EFF Launches Initiative To Encrypt The Web With Free HTTPS Certificates

After the Snow

den revelations, we've seen some decent attempts at encrypting the Web, from large companies adopting Perfect Forward Secrecy (key rotation to protect previous communications in case one key is stolen) to Google encouraging HTTPS connections by giving rewarding websites with HTTPS with higher rankings in its search engine.

However, these moves have barely put a dent into the vast majority of the unencrypted Web out there. One major change that started to make a more significant difference was Cloudflare's new free SSL encryption. Cloudflare is a CDN and DNS provider that now allows even its two million no-pay members to enable SSL/TLS encryption, free of cost.

This free encryption isn't without any compromises, though. It's a major move in the right direction, but the traffic is only encrypted from the user's computer to Cloudflare's cache of the site. The traffic is not encrypted between Cloudflare and the site, and while that should still largely protect the users' privacy, it still leaves the sites open to some attacks.

EFF announced a new initiative today that aims to give site owners the full SSL encryption they need to protect their users from dragnet surveillance, or from simple hacks or traffic interception at local coffee shops. This initiative is called "Let's Encrypt" and will give anyone who asks for it a free SSL/TLS certificate that should be easy to install. This all begins in summer 2015 when the project launches.

Let's Encrypt aims to research and implement more modern security techniques and best practices. For example, it will use an automated certificate management protocol, called ACME and developed by the group, that includes support for stronger forms of domain validation.

EFF claimed that much of the software code will be open source and that the records for certificate issuance and revocation will be available to the public. EFF is aiming to make everything as transparent as possible.

The Let's Encrypt initiative is sponsored by EFF, Mozilla, Akamai (a major Cloudflare competitor), Cisco and others. Let's Encrypt will be overseen by Internet Security Research Group, a public benefit corporation from California.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • WyomingKnott
    An improvement, but if you hand out certificates like candy you may be making man-in-the-middle attacks easier.
  • jasonkaler
    Adds a false sense of security. It doesn't help if you are connecting to a site who's certificate was given away for free - the communication may be private but how do you know the site itself is not fake?
    You would be able to set up phishing sites with ssl and no credit card trail to the actual owner thus no liability or traceability.