EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'
from the very-cool dept
The EFF and Mozilla along with some others, have teamed up to announce "Let's Encrypt" which is a new, free, certificate authority that is hoping to dramatically increase encrypted internet traffic when it launches next summer. The effort is being overseen by the Internet Security Research Group, which is the non-profit coalition of folks contributing to this effort. Not only is the effort going to offer free certificates, but also make it much easier to enable encryption.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: certificate authority, encryption, https, let's encrypt, security, ssl
Companies: cisco, eff, internet security research group, mozilla
Reader Comments
Subscribe: RSS
View by: Time | Thread
Worrying example
The general idea looks nice, and I hope it will work for email too. But Mozilla should really implement DANE support as soon as possible, to ensure this CA is only a temporary solution (for old browsers).
[ link to this | view in chronology ]
Re: Worrying example
[ link to this | view in chronology ]
Re: Re: Worrying example
[ link to this | view in chronology ]
With regard to offering free certificates do they do background checks on those requesting a certificate or can anyone just get one?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
"nyone who owns a domain can get a certificate validated for that domain at zero cost."
and there is
https://letsencrypt.org/howitworks/technology/
and a repository on github
https://github.com/letsencrypt/acme-spec
Though I expect it may change as launch approaches.
[ link to this | view in chronology ]
Re: Re:
With the new CA, anyone will be able to get a certificate, but they'll have a hard time getting it signed with as belonging to "Google, Inc."
[ link to this | view in chronology ]
Browsers and Certificate Authorities
The organizations that create browsers and wannabe browsers decide for themselves which root certificates they trust. Or more importantly which Certificate Authorities (CAs) they trust.
The requirements to get a certificate depend on the policies of the CA.
Of course, to get included in the trusted roots of the major browsers, and browser wannabe, a CA has to jump through all of the hoops that each organization has for inclusion in its browser. It's way more complex than this, but simply, these requirements ensure that browsers only trust certificates issued by CA's that you would want to trust.
In general, a certificate merely indicates that it really is for the domain name you typed into the address bar. For example, the certificate from Amazon.com ensures that (as long as you trust the root CA who signed it) this certificate really is from Amazon.com. The CA who signed it is certifying that the certificate wasn't just handed out willy nilly to just anyone off the street who wanted a certificate that says "Amazon.com".
Some CA's offer various levels of assurance of the identity of who the certificate is issued to. But at the most basic level, it is ensuring that the server that answered your SSL is one that holds the certificate.
[ link to this | view in chronology ]
Re: Browsers and Certificate Authorities
[ link to this | view in chronology ]
Re: Re: Browsers and Certificate Authorities
[ link to this | view in chronology ]
Re: Re: Browsers and Certificate Authorities
[ link to this | view in chronology ]
Re: Re: Re: Browsers and Certificate Authorities
[ link to this | view in chronology ]
Re: Re: Re: Re: Browsers and Certificate Authorities
[ link to this | view in chronology ]
Re:
What you don't need is a *signed* certificate, or a certificate authority. But without a system of trust enabled by valid certificate authorities, encryption itself isn't much. As it's been said, "Encryption guarantees a conversion is private, but you could be having a private conversation with Satan". CA's enable you to have confidence that the person on the other end of the line is who they say they are... at least, that's what they're supposed to do.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
MITM attacks
Follow my chain of thinking here.
Maybe the web needs a protocol that is like Http, but encrypted, without attempting to prove the identity of the other end by using certificates.
This would let every web site use encryption without cost or jumping through any hoops.
But you wouldn't know for sure that you are really talking to the web site that you think you are talking to. For most web surfing this is okay. But when you're talking to your Bank, or to Amazon.com for example, you really do want to be sure who the other end is that you are talking to.
The weakness of this is that anyone, especially TLAs could easily execute a MITM attack. You think you're talking to Facebook, and your traffic really is encrypted, but you are really talking to a different server that in turn makes your requests to the real Facebook, and relays the replies from it.
Without certificates to prove identity, mere encryption gives a pretty weak assurance of privacy, and in fact creates an illusion of strong privacy.
But TLAs need only compromise one of the hundreds of Certificate Authorities. All they need is for some CA to give the TLA a signing certificate for, say, Google. Then they can do the MITM attack.
Back in the day when there were only about four CAs (certificate authorities), it was easy to trust them. Or at least easier. Today with hundreds, do you really trust every CA?
If you browse to Google, and the certificate is a genuine Google.com certificate, but it was issued by the certificate authority "Honest Achmed's Trusty Certificates of Tehran Iran", then what do you think? Do you really think Google bought it's certificate from Honest Achmed's?
[ link to this | view in chronology ]
Re: MITM attacks
[ link to this | view in chronology ]
Re: MITM attacks
[ link to this | view in chronology ]
We already have a free certificate authority
[ link to this | view in chronology ]
Re: We already have a free certificate authority
Except that Mozilla has 2 board members, which probably means some level of support will be happening in Firefox.
https://letsencrypt.org/about/
ISRG Board of Directors
ISRG is overseen by individuals from a variety of backgrounds. Our current board members are:
Josh Aas (Mozilla) — ISRG Executive Director
Stephen Ludin (Akamai)
Dave Ward (Cisco)
J. Alex Halderman (University of Michigan)
Andreas Gal (Mozilla)
Jennifer Granick (Stanford Law School)
Alex Polvi (CoreOS)
Peter Eckersley (EFF) — Observer
[ link to this | view in chronology ]
Re: We already have a free certificate authority
[ link to this | view in chronology ]
And they still use StartCom...
eff.org is still one of those - which makes me sad
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I can understand the EFF's point when many site owners when stuck between a large annual fee and to go cost free no encryption can choose the latter.
Even if the EFF do charge a one off fee then any site owners would be very happy indeed. It is only a bitch we need to wait until the summer but I am all ears.
[ link to this | view in chronology ]
Thanks
[ link to this | view in chronology ]