Automattic Sponsors Let’s Encrypt Initiative

lets-encrypt

Last November the Electronic Frontier Foundation announced Let’s Encrypt, a new free and open certificate authority for the public. The initiative aims to make trusted certificates available to anyone at no cost.

The idea behind Let’s Encrypt is to transition as many domains as possible from HTTP to HTTPS by providing a virtually painless one-click enrollment process during the server’s native installation.

The Let’s Encrypt certificate authority is set to launch mid-2015. Last month, Automattic joined Mozilla, Cisco, EFF and several other organizations as a major sponsor of the initiative. I spoke with Barry Abrahamson, Chief Systems Wrangler at Automattic, to find out if the company has any plans beyond helping to fund the effort.

“We don’t have any concrete plans past the sponsorship at this point, but we hope to help bring SSL support to as many WordPress sites as we can,” he said.

Last year Automattic implemented SSL for all *.wordpress.com subdomains as part of the Reset the Net campaign against mass surveillance. The company’s Akismet product recently transitioned all calls to its API to use SSL in order to better secure commenter data.

While many larger WordPress sites have made the move to SSL, the average self-hosted WordPress user is likely to have a tricky time setting it up. That’s why initiatives like “Let’s Encrypt” are so important.

However, skeptics aren’t fully convinced that the new certificate authority will make the web any safer from prying government eyes. Privacy advocate Alexander Hanff wrote a post explaining why he believes that a new super certificate authority will paint a target on those who use it.

Certificate Authorities are the weakest link in the digital security chain. They have the power to issue special master keys (for want of better phrase) which allows a third party to pretend to be someone they are not. In essence, this means if compelled by a secret court order, a certificate authority can provide special certificates to any intelligence agency or other law enforcement body, which will allow them to masquerade as someone else (your bank, Facebook, Google – anyone who uses that certificate authority for their SSL certificates)

He notes that secret court orders are almost always accompanied by a gag order so that the certificate authority cannot reveal that they have issued special certificates to the government. If the government has unfettered access to “super master keys” for thousands of domains, expedited by a new free certificate authority aiming to “encrypt the entire web,” then certificate based encryption is rendered worthless.

The Let’s Encrypt initiative is positioned to have a radical impact on the number of encrypted sites on the web. Bringing encryption to the masses means that more people will be better protected against attacks such as account hijacking and identity theft. However, if you use the new free certificate authority, it’s important to understand that your communications may not be secure from government surveillance. Free SSL certificates for everyone will come at a price.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

18 Comments


  1. This is awesome. I’ve been a little startled by Automattic’s blase attitude to https in the past, but it seems they’ve very much turned a leaf for the better and have gone from crappy supporters of https to one of the best. Big thumbs up to Automattic :)

    Report


    1. I’m guessing you wrote that up before you tried to use a client and set it up, right?

      Report


  2. Hi Sarah
    “The Let’s Encrypt certificate authority is set to launch mid-2015.”

    Sounds interesting and I’ll keep an eye out for your post when it’s launched.

    Report


  3. This is great, but as noted at the end of the article, it has a big weakness. Distributed certificate authorities (e.g. based on p2p, namecoin etc) that eliminate a centralized pressure point are critical long term.

    Report


  4. This is stupid. Encryption was never the point of SSL, the point was always to verify that the site you got to is actully the one you wanted. Encryption was needed to avoid forgery.

    Security 101 says that you need to identify the threat before deciding how to fight it. What threat exactly is the for me when I send unencrypted packet to the wptavern server?

    If the idea is to protect against countries snooping the traffic then it is mostly a fail.
    1. The ISPs still know what urls you have accessed
    2. Probably all countries have a root CA and they can issue certificates for any site on the net and conduct a MITM attack like the iranian goverment done against gmail several years ago.

    If the point is just encryption then it will be much simpler to have the browser handle self signed centificates in a less intimidating way then they do now, and provide utilities to create your own

    Report


    1. You are confusing PKI with SSL. Encryption is the point of SSL/TLS. Verification is where PKI comes in.

      Even if nation states can bypass SSL using rogue certs it doesn’t mean that the rest of society can. SSL is essential for protection against criminals, rogue ISPs and nosy neighbours as well.

      I should like to point out that in future we won’t be relying on CAs to sign our SSL certs. DANE and DNSSEC will allow us to sign our own certs that browsers can trust.

      You are wrong about 1 as well. At best the ISP knows what domain you are connecting to. Which pages and what content you are viewing is not known to the ISP because URLs, GET and POST requests are all encrypted.

      Report


      1. “SSL is essential for protection against criminals” who are they exactly? who are the criminals that can wiretap my communication in the ISP and why would he do that when it is much easier and much bigger gain to break into the servers of target, or actually any server at all. How will encrition prevent bad server security that will enable evil guy to use a weak password or will fix exploitable plugins?

