informa
/
News

'Let's Encrypt' Will Try To Secure The Internet

The Linux Foundation has lined up financial support for a group producing an easier way to encrypt Web site and mobile device traffic.

An effort to make it much easier to use encryption on Web sites and servers, called Lets Encrypt, has been adopted by the Linux Foundation as a project that can potentially make the Internet a safer place for passwords, credit card information, and other forms of private communication.  

Let's Encrypt will act as a free certificate authority that's easy to implement compared to the current standard, Secure Sockets Layer or OpenSSL. Let's Encrypt will allow the many users who find encryption currently beyond their reach to become everyday users of the technology. If all Internet communications between computers were encrypted, the Internet would be a much less fertile place for parties to snoop for passwords and private information.  

"All sorts of nefarious actors steal passwords out of communications over the Internet. The ISRG has an app (Let's Encrypt) that makes encryption a default operation. It's a great idea …," said Jim Zemlin, executive director of the Linux Foundation, in an interview.

Let's Encrypt is a system produced by the Internet Security Research Group, which was founded in 2014 as a public benefit corporation. Its executive director is Josh Aas, senior technology strategist at Mozilla, and includes designers and developers from several organizations with an interest in improving Internet security. They include: Akamai, Cisco, CoreOS, the Electronic Frontier Foundation, Stanford Law School, and the University of Michigan.  There are currently about 40 developers contributing to the project. Aas has previously been responsible for the security of the Mozilla networking stack. Mozilla produces the Firefox browser.

[Want to see why new encryption measures are needed? See Study: Enterprises Losing Faith In Digital Certificates, Cryptographic Keys.]

The foundation will support the ISRG "with whatever they need" to convert a pilot application into a widely available Internet service, said Zemlin. The developers behind Let's Encrypt already have jobs with which they support themselves. But a full-blown Internet encryption service used by millions will require "full-time employees" who can't be expected to contribute their time and skills continuously, he noted.

The last time a major effort got off the drawing boards to secure the Internet was in 1998, when the OpenSSL project was formed under lead developer Steve Hensen. It produced an open source version of Secure Sockets Layer, which imposes a private key encryption system on Web servers and sites. The little padlock that appears in the upper left-hand corner of screen when accessing a secure Web site is a sign of OpenSSL in use.

But OpenSSL suffered a blow to its reputation with the Heartbleed bug, which exploited a buffer overread vulnerability that had been inadvertently left in the open source code for years. The bug made half a million supposedly secure servers on the Internet vulnerable to having their encryption keys and other information stolen, a security breach deemed "catastrophic" by some observers. But even more important, it's never been easy or inexpensive to implement OpenSSL.

One of the main goals of Let's Encrypt is to allow the owner of a new Web site to obtain a security certificate enabling encryption through a simple-to-understand process that takes a few minutes. "What they've done is taken a really complex process and made it really simple," Zemlin said. The process includes building a few challenge questions that only the site owner is likely to know the answers to, then issuing the certificate. The process is fully automated.

The goal, said Zemlin, is to remove cost barriers and get encryption of message traffic on the Internet "universally adopted." All major browsers on mobile devices will be able to support Let's Encrypt certificates, foundation spokesmen said.

Platinum sponsors of the Let's Encrypt project, organizations in the front rank of supporting it financially, are: Akamai, Cisco, the EFF, and Mozilla. IdenTrust is a gold sponsor, and Automattic is a silver sponsor. No contribution levels or amounts donated were included in the announcement.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.