The process of obtaining SSL/TLS certificates is cumbersome enough to convince many domain owners that it isn't worth the trouble, but a new certificate authority (CA) seeks to change that and make it free of cost -- making the process so quick and easy that every site will be convinced to shift from "http" to "https."
The new CA, a nonprofit called Let's Encrypt