A Scheme to Encrypt the Entire Web Is Actually Working
April 15, 2016
Shah Sheikh

Apple’s move to encrypt your iPhone and WhatsApp’s rollout of end-to-end encrypted messaging have generated plenty of privacy applause and law enforcement controversy. But more quietly, a small non-profit project has enacted a plan to encrypt the entire global web. And it’s working.

Earlier this week, the San Francisco-based Internet Security Research Group (ISRG) announced that the initiative it calls Let’s Encrypt is coming out of beta—and that it’s making serious headway toward helping tens of millions of unencrypted sites around the world switch from the insecure web standard HTTP to HTTPS, which encrypts your web browsing to protect it from surveillance. Without that layer of encryption, a regular HTTP connection can be intercepted and read by anyone between a web visitor’s browser and the site he or she is visiting—whether a hacker on the same Wi-Fi network, an internet service provider, or a government agency. Since launching less than six months ago, Let’s Encrypt has helped 3.8 million websites switch to HTTPS encryption, taking a significant chunk out of the unprotected web data that’s available to those eavesdroppers.

“Frankly it’s irresponsible how much of our information goes flying around the web in the clear. Anyone can just pull it down and read it. That’s not what people should expect from such an important network today,” says Josh Aas, the founder of the Internet Security Research Group, who officially works for Mozilla but runs Let’s Encrypt for ISRG. “We want to feel that when we’re using [the web] we have privacy…Our goal is to get to one hundred percent encryption.”

Let’s Encrypt has tried to make it easier for websites to switch from HTTP to HTTPS by flattening one of the biggest hurdles in the process: certificates. Let’s Encrypt functions as a certificate authority, one of the dozen or so organizations like Comodo, Symantec, GoDaddy and GlobalSign that verify that servers running HTTPS websites are who they claim to be. (A carefully secured web connection isn’t much good if you’re sending private data to a spoofed site.) Once a server is verified, the authority issues it a “certificate” that it needs to make its HTTPS encryption work with your browser. The certificate is designed to be an unforgeable signature that’s cryptographically checked by your browser, so that you can be sure your communications are decrypted only by the intended site and not by an impostor.

Unlike commercial certificate authorities, however, Let’s Encrypt is free, thanks to corporate sponsorship from companies including Cisco, Google and Akamai. It’s available to websites anywhere in the world—even far-flung countries like Cuba and Iran that sometimes aren’t served by other major certificate authorities. And it’s configured automatically by a piece of software that runs on any server that wants to switch on HTTPS. “This is the silver bullet that…lowers the barrier to encrypted web communications,” says Ross Schulman, the co-director of the cybersecurity initiative at the New America Foundation. “It brings the cost of executing a secure website down to zero.”

All of that has led to a noticeable shift in the amount of encryption unfolding across the web. The 1.8 million certificates Let’s Encrypt has issued to 3.8 million websites now make it the third-largest certificate authority in the world, according to Aas, behind Comodo and Symantec. And because 85 percent of those sites never had HTTPS before, it has already significantly boosted the total fraction of sites on the web that are encrypted. Based on numbers Mozilla gathers from Firefox users, encrypted sites now account for more than 42 percent of page visits, compared with 38.5 percent just before Let’s Encrypt launched. And Aas says that number is still growing at close to one percent a month. “For the web, that’s a rate of change that you don’t usually see,” he says. “A lot of us have our eyes on that 50 percent mark.”

[Figure: HTTPS growth rate, April 2016]

Let’s Encrypt’s free and automated HTTPS certification is designed to make it easy for individuals without technical expertise or resources to encrypt their sites. But its automation also helps big companies trying to roll out HTTPS to a large number of customers. WordPress, for instance, announced just last week that all sites hosted on WordPress with custom URLs will now be encrypted by default using Let’s Encrypt’s certificates. And that automation is set to get more sophisticated in the coming months, says Peter Eckersley, a technologist with the Electronic Frontier Foundation, which has helped to create and maintain the Let’s Encrypt certification software. Upcoming versions, he says, will be capable of more detailed configuration—geekier tasks like making sure the certificate properly presents its expiration date to browsers and that the server uses the most secure encryption algorithms. “We want to not only get a certificate and install it for you, but also deal with all the behind-the-scenes settings to get things right and have HTTPS actually be secured,” Eckersley says.

Just how easy it is to get a Let’s Encrypt certificate hasn’t always been a good thing. In January, security firm Trend Micro pointed out that the group’s certificates were being used to encrypt the connections between malicious advertisements on a website the firm declined to name and a server controlled by cybercriminals, who used that encrypted connection to install a banking trojan on visitors’ computers. After all, Let’s Encrypt only certifies that a site—or in this case, an element of a site—is encrypted by the server from which that content is loaded. Unlike some commercial certificates, it doesn’t claim to check who the organization behind that server is, which is a more manual and involved process.
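The distinction above, between a certificate that only proves control of a domain and one that also names a vetted organization, is visible in the certificate itself. The following added example (not from the article or from Let’s Encrypt) inspects a certificate in the dictionary form that Python’s `ssl.SSLSocket.getpeercert()` returns and reports the issuer, whether the subject names an organization, which hostnames it covers, and how long it has left; the certificate data is a constructed sample, not a real issued certificate.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): a
# domain-validated certificate whose subject carries only the hostname.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "notBefore": "Apr 15 00:00:00 2016 GMT",
    "notAfter": "Jul 14 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
}


def _name_to_dict(name):
    """Flatten getpeercert()'s nested relative-distinguished-name tuples."""
    return {key: value for rdn in name for (key, value) in rdn}


def covers_hostname(cert, hostname):
    """True if a DNS SAN entry matches the host (single-label wildcards only)."""
    host_labels = hostname.lower().split(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = pattern.lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def inspect_cert(cert, now):
    """Summarise who issued the cert, what it vouches for, and its remaining life."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expiry - now).days
    return {
        "issuer_org": issuer.get("organizationName"),
        # No organizationName in the subject: domain control only, as in the article.
        "domain_validated": "organizationName" not in subject,
        "dns_names": [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_until_expiry": days_left,
        "expired": days_left < 0,
    }
```

To run this against a live site, pass the result of `getpeercert()` from a verified TLS socket in place of the sample and `datetime.now(timezone.utc)` as `now`.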

Aas doesn’t pretend that all Let’s-Encrypt-certified sites are benevolent. “People ask if the bad guys use Let’s Encrypt. The answer is basically ‘yeah,’” he says. “But they’re also using a server, an ISP, a domain name. [An HTTPS] certificate is only a small part of their plan, and taking it away wouldn’t really change what’s going on.”

Allowing that kind of occasional criminal use of web encryption, Aas adds, is a small price to pay to help shut down a kind of low-hanging surveillance fruit of the web—one that’s available to any interloper, from a snoop on the Starbucks Wi-Fi network to Comcast to the NSA. “For any country that spies on its citizens and other countries’ citizens, when you put your information out there in the clear, it makes widespread surveillance easy,” says Aas. With ubiquitous HTTPS, he adds, “the price of surveillance goes up. There’s no free lunch anymore.”

Source | Wired