The padlock icon is our friend. We’ve all been trained to look for it in the address bar of our browser, especially when we’re shopping online, logging into our webmail, or accessing sensitive information from our bank. But shouldn’t secure browsing be the rule, rather than the exception? A project called Let’s Encrypt wants to encourage just that, starting in mid-2015.
Many of the most popular websites do already use secure hosting, in the form of HTTPS: the web's underlying HTTP protocol carried over the Secure Sockets Layer (SSL) protocol, or its successor Transport Layer Security (TLS), which encrypts the connection and lets the browser check that it is talking to the genuine server. Google enabled HTTPS by default back in 2011; Yahoo made it the default for its mail service in January of this year; and Twitter has been using secure connections as far back as 2012. Yet according to the most recent numbers from the Trustworthy Internet Movement, only 24 percent of 151,000 popular websites should be considered secure based on their implementation of SSL/TLS.
Here’s the thing: setting up a secure website is a pain. Even for the technically minded folks who don’t mind getting hip-deep into arcane command line tools, configuring and enabling the features that ensure encrypted communication is a complicated process. It involves generating a private key, requesting a cryptographic certificate for it, installing the certificate on the server, and renewing it before it expires, since a browser treats an expired certificate much like an untrusted one. Those certificates have to be signed by a certificate authority (CA) that browsers already trust. The CA’s signature binds the site’s public key to its domain name and gives the browser a chain of trust back to a root it knows; that is what proves a visitor is talking to the real site rather than to someone sitting between them. And CAs generally charge for that service. More than a little. So a lot of website administrators don’t bother setting up a secure site unless it’s absolutely necessary, such as for ecommerce.
Let’s Encrypt, which was created by the non-profit Internet Security Research Group and is sponsored by heavy hitters like Mozilla, the Electronic Frontier Foundation, Akamai, and Cisco, wants to bulldoze those roadblocks. First, by reducing setup to a single command-line tool that takes care of all the necessary “paperwork”: proving to Let’s Encrypt, which is itself a certificate authority, that you control the domain, then obtaining the certificate, configuring the web server to use it, and renewing it automatically. Because that check only establishes control of the domain, the resulting certificate says nothing about who is behind the site; it guarantees that the connection is encrypted and ends at whoever controls that name. Second, by making the certificate itself free, thanks to the support of those aforementioned groups. With those two obstacles removed, Let’s Encrypt hopes to vastly increase the number of websites that enable secure traffic on their servers.
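The manual lifecycle the last two paragraphs describe (private key, signing request, CA signature, chain and host name check, renewal check), as an added example using the openssl command-line tool; it is not Let’s Encrypt’s client or any project’s code. It assumes a throwaway self-signed CA created on the spot in place of a public CA such as Let’s Encrypt, the placeholder host name www.example.com, and OpenSSL 1.0.2 or later for the -verify_hostname option. Nothing contacts a real CA, and the certificates it produces would not be trusted by any browser.

```shell
#!/bin/sh
# Added example (not Let's Encrypt's client or any project's code): the manual
# certificate lifecycle done with the openssl CLI. A throwaway self-signed CA
# stands in for a public CA such as Let's Encrypt; www.example.com is a
# placeholder host name. Assumes OpenSSL 1.0.2+ (for -verify_hostname).

# Create a private CA (key + self-signed root certificate) in directory $1.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test Root CA" >/dev/null 2>&1
}

# Generate a server key and a certificate signing request (CSR) for domain $2,
# then have the CA in $1 sign it for $3 days. The subjectAltName extension is
# what browsers match against the host name, so it is attached at signing time.
issue_cert() {
    dir=$1 domain=$2 days=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$domain" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$domain" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days "$days" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Chain of trust: exit 0 only if server.crt in $1 chains to that directory's
# CA AND is valid for host name $2. A certificate signed by an unknown CA or
# issued for a different name fails here, which is the browser's padlock check.
verify_cert() {
    dir=$1 hostname=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$hostname" \
        "$dir/server.crt" >/dev/null 2>&1
}

# Renewal check: exit 0 if certificate $1 will still be valid $2 days from now,
# 1 if it will have expired by then. Renew while this still passes.
valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Walk through the lifecycle once, printing the outcome of each check.
demo() {
    workdir=$(mktemp -d)
    make_ca "$workdir" && issue_cert "$workdir" www.example.com 90 \
        || { echo "issuance failed"; return 1; }
    verify_cert "$workdir" www.example.com \
        && echo "chain + host name OK for www.example.com"
    verify_cert "$workdir" evil.example.net \
        || echo "rejected: certificate is not for evil.example.net"
    valid_for_days "$workdir/server.crt" 30 \
        && echo "still valid in 30 days, no renewal needed yet"
    valid_for_days "$workdir/server.crt" 120 \
        || echo "expires within 120 days: renew before then"
    rm -rf "$workdir"
}

demo
```

Each check is a function whose exit status is the answer, so the same functions can be dropped into a cron job that renews as soon as valid_for_days fails for a margin of a few weeks. The two rejected cases (a certificate for the wrong name, a renewal window that reaches past expiry) are exactly what a browser, or a monitoring script, is supposed to refuse.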
Even that may only be a partial solution though. Neither SSL/TLS nor the software that implements it is perfect. Earlier this year, security experts uncovered the Heartbleed bug, a memory-handling flaw in the widely used OpenSSL library rather than in the protocol itself, which let an attacker read chunks of a vulnerable server’s memory, private keys included. A vulnerability found more recently, known as POODLE, is a flaw in the protocol: it affects the obsolete but still widely enabled SSL 3.0, and the remedy is to turn that version off. And, of course, even the best encryption can be subverted by non-technical means, such as luring a user to a look-alike site.
Even so, encrypted traffic is still superior to unencrypted traffic: an attacker on the network can read or rewrite an unencrypted page at will, whereas a flaw in TLS at least has to be found and exploited first. The Internet Engineering Task Force working group responsible for the HTTP 2.0 specification proposed in 2013 that encrypted traffic be the default for the new standard, but it appears an unencrypted option will still be offered.
If Let’s Encrypt can make some headway when it launches next year, it could lead to a more secure web browsing experience for everybody. And maybe, just maybe, when secure web traffic is the de facto standard, that little padlock icon can finally be retired.