The effort to secure Web traffic from censorship and surveillance has taken another step forward. Let's Encrypt, an initiative to make TLS/SSL certificates freely available to website operators, said on Monday that it has received cross-signatures from IdenTrust. This means its certificates are now trusted by all major Web browsers, and website operators can employ its certificates to ensure that communication between their servers and client software is encrypted.
Let's Encrypt is a certificate authority formed last year by the Electronic Frontier Foundation in conjunction with Akamai, Cisco, Mozilla, IdenTrust, and researchers from the University of Michigan. Operated by the nonprofit Internet Security Research Group, its aim is to hasten the transition away from the Web's unprotected HTTP protocol to encrypted HTTPS.
HTTPS doesn't promise impenetrable security for Web users. It doesn't protect against fake TLS/SSL certificates or flaws in TLS client software, for example. But it is substantially more secure than HTTP, which leaves online traffic exposed.
The 2013 revelations about the scope of government surveillance, based on the documents leaked by former NSA contractor Edward Snowden, galvanized the Internet community and businesses to seek ways to protect online communication from mass surveillance, as well as from security risks such as account hijacking.
Efforts to make online communication more secure extend beyond the Web. Cloud computing companies in the US have been pushing back against government surveillance and have been expanding overseas data center operations to assure customers abroad that their information is secure. Both Apple and Google, as the makers of the two dominant mobile operating systems, have implemented device encryption as a default.
Such security poses a problem for authorities, who fail to recognize that information cannot be simultaneously accessible on demand and secure. In one recent case that illustrates this tension, the US Department of Justice is trying to compel Apple to help it access the information in a seized iPhone, a demand that the American Civil Liberties Union argues is unconstitutional. Apple does not want to be required to inform on its customers, and in some instances it claims to be technically unable to provide such assistance.
This litigation is taking place amid an unresolved national debate about whether the government can or should require that technology companies provide a "backdoor" to expose encrypted data, even as serious breaches of government systems and ongoing allegations of government-sponsored hacking underscore the need for stronger security.
According to the EFF, the process of acquiring a TLS/SSL certificate has been hampered by bureaucracy, complexity, and cost. Let's Encrypt aims to take the process of enabling website encryption from one to three hours down to about 20 to 30 seconds -- and it plans to do so at no charge. While certificates can be obtained for little or nothing from a few service providers, some Web hosting companies charge $100 per year or more.
Beyond security, implementing HTTPS may help a website rank better in Google Search.
Let's Encrypt expects to begin issuing free TLS/SSL certificates in November.