I started to write a draft of an article about Let’s Encrypt back in November, but never quite finished it to my satisfaction. In any case I would like to draw attention to the project as it gets closer to going live. They just posted the draft of their certificate management policy, so things are starting to heat up a bit, which is kind of exciting!
If you’re not familiar with the project, here’s an overview of how it works. Basically it’s an automated tool that web server administrators can install and use to generate, sign, manage, and revoke TLS certificates for the sites they host. It takes most of the human factor out of the process and also helps implement some of the more esoteric features of modern TLS for HTTP.
In light of the news over the past couple of years, and the complete ubiquity of the Internet and the WWW at this point, it’s fairly obvious that proper encryption of All The Things is long overdue. A number of steps in that direction are taking place right now (the HTTP/2 standard is more or less final, 1024-bit roots have been widely superseded, OCSP stapling and HSTS are becoming much more widely deployed), but the biggest challenge I see is that, particularly for small website owners and businesses, properly implementing X.509 certificates for TLS is still enough of a pain that it’s largely avoided unless you’re somewhat savvy or paranoid.
I’ve read a few good blog posts and articles on the Let’s Encrypt project, but for some reason it doesn’t seem to be getting that much mainstream coverage. At first I was a bit leery of the idea of handing certificate management over to a third-party system, but the more I’ve looked at it the more the idea seems solid. Basically their assumption is that their tooling can handle certificate management better than the average web administrator can. Combined with the fact that the project has major backing from folks like Cisco, Akamai, the EFF, and Mozilla, I’m hoping that it gets major traction. I know that I’m planning on adopting it early, even though I have a couple of years left on the RapidSSL certs I’m currently using.
Oh and did I mention that it will be entirely free?