        And yeh you are right so the will not know what exactly I sold on silk road but for some reason it never prevented the NSA from collecting data about who you called on the phone and when.

        The most idiotic part is of course that everybody is being monitored by google and facebook (and twitter and reddit on the tavern) so how exactly will encryption help me to protect myself from those giants? And how hard is it for the US government to search with legal means the DB of google? Totally worth it for any government to have a “mole” in google to be able to easily get the data.

        So there is infinitesimal privacy gain for most people while making it much harder for joe sixpack to create and maintain a site by himself with no required technical knowledge. I thought that wordpress was specifically aimed at those people but maybe I was wrong.

        Report


  5. In the USA you essentially dont have privacy. All emails, phone calls, web this and that is stored. Other nations I cannot speak to in that respect. All incoming or outgoing requests that go over US Fiber and be it through universities, gov. fiber or business fiber all of it is stored. Nothing to do with Google ot AT&T on your cellphone.

    Report


  6. This article appears to have fundamental misunderstandings of how SSL and CAs work.

    The danger described, which is real, of being snooped on through false certificates issued through a CA that co-operates with the government – does not have any special significance to a new free CA that it does not have to existing non-free CAs. The governments can already do this. Unless you use certificate pinning – and very few sites do, and not all browsers support it (https://projects.dm.id.lv/Public-Key-Pins_test#Browser_compatibility_test) – then *any* CA can *already* be used (if they comply) for creation of a valid certificate; it doesn’t have to be the same CA that your site uses for a browser to accept it.

    Also, there’s no special reason why a new/free CA should be more or less likely to comply with the government than a current/non-free one. (And the article leaves unexplained why this would be).

    Hence, the conclusions are just wrong. The cost of obtaining the certificate is irrelevant. The threat in regard of a state actor who can force CAs to comply for them is not changed one way or the other. For the article’s conclusions to make sense, 3 things would have to hold: 1) You’re using certificate pinning 2) Certificate pinning was being supported by all browsers, or at least all targeted ones, so that the threat could be detected, 3) The new free CA would have to be open to state requests for compliance whilst 4) The current paid CAs aren’t.

    Report


    1. Oh, and… remember that if the state actor can get co-operation from the data-centre where your site is hosted (whether willing, or forced through legal means), in order to just swipe your existing certificate’s private key from the server – then all questions about where your certificate came from are also moot, and nothing that happens with any CA, anywhere, can make any difference to your SSL security.

      Report


    2. I think the concern here is that a massive centralized certificate authority could facilitate more automated snooping with a larger pool of domains for which the government obtains super master keys. They certainly have the power to snoop anywhere and force any certificate authority to comply, but having a huge number of domains centralized like this might make it easier for them.

      Report


      1. Hi Sarah,

        That only has relevance to a world in which certificate pinning is being widely used – which is not the case today. Without certificate pinning, where a certificate comes from neither helps nor hinders the process of forging an alternative certificate. Moreover, when a certificate authority signs a certificate request, it doesn’t have the certificate’s private key. There’s no “pool” of private keys that they have access to, that a state or other actor would gain special privileges by accessing… it’s a key part of the design of SSL that the private key is private: even the certificate authority doesn’t know it.

        David

        Report


  7. Spot on my friend.

    The Internet is different than all previous communications forms that were bi-directional and analog based. As the internet continued on its natural progression so did and have the problems. Not just those in respect to security or privacy but social aspects as well. Nations abilities for example to exercise control over content, downloads, whatall (information) citizens have access to. Cultures clashed long before the Internet ever came along. Social clash happened long before the Internet came along.

    The fact its a disconnected medium not face to face affords a whole differing level as well in respect to even as little as common courtesy.

    Left to its own, this will simply escalate and get worse.

    Regulatory measure is on the horizon its really not a matter of if but when. Justification of it will be sold to the global public in a variety of marketable ways to be sure. But in order for that to occur there must be a consolidation. In order for that consolidation to take place the industry leaders need create that technology that affords regulatory capabilities. I believe we are in the very beginnings of this.

    Report


  8. There’s no reason why a new CA should be more or less likely to comply with Government than your current provider. The cost of obtaining the certificate is irrelevant.

    Report


  9. The last paragraphs warning about using a free certificate authority (CA) are wrong. Until certificate pinning is supported and used, any CA can issue a certificate for any site, whether it already uses a free CA or not.

    Oh, BTW: Both the US and Chinese governments are already CAs, so they don’t have to go though a 3rd party CA to issue fake certificates.

    Report


  10. The lets encrypt ssl certificate doesn’t support ngix-servers.
    But I have an ngix-server :(

    Report

Comments are closed.