Here’s some great news for all of us who care about the security of the internet: We are one step closer today to having an encrypted web.
As many of us are aware, most of the webpages on the internet are served using something called HTTP (HyperText Transfer Protocol).
HTTP works very well, but is also inherently insecure – opening up opportunities for criminals, companies and governments to spy on what we’re doing, hijack accounts and steal information, inject malicious scripts into webpages and even censor access to sites.
HTTPS (Hypertext Transfer Protocol Secure) secured via TLS (Transport Layer Security, sorry about all the acronyms…) is better for security, protecting users’ personal information as it is transmitted between the user and the site, but can be a hassle to set up and can cost website owners money.
Years ago you were only likely to see online banks using HTTPS but over time just about everywhere you made purchases online realised it was reckless to request users enter their credit card details over an unencrypted connection, and later other services such as webmail providers and search engines realised it was a necessity too.
Now all manner of sites are beginning to adopt HTTPS, even in cases where you were unlikely to be typing anything sensitive.
For instance, this very site, https://grahamcluley.com, uses HTTPS on every single page, not because you are likely to ever buy anything from me, but principally because security and privacy should be the standard, not the exception.
Last November, the EFF along with Mozilla and Cisco announced the “Let’s Encrypt” project, with the aim of bringing free HTTPS encryption to all websites.
And now Let’s Encrypt has announced that all major web browsers are trusting its free security certificates.
As previously you would have been required to specially configure your computer to prevent it from displaying a warning message when visiting a site using a Let’s Encrypt certificate this is an important milestone.
Well done to Let’s Encrypt for its progress so far.
Let’s Encrypt plans to start issuing free certificates next month.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
5 comments on “One step closer to an encrypted web. Next stop: HTTPS for everyone”
Great…it's unquestionably a big step in the right direction. Perhaps they'll take it a step further and figure out a way to make it easy for the broad masses to use X.509 digital signing certs (PKCS) so everyone will start using secure (encrypted) email.
Of course, that's already available. Comodo provides free X.509 certs now, and they're even easier to get than the old Thawte Freemail certs (now extinct) were, or the StartSSL certs still are.
But the availability of free certs isn't the problem where email is concerned. There, the BIG problem is getting people to even understand the importance of encrypted messaging, and getting them to want to use it. It's a subject wherein ignorance is epidemic.
I second this.
Having said that, buying a cert these days is relatively cheap (I pay $9 AUD IIRC) and beats fluffing around with self-signed certs…
Initiatives like this are great! But what exactly is the difference to startssl.com, who have been giving out free certificates (accepted by all browsers) for about 10 years now?
Comodo certs appear to be limited to 90 days and one per domain.
StartSSL certs are valid for a year, but limited to the domain itself. i.e. no subdomains. I think there are also limitations with shared IP addresses.
Cacert.com doesn't have the certs in all major browsers.
So if these guys can circumvent all those limitations, then I'm all for it. I applied for mine in the beta program a week or two back and am still waiting.
CAcert seemed like a good idea when I first found them (10 years ago), but they just can't seem to get their root certificate validated by Mozilla (and probably others). That makes their certs useless in SeaMonkey, Firefox, and Thunderbird unless you go into the Certificate Manager and manually trust their certs. That's a nuisance for most users. I mostly use StartSSL certs these days.