and an expanded number of access points. Encryption is understandably part of the puzzle. However, it cannot be considered the only piece. Peter Fretty, IDG blogger working on behalf of Cisco.
danielcawrey,
User Rank: Ninja
4/11/2015 | 7:30:02 PM
Re: ISRG effort gets a thumbs up
Security certificates have never been a fun proposition on the internet. I think that any way that there can be a better way for better and simple security of websites should be implemented. Let's hope that this effort does successfully get off the ground.
Charlie Babcock,
User Rank: Author
4/9/2015 | 7:53:55 PM
ISRG effort gets a thumbs up
This effort is way overdue, and the Linux Foundation is showing up with support at the right time. Not sure how the Internet Security Research Group was formed, but it's producing open source code right where it's needed.