After the Snowden revelations, we've seen some decent attempts at encrypting the Web, from large companies adopting Perfect Forward Secrecy (key rotation to protect previous communications in case one key is stolen) to Google encouraging HTTPS connections by rewarding websites that use HTTPS with higher rankings in its search engine.
However, these moves have barely put a dent in the vast majority of the unencrypted Web out there. One major change that started to make a more significant difference was Cloudflare's new free SSL encryption. Cloudflare is a CDN and DNS provider that now allows even its two million no-pay members to enable SSL/TLS encryption, free of cost.
This free encryption isn't without compromises, though. It's a major move in the right direction, but the traffic is only encrypted from the user's computer to Cloudflare's cache of the site. The traffic is not encrypted between Cloudflare and the site, and while that should still largely protect the users' privacy, it still leaves the sites open to some attacks.
EFF announced a new initiative today that aims to give site owners the full SSL encryption they need to protect their users from dragnet surveillance, or from simple hacks or traffic interception at local coffee shops. This initiative is called "Let's Encrypt" and will give anyone who asks for it a free SSL/TLS certificate that should be easy to install. This all begins in summer 2015 when the project launches.
Let's Encrypt aims to research and implement more modern security techniques and best practices. For example, it will use an automated certificate management protocol, called ACME and developed by the group, that includes support for stronger forms of domain validation.
EFF claimed that much of the software code will be open source and that the records for certificate issuance and revocation will be available to the public. EFF is aiming to make everything as transparent as possible.
The Let's Encrypt initiative is sponsored by EFF, Mozilla, Akamai (a major Cloudflare competitor), Cisco and others. Let's Encrypt will be overseen by the Internet Security Research Group, a public benefit corporation from California.