Time to secure the Web? EFF says HTTPS can soon be the norm

Led by the Electronic Frontier Foundation, Let's Encrypt wants to make HTTP an oddity within a few years' time

The Electronic Frontier Foundation on Tuesday announced a certificate authority effort to clear roadblocks in transitioning the Web from the HTTP protocol to the more secure HTTPS.

The initiative, called Let's Encrypt, was assembled by EFF along with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan, said Peter Eckersley, technology projects director at EFF, in a blog post. Plans call for launching Let's Encrypt next summer, with the authority automatically issuing and managing free certificates for any website needing them.

HTTP, while successful, is inherently insecure, yet HTTPS deployment has been stifled by complexity, bureaucracy, and the cost of certificates, Eckersley explained. "Whenever you use an HTTP website, you are always vulnerable to problems, including account hacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites," he said. "The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default."

Eckersley believes that "if we do our work right, it should only take a few years for HTTP to become unusual" and for the path to a fully encrypted Internet to be cleared.

While it currently takes a Web developer one to three hours to enable encryption for the first time, Let's Encrypt is meant to reduce the setup time to 20 to 30 seconds.

"Let's Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates," Eckersley said. The ACME (Automated Certificate Management Environment) protocol, in development, includes support for newer forms of domain validation. Internet-wide data sets of certificates, such as EFF's Decentralized SSL Observatory, also will be employed, as will Google's Certificate Transparency logs. The authority is to be operated by a new nonprofit organization, called Internet Security Research Group.

