Achieving HTTPS everywhere has been a goal for years now. The push, spearheaded by Google, reflects a consensus among security experts that it simply makes more sense to carry all communication as encrypted traffic. To do that, servers use an SSL certificate to encrypt and sign the transmission and to prove the identity of the server, preventing forgery or hijacking. In order for that SSL certificate to be trustworthy, however, it must be approved, signed, and issued by a trusted certificate authority (CA).
Becoming a certificate authority is no simple task. It can take years and hundreds of thousands of dollars. As such, the certificate authorities are in it to make a profit by selling their trusted certificates to each domain that wishes to encrypt their traffic to the public. These trusted certificates range from as little as $20/year to as much as $2,000/year for each domain name you want to secure.
The process of obtaining and installing a trusted certificate is fairly technical and can be very expensive. Add to that the fact that certificates expire regularly (usually after 1 or 2 years) and you have to repeat the process for all of your domains. Because of the cost and effort required, system administrators have reserved HTTPS for sites which absolutely need it, such as e-commerce sites or sensitive medical or financial systems.
To help push the adoption of HTTPS for all sites forward, Google has gone so far as to offer a boost in its search rankings for sites which are served over HTTPS. Their engineers have even contributed large improvements to the TLS protocol which dramatically improve the performance of sites served securely. Despite those incentives and improvements, adoption has still been slow due to the cost of the trusted certificates.
This month, the final hurdle (aside from configuration) has been removed thanks to the Electronic Frontier Foundation (EFF). The EFF has gone through the wringer to become a certificate authority and will begin offering trusted SSL certificates to the public, for free, in the coming days. The official certificate authority is called Let's Encrypt and it just issued its first certificate 10 days ago.
As of today, Let's Encrypt has not yet been added as a trusted authority and will not be seen as a valid signer of SSL certificates by major web browsers. You'd have to manually install their root certificate in order for the authority to appear as valid, something a normal user isn't going to do. Fortunately the root certificate is in line to be cross-signed by IdenTrust's root certificate, one of the most common authorities accepted by web browsers. Once the cross-signing is complete, essentially every web browser out there will trust the new Let's Encrypt certificates - this is slated to happen within the next 30 days.
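To make the cross-signing mechanism concrete, here is an added worked example (not code from the original post, from Let's Encrypt or from IdenTrust). It builds a constructed toy PKI with the shape the paragraph describes: a Let's Encrypt root, a Let's Encrypt intermediate key that holds two certificates (one issued by the Let's Encrypt root, one cross-signed by an IdenTrust root), and a site certificate issued by that intermediate. A browser that only knows the IdenTrust root still finds a verified path to the site. The certificate format, the names, and the use of Lamport one-time signatures in place of RSA/ECDSA are all assumptions made so the script needs nothing beyond the Python standard library; it does not parse real X.509.

```python
import hashlib
import json
import os


def H(data):
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures: a stand-in for the CA's RSA/ECDSA key ---
# (assumption for this demo: chosen because it needs only hashlib; each key
#  below signs exactly one certificate, which a one-time scheme requires)
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def msg_bits(msg):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def verify(pk, msg, sig):
    return all(H(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(msg_bits(msg), sig)))


# --- Minimal constructed certificates: subject, issuer, subject key, issuer signature ---
def to_be_signed(subject, issuer, pk):
    spki = b"".join(a + b for a, b in pk).hex()
    return json.dumps({"subject": subject, "issuer": issuer, "spki": spki}).encode()


def issue(subject, subject_pk, issuer, issuer_sk):
    return {"subject": subject, "issuer": issuer, "pk": subject_pk,
            "sig": sign(issuer_sk, to_be_signed(subject, issuer, subject_pk))}


def trust_anchor(name, pk):
    # Roots are trusted because they sit in the client's trust store,
    # not because of any signature on the root certificate itself.
    return {"subject": name, "issuer": name, "pk": pk, "sig": None}


def signed_by(cert, candidate_issuer):
    # Name match alone is never enough: the signature must verify under the candidate's key.
    return (candidate_issuer["subject"] == cert["issuer"]
            and verify(candidate_issuer["pk"],
                       to_be_signed(cert["subject"], cert["issuer"], cert["pk"]), cert["sig"]))


def build_path(leaf, intermediates, trust_store):
    """Return [leaf, ..., anchor] if a fully verified chain ends in the trust store, else None."""
    def extend(path):
        current = path[-1]
        for anchor in trust_store:
            if signed_by(current, anchor):
                return path + [anchor]
        for cand in intermediates:
            if cand not in path and signed_by(current, cand):
                found = extend(path + [cand])
                if found:
                    return found
        return None
    return extend([leaf])


def demo():
    """Constructed PKI modelled on the post: LE root, cross-signed LE intermediate, IdenTrust root."""
    identrust_sk, identrust_pk = keygen()
    le_root_sk, le_root_pk = keygen()
    le_int_sk, le_int_pk = keygen()
    _, site_pk = keygen()
    rogue_sk, _ = keygen()  # a key nobody trusts, for the forgery check

    identrust_root = trust_anchor("IdenTrust Root", identrust_pk)
    le_root = trust_anchor("Let's Encrypt Root", le_root_pk)
    # One intermediate key, two certificates: issued by LE's own root, and cross-signed by IdenTrust.
    le_int_own = issue("Let's Encrypt Intermediate", le_int_pk, "Let's Encrypt Root", le_root_sk)
    le_int_cross = issue("Let's Encrypt Intermediate", le_int_pk, "IdenTrust Root", identrust_sk)
    site = issue("example.com", site_pk, "Let's Encrypt Intermediate", le_int_sk)
    # Forgery attempt: correct issuer name, but signed with the rogue key -> must be rejected.
    forged = issue("example.com", site_pk, "Let's Encrypt Intermediate", rogue_sk)

    pool = [le_int_own, le_int_cross]  # what the server sends alongside its certificate
    return {
        "trusts_identrust_only": build_path(site, pool, [identrust_root]),
        "trusts_le_root_only": build_path(site, pool, [le_root]),
        "trusts_neither": build_path(site, pool, []),
        "forged_leaf": build_path(forged, pool, [identrust_root, le_root]),
    }


if __name__ == "__main__":
    for case, path in demo().items():
        shown = " <- ".join(f'{c["subject"]} (issued by {c["issuer"]})' for c in path) if path else "NOT TRUSTED"
        print(f"{case}: {shown}")
```

The path builder tries both intermediate certificates in turn, so the same site certificate validates under whichever root the client happens to hold; this is why the cross-signature, rather than shipping a new root to every browser, is what makes the certificates usable immediately. The forged case shows the check a client must never skip: an issuer name can be copied, the issuer's signature cannot.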
Let's Encrypt has set a public availability date of November 14th 2015, at which time their root certificate will have been cross-signed and the general public will be able to obtain free, trusted certificates. This fall, a new era of easily obtained web security will arrive. HTTPS will become the new normal for sites over the coming years at a pace previously unseen.