In an effort to reinvent and dramatically improve Internet security, researchers at the University of Michigan have joined with Mozilla and other industry and non-profit partners, and will soon offer free, automated, and open HTTPS encryption for websites.
They’re establishing a new certificate authority called Let’s Encrypt, which will begin operating in summer 2015. Certificate authorities are organizations that verify the identities of websites. A certified site is then protected from a host of potential cyberattacks. You can tell you’re on one if the web address begins with HTTPS, rather than the more common HTTP.
“Anything you do on the web is visible to network-based attackers if you’re using regular HTTP,” said J. Alex Halderman, assistant professor of computer science and engineering at U-M who initiated the Let’s Encrypt project two years ago.
“Attackers can potentially spy on everything you’re accessing, modify what you see, alter programs you download to make them malicious, or take over the website account you’re logged in under. But HTTPS is a fundamental protection against these attacks, and what we’re doing with Let’s Encrypt is trying to make HTTPS ubiquitous.”
The HTTP protocol is the default for a majority of sites worldwide, but it doesn’t protect against threats such as surveillance, phishing or identity theft. HTTPS is a secure cryptographic version of the protocol that can address many of these issues if it’s deployed correctly. Historically, however, it has been cumbersome and costly for website operators to implement and maintain, which has limited its potential impact.
Let’s Encrypt aims to change that by offering free server certificates supported by sophisticated new security protocols, researchers say. Software will automate the process of obtaining, managing, and renewing the certificates.
To operate Let’s Encrypt, Halderman and U-M doctoral student James Kasten formed a collaboration with Mozilla, Cisco, Akamai, the Electronic Frontier Foundation (EFF) and IdenTrust. Together they have started a foundation called the Internet Security Research Group that will oversee the new certificate authority.
EFF has been campaigning for several years to spread HTTPS from payment pages and banking sites to email, social networking, and other types of sites. But there are still hundreds of millions of domains that lack this protection.
“This project should boost everyday data protection for almost everyone who uses the Internet,” said EFF Technology Projects Director Peter Eckersley. “Right now when you use the Web, many of your communications—your user names, passwords, and browsing histories—are vulnerable to hackers and others. By making it easy, fast, and free for websites to install encryption for their users, we will all be safer online.”