EFF, Mozilla back new certificate authority that will offer free SSL certificates

A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.

The new CA will be called Let's Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.

The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol -- the more secure successor of SSL (Secure Sockets Layer) -- said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.

The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.

The goal is to make getting a certificate as easy as possible, because that's currently the hardest part of turning on TLS, Aas said. With the new CA "there will be no billing interaction, no need to create an account. You don't really need to know much at all except that you want to turn on TLS."

The software used by the CA, as well as the client applications that will help users configure TLS certificates on Web servers like Apache, Nginx and Microsoft IIS, will be open source. The CA plans to operate in a transparent manner, with the certificate issuance and revocation records available to anyone who wishes to inspect them, Aas said.

Some demo software will be made available Tuesday, so that people can start providing feedback. A draft specification for the API (application programming interface) protocol that automates certificate issuance and renewal will also be published today and soon it will be submitted to the Internet Engineering Task Force (IETF) for consideration as an open standard, according to Aas.

Let's Encrypt will go through the same audit processes as other CAs and will follow the CA/Browser Forum's baseline requirements for the issuance and management of digital certificates.

ISRG will apply to have the CA's root certificate accepted into all major root programs like the ones run by Mozilla and Microsoft, so that Web browsers and other software clients will trust certificates issued by the new CA by default. However, this process can take between one and three years, so in the meantime the Let's Encrypt root certificates will be cross-signed by IdenTrust, a company that already runs a trusted CA and is one of the project's primary sponsors, Aas said.

This will ensure that Let's Encrypt can start issuing certificates that will be trusted by most applications as soon the CA becomes operational early next summer.

Other sponsors of the project include Cisco Systems and Akamai Technologies. Some researchers from the University of Michigan are also involved. Aas expects that more people and organizations will offer their support in the future.

"Over time, we're going to measure our success by two things: the spread of TLS usage and a shift in users' attitude about encryption," Aas said. "We'd like to get to a point where users expect and demand that all websites they visit are encrypted, not just their banks."

This is part of a larger effort to encrypt all forms of online communications that security and privacy experts have called for following revelations of bulk Internet surveillance by intelligence agencies like the U.S. National Security Agency or the U.K.'s Government Communications Headquarters.

The IETF has already started work on developing TLS deployment guidelines for various communication protocols. Cryptography and security expert Bruce Schneier, who had access to the cache of secret documents leaked by former NSA contractor Edward Snowden, said last year that the goal of the technical community should be to make eavesdropping expensive through the widespread use of encryption, which would force the NSA to abandon the wholesale collection of data in favor of targeted collection.

This year Google modified its search ranking algorithms to favor HTTPS (HTTP Secure) websites in a move aimed at encouraging webmasters to implement TLS encryption on their sites.

The growing adoption of TLS might create an incentive for attackers to increasingly target the private keys associated with digital certificates. However, this is a larger issue that will require work from the whole industry to combat, Aas said.

There are plans for Let's Encrypt to join the CA/B Forum, an association of browser vendors and certificate authorities that develops guidelines and best practices for the issuance, revocation and management of TLS and code signing certificates.