Let's Encrypt
Formation | 2014 |
---|---|
Founder | EFF, Mozilla, U-M |
Headquarters | San Francisco |
Services | X.509 certificate authority |
Parent organization | Internet Security Research Group |
Website | letsencrypt |
Let's Encrypt is an upcoming certificate authority to be launched in late 2015 that will provide free X.509 certificates for Transport Layer Security encryption (TLS) via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation and renewal of certificates for secure websites.[1][2]
Overview
The project aims to make encrypted connections in the World Wide Web the default case. By getting rid of payment, web server configuration, validation emails and dealing with expired certificates it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.[3] On a Linux web server, execution of only two commands is said to be sufficient in order to set up HTTPS encryption, acquire and install certificates within 20 to 30 seconds.[4][5]
To that end, the inclusion of a software package into the official Debian software repositories is being worked on.[6] Current initiatives of big browser vendors to deprecate unencrypted HTTP are counting on the availability of Let's Encrypt.[7][8] The project is acknowledged to have the potential to accomplish encrypted connections as the default case for the entire web.[9]
So-called domain validation certificates are being issued. Organization validation and Extended Validation Certificates will not be offered.[10]
Being as transparent as possible is hoped to both protect their own trustworthiness and guarding against attacks and manipulation attempts. For that purpose they regularly publish transparency reports,[11] publicly log all ACME transactions, and use open standards and free software as much as possible. [4]
The name of the certificate authority software "Boulder" is a hint at a product of the fictional Acme Corporation from the animated cartoon series around Wile E. Coyote and The Road Runner.
Involved parties
Let's Encrypt is a service provided by the Internet Security Research Group (ISRG), a public benefit organization. Major sponsors are the Electronic Frontier Foundation (EFF), the Mozilla Foundation, Akamai, and Cisco Systems. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), the Stanford Law School, the Linux Foundation[12] as well as Stephen Kent from Raytheon/BBN Technologies and Alex Polvi from CoreOS.[4]
Technology
Let's Encrypt owns a RSA root certificate that is stored on a Hardware security module and doesn't get used directly. It is meant to be replaced by an ECDSA certificate later. It will be used to sign two intermediate certificates which are cross-signed by the certificate authority IdenTrust.[13] One of these will be used to sign issued certificates, the other as backup in case of problems with the first one. Because the IdenTrust certificate is preinstalled in major web browsers, Let's Encrypt certificates can normally be validated and are accepted out of the box right from the start. [14] In the long run, it is projected to get Let's Encrypt certificates preinstalled into applications directly.
Protocol
The challenge–response protocol used to automate enrolling with this new certificate authority is called Automated Certificate Management Environment (ACME). It involves various requests to the web server on the domain that is covered by the certificate. Based on whether the resulting responses match the expectations, control of the enrollee over the domain is assured (domain validation). In order to do that, the ACME client software sets up a special TLS server on the server system that gets queried by the ACME certificate authority server with special requests using Server Name Indication (Domain Validation using Server Name Indication, DVSNI). This process is only accepted for the first certificate being issued for any given domain (trust on first use, TOFU). Afterwards, the alternative way of validation via an existing certificate is used. Therefore, if control over an existing certificate is lost, a certificate has to be acquired from a third party in order to be able to obtain another Let's Encrypt certificate.
The validation processes are run multiple times over separate network paths. Checking DNS entries is provisioned to be done from multiple geographically diverse locations to make DNS spoofing attacks harder to do.
ACME interactions are based on exchanging JSON documents over HTTPS connections.[15] A draft specification is available on GitHub,[16] and a version has been submitted to the Internet Engineering Task Force (IETF) as a proposal for an Internet standard.[17]
Software implementation
The certificate authority basically consists of a piece of software called Boulder, written in Go, that implements the server side of the ACME protocol. It is published as free software with source code under the terms of version 2 of the Mozilla Public License (MPL).[18] It provides a RESTful API that can be accessed over a TLS-encrypted channel.
An Apache-licensed[19] Python certificate management program called letsencrypt
gets installed on the client side (the web server of an enrollee). This is used to order the certificate, to conduct the domain validation process, to install the certificate, to configure the HTTPS encryption in the HTTP server, and later to regularly renew the certificate.[20][4] After installation and agreeing to the user license, executing a single command is enough to get a valid certificate installed. Additional options like OCSP stapling or HTTP Strict Transport Security (HSTS) can also be enabled.[15] Automatic setup initially only works with Apache and nginx.
History and schedule
Roots of the project lie in a project run by the Electronic Frontier Foundation in cooperation with the University of Michigan and an independent project by Mozilla that were combined into Let's Encrypt. In 2014, the mother organisation, the ISRG, was founded. The start of Let's Encrypt was announced on November 18, 2014.[21]
On January 28, 2015, the ACME protocol was officially submitted to the IETF for standardisation.[22] On April 9, 2015, the ISRG and the Linux Foundation declared their collaboration.[12] The root and intermediate certificates were generated in the beginning of June.[14] On June 16, 2015, the final launch schedule for the service was announced, with the first certificate expected to be issued sometime in the week of July 27, 2015, followed by a limited issuance period to test security and scalability. General availability of the service is expected to begin sometime in the week of September 14, 2015, provided everything goes as planned.[23] On August 7, 2015, the launch schedule was amended to provide more time for ensuring system security and stability, with the first certificate to be issued in the week of September 7, 2015 followed by general availability in the week of November 16, 2015.[24] The cross-signature from IdenTrust is planned to be available when Let's Encrypt opens for the public.[13]
On September 14, 2015, Let's Encrypt issued its first certificate, which was for the domain helloworld.letsencrypt.org. On the same day, ISRG submitted its root program applications to Mozilla, Microsoft, Google and Apple.[25]
Further reading
- Richard Barnes, Jacob Hoffman-Andrews, James Kasten (21 July 2015), IETF (ed.), "Automatic Certificate Management Environment (ACME)", Active Internet-Drafts
{{citation}}
: CS1 maint: multiple names: authors list (link) (latest standardisation draft of the ACME specification)
References
- ^ Kerner, Sean Michael (November 18, 2014). "Let's Encrypt Effort Aims to Improve Internet Security". eWeek.com. Quinstreet Enterprise. Retrieved February 27, 2015.
- ^ Eckersley, Peter (November 18, 2014). "Launching in 2015: A Certificate Authority to Encrypt the Entire Web". Electronic Frontier Foundation. Retrieved February 27, 2015.
- ^ Liam Tung (ZDNet), November 19, 2014: EFF, Mozilla to launch free one-click website encryption
- ^ a b c d Fabian Scherschel (heise.de), November 19, 2014: Let's Encrypt: Mozilla und die EFF mischen den CA-Markt auf
- ^ Rob Marvin (SD Times), November 19, 2014: EFF wants to make HTTPS the default protocol
- ^ ITP: letsencrypt – Let's Encrypt client that can update Apache configurations
- ^ Richard Barnes (Mozilla), April 30, 2015: Deprecating Non-Secure HTTP
- ^ The Chromium Projects – Marking HTTP As Non-Secure
- ^ Glyn Moody, November 25, 2014: The Coming War on Encryption, Tor, and VPNs – Time to stand up for your right to online privacy
- ^ Steven J. Vaughan-Nichols (ZDNet), April 9, 2015: the web once and for all: The Let's Encrypt Project
- ^ Zeljka Zorz (Help Net Security), July 6, 2015: Let's Encrypt CA releases transparency report before its first certificate
- ^ a b Sean Michael Kerner (eweek.com), April 9, 2015: Let's Encrypt Becomes Linux Foundation Collaborative Project
- ^ a b Reiko Kaps (heise.de), June 17, 2015: SSL-Zertifizierungsstelle Lets Encrypt will Mitte September 2015 öffnen
- ^ a b Reiko Kaps (heise.de), June 5, 2015: Let's Encrypt: Meilenstein zu kostenlosen SSL-Zertifikaten für alle
- ^ a b Chris Brook (Threatpost), November 18, 2014: EFF, Others Plan to Make Encrypting the Web Easier in 2015
- ^ "Draft ACME specification".
- ^ R. Barnes, P. Eckersley, S. Schoen, A. Halderman, J. Kasten (January 28, 2015). "Automatic Certificate Management Environment (ACME) draft-barnes-acme-01".
{{cite web}}
: CS1 maint: multiple names: authors list (link) - ^ https://github.com/letsencrypt/boulder/blob/master/LICENSE.txt
- ^ https://github.com/letsencrypt/letsencrypt/blob/master/LICENSE.txt
- ^ James Sanders (TechRepublic), November 25, 2014: Let's Encrypt initiative to provide free encryption certificates
- ^ Joseph Tsidulko (2014-11-18). "Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode". crn.com. Retrieved 2015-08-26.
- ^ History for draft-barnes-acme
- ^ Josh Aas (June 16, 2015). "Let's Encrypt Launch Schedule". letsencrypt.org. Let's Encrypt. Retrieved June 19, 2015.
- ^ "Updated Let's Encrypt Launch Schedule". August 7, 2015.
- ^ Michael Mimoso. "First Let's Encrypt Free Certificate Goes Live". Threatpost.com, Kaspersky Labs. Retrieved 2015-09-16.
External links
- Official website
- Code repositories hosted on GitHub
- Seth Schoen's Libre Planet 2015 lecture on Let's Encrypt
- technical introduction in a blog post by David Wong
- pde's talk on Let's Encrypt at CCCamp 2015