EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'

from the very-cool dept

The EFF and Mozilla along with some others, have teamed up to announce “Let’s Encrypt” which is a new, free, certificate authority that is hoping to dramatically increase encrypted internet traffic when it launches next summer. The effort is being overseen by the Internet Security Research Group, which is the non-profit coalition of folks contributing to this effort. Not only is the effort going to offer free certificates, but also make it much easier to enable encryption.

We’ve argued for a long time about the importance of increasing encryption online, so it’s great to see this effort.

Filed Under: , , , , ,
Companies: cisco, eff, internet security research group, mozilla

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'”

Subscribe: RSS Leave a comment

Worrying example

Their How It Works page says:

enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server:
$ sudo apt-get install lets-encrypt
$ lets-encrypt example.com
That?s all there is to it! https://example.com is immediately live.

If that second command is really going to work without sudo or any other authentication, that’s a bit worrying. A random unprivileged user shouldn’t be able to reconfigure the server.
The general idea looks nice, and I hope it will work for email too. But Mozilla should really implement DANE support as soon as possible, to ensure this CA is only a temporary solution (for old browsers).


You don’t need a certificate to encrypt a connection the certificate is merely to prove that someone is who they say they are. So I don’t see how a certificate authority makes it ‘easier’ to enable encryption.

With regard to offering free certificates do they do background checks on those requesting a certificate or can anyone just get one?


Browsers and Certificate Authorities

Internet Browsers (FireFox, Chrome, Safari) and aspiring Internet Browsers (IE) have a list of certificates they trust.

The organizations that create browsers and wannabe browsers decide for themselves which root certificates they trust. Or more importantly which Certificate Authorities (CAs) they trust.

The requirements to get a certificate depend on the policies of the CA.

Of course, to get included in the trusted roots of the major browsers, and browser wannabe, a CA has to jump through all of the hoops that each organization has for inclusion in its browser. It’s way more complex than this, but simply, these requirements ensure that browsers only trust certificates issued by CA’s that you would want to trust.

In general, a certificate merely indicates that it really is for the domain name you typed into the address bar. For example, the certificate from Amazon.com ensures that (as long as you trust the root CA who signed it) this certificate really is from Amazon.com. The CA who signed it is certifying that the certificate wasn’t just handed out willy nilly to just anyone off the street who wanted a certificate that says “Amazon.com”.

Some CA’s offer various levels of assurance of the identity of who the certificate is issued to. But at the most basic level, it is ensuring that the server that answered your SSL is one that holds the certificate.


Re: Browsers and Certificate Authorities

I understand what it does but I think one of the functions of having a CA is partly to ensure that only entities who went through a greater degree of scrutiny in identifying themselves get certified. I think this makes it easier for anyone to get a cert and trick people into thinking they are more trustworthy than they really are.

Joel Coehoornsays:


You DO need a certificate to encrypt a connection. While there are encryption schemes that don’t use certs, if you want a web browser to use SSL, certs are where it’s at.

What you don’t need is a signed certificate, or a certificate authority. But without a system of trust enabled by valid certificate authorities, encryption itself isn’t much. As it’s been said, “Encryption guarantees a conversion is private, but you could be having a private conversation with Satan”. CA’s enable you to have confidence that the person on the other end of the line is who they say they are… at least, that’s what they’re supposed to do.


MITM attacks

MITM = Man In The Middle (or monkey in the middle)

Follow my chain of thinking here.

Maybe the web needs a protocol that is like Http, but encrypted, without attempting to prove the identity of the other end by using certificates.

This would let every web site use encryption without cost or jumping through any hoops.

But you wouldn’t know for sure that you are really talking to the web site that you think you are talking to. For most web surfing this is okay. But when you’re talking to your Bank, or to Amazon.com for example, you really do want to be sure who the other end is that you are talking to.

The weakness of this is that anyone, especially TLAs could easily execute a MITM attack. You think you’re talking to Facebook, and your traffic really is encrypted, but you are really talking to a different server that in turn makes your requests to the real Facebook, and relays the replies from it.

Without certificates to prove identity, mere encryption gives a pretty weak assurance of privacy, and in fact creates an illusion of strong privacy.

But TLAs need only compromise one of the hundreds of Certificate Authorities. All they need is for some CA to give the TLA a signing certificate for, say, Google. Then they can do the MITM attack.

Back in the day when there were only about four CAs (certificate authorities), it was easy to trust them. Or at least easier. Today with hundreds, do you really trust every CA?

If you browse to Google, and the certificate is a genuine Google.com certificate, but it was issued by the certificate authority “Honest Achmed’s Trusty Certificates of Tehran Iran”, then what do you think? Do you really think Google bought it’s certificate from Honest Achmed’s?


Re: MITM attacks

I think we need a decentralized way of dealing with it. Maybe have a certificate be issued by one of those trusted peers but recognized by others so when your browser checks for the authenticity you have a group confirmation that it is valid. Achmed would bear little to no weight if all the main CAs regularly disagree with him. I’m not sure if it’s feasible or even if it should be done this way but we should work into it.


Re: We already have a free certificate authority

“they’re not trusted by any browser. I can’t imagine this will be either.”

Except that Mozilla has 2 board members, which probably means some level of support will be happening in Firefox.


ISRG Board of Directors

ISRG is overseen by individuals from a variety of backgrounds. Our current board members are:

Josh Aas (Mozilla) ? ISRG Executive Director
Stephen Ludin (Akamai)
Dave Ward (Cisco)
J. Alex Halderman (University of Michigan)
Andreas Gal (Mozilla)
Jennifer Granick (Stanford Law School)
Alex Polvi (CoreOS)
Peter Eckersley (EFF) ? Observer


This is something one of my own sites need when your common certificate validation services seem a bit expensive where an annual subscription seems criminal.

I can understand the EFF’s point when many site owners when stuck between a large annual fee and to go cost free no encryption can choose the latter.

Even if the EFF do charge a one off fee then any site owners would be very happy indeed. It is only a bitch we need to wait until the summer but I am all ears.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it