Last week, Let’s Encrypt came out of beta. Let’s Encrypt is a collaborative effort that provides free SSL/TLS certificates for use by anyone with a valid Internet domain. It's also a trusted certificate authority, and it's currently issuing 90-day certificates free of charge. The upside is free SSL/TLS certificates. The downside is that 90-day expiration, though there are methods to renew the certificates automatically as the expiration approaches.
Further, the tools provided by Let’s Encrypt make it pretty much effortless to implement. The Let’s Encrypt Python tool available at GitHub runs on a Web server, requests a valid certificate, and even does the Apache configuration for you, all with a pretty ncurses UI. Basically, you run this on a host with a bunch of non-SSL domains, and when it’s done, they’re all secured with free valid certificates.
Automated support for other Web servers such as Nginx is in the works, but the tools also function as a CLI, meaning you can easily integrate this into any Web service manually, and run those commands on a routine basis via anacron to ensure that you get a new certificate before the existing certificate expires.
This 90-day expiration is quite short and frankly a bit of a pain, but for a first launch it is a reasonable balance. If nefarious plans are made with some of these certs, the damage will be limited to only a few months and the certificates will not be renewed. Perhaps as time wears on, trusted clients will be granted longer expiration periods. This is a bit of an experiment, after all -- and yet Let's Encrypt has already distributed more than 100,000 certificates.
The upshot is Let’s Encrypt has the power to bring security to organizations that should already be using encryption, but find the process daunting or perhaps aren’t even cognizant of the risk they’re taking without it. Some fairly major websites and mobile apps are woefully lacking in this area, and consequently exposing user information, credit card data, and other sensitive information through cleartext transmission. This is a problem that Let’s Encrypt is hoping to reduce, if not eliminate. Essentially, Let's Encrypt is removing any excuses for not encrypting Web applications and services.
Let’s Encrypt knows a thing or two about how this works. Sponsors include Cisco, Mozilla, the Electronic Frontier Foundation, and Akamai, as well as Facebook, IdenTrust, and a host of other knowledgeable Internet companies. This isn’t a rinky-dink operation.
At the same time that these Internet heavyweights are backing the push for universal encryption, we’re still hearing that various governments around the world are trying to subvert encryption standards. Kazakhstan has announced it will man-in-the-middle every secured communication in or out of the country, starting on Jan. 1. Whether or not it can actually do so may be immaterial, because the country has also stated it will monitor the Internet activities of every person within its borders and of anyone outside those borders who communicates with them. France announced it would like to ban Tor and public Wi-Fi networks, though the prime minister later said it was perhaps a bit much -- regardless, there is no mistaking the intent.
In the United States, politicians who grapple with a concept as simple as email (and some might say, reality itself) are making public statements about how encryption is dangerous and should be controlled. They're even going so far as to state that this whole Internet thing is a bad idea and needs to be "closed up."
To a dispassionate observer, this isn’t really an argument or a debate. The brains behind the companies that make the Internet work are not only against the idea of insecure encryption; they’re actively backing methods to increase the prevalence of encryption worldwide. They know exactly what’s at stake here and how undermining strong encryption would impact their own corporations, not to mention the economy of the entire world. The politician may pander to the layman with rhetoric about technologies that neither of them understands, but the real world will continue doing what needs to be done: securing communications across the Internet at every endpoint.
At some level, we might think that the use of strong encryption is a foregone conclusion, and we do not need to address the ramblings of demagogues, but we ignore this at our own peril. Though it may seem absurd to defend that which seems to need no defense, defend we must -- and encrypt we shall.