Last November the Electronic Frontier Foundation announced Let’s Encrypt, a new free and open certificate authority for the public. The initiative aims to make trusted certificates available to anyone at no cost.
The idea behind Let’s Encrypt is to transition as many domains as possible from HTTP to HTTPS by providing a virtually painless one-click enrollment process during the server’s native installation.
The Let’s Encrypt certificate authority is set to launch mid-2015. Last month, Automattic joined Mozilla, Cisco, EFF and several other organizations as a major sponsor of the initiative. I spoke with Barry Abrahamson, Chief Systems Wrangler at Automattic, to find out if the company has any plans beyond helping to fund the effort.
“We don’t have any concrete plans past the sponsorship at this point, but we hope to help bring SSL support to as many WordPress sites as we can,” he said.
Last year Automattic implemented SSL for all *.wordpress.com subdomains as part of the Reset the Net campaign against mass surveillance. The company’s Akismet product recently transitioned all calls to its API to use SSL in order to better secure commenter data.
While many larger WordPress sites have made the move to SSL, the average self-hosted WordPress user is likely to have a tricky time setting it up. That’s why initiatives like “Let’s Encrypt” are so important.
However, skeptics aren’t fully convinced that the new certificate authority will make the web any safer from prying government eyes. Privacy advocate Alexander Hanff wrote a post explaining why he believes that a new super certificate authority will paint a target on those who use it.
Certificate Authorities are the weakest link in the digital security chain. They have the power to issue special master keys (for want of a better phrase) which allow a third party to pretend to be someone they are not. In essence, this means if compelled by a secret court order, a certificate authority can provide special certificates to any intelligence agency or other law enforcement body, which will allow them to masquerade as someone else (your bank, Facebook, Google – anyone who uses that certificate authority for their SSL certificates).
He notes that secret court orders are almost always accompanied by a gag order, so that the certificate authority cannot reveal that it has issued special certificates to the government. If the government has unfettered access to “super master keys” for thousands of domains, expedited by a new free certificate authority aiming to “encrypt the entire web,” then certificate-based encryption is rendered worthless.
The Let’s Encrypt initiative is positioned to have a radical impact on the number of encrypted sites on the web. Bringing encryption to the masses means that more people will be better protected against attacks such as account hijacking and identity theft. However, if you use the new free certificate authority, it’s important to understand that your communications may not be secure from government surveillance. Free SSL certificates for everyone will come at a price.