Secure websites have always been standard for ecommerce companies like Amazon or Shopify, and in recent years companies that handle private communications like Google and Facebook have invested millions of dollars in enabling encryption for all users. But what about everyone else?
Since it was created in 1991, the web has been a democratizing force where anyone can set up a webpage (or blog, or ecommerce store), but these pages would be insecure by default. The theory was that security was something that users wanted from banks and ecommerce and perhaps their email provider, but not from regular sites. But the reality is that everyone should be able to access information without others listening in. And critical security issues like session hijacking can only be resolved by securing sites’ servers. Over the next several years, we can transition to a world where every website is secure, and users can be confident that no one is listening in, changing or hijacking their communications.
The Let’s Encrypt project, supported by Cisco, EFF, Facebook, Mozilla and many more, is enabling this change through collaborative development and open source. It allows website owners to obtain SSL certificates through a free and simple process that takes no longer than a few minutes to complete. The result will be a safer and more secure Internet for all of us.
This week the project takes a huge step toward that future with its Public Beta. The project issued more than 25,000 certificates during the Private Beta, and now anyone can get a certificate for free. Our Security Director Emily Ratliff participated in the Private Beta and reports that “the whole Let’s Encrypt process took much less time than getting and installing an SSL certificate in the traditional manner. It is also much less error prone since it is more automated with fewer steps.”
In tech, improvements are always measured by reductions in cost and improvements in speed and efficiency. Those benefits are clear with Let’s Encrypt. But there is a much bigger benefit to anyone who uses the Internet: safety, privacy and confidence that more and more of our online communications are protected. Let’s Encrypt is truly a work of passion by an open source community dedicated to ensuring that the world’s communications platform delivers on its promise.
The public beta is a critical milestone, in that website administrators no longer need to pay for certificates or deal with the hassles of renewal and manual updates. I’m equally excited to see how Let’s Encrypt’s open source technology is integrated into major hosting sites over the coming months and years, so that security for regular people will move from an optional, expensive add-on to “of course it’s included.”
My longtime colleague and friend Marten Mickos posted on Twitter this week, “not keeping security secret is the secret to good security.” Let’s Encrypt is another example of building the world’s most critical technology infrastructure through openness and transparency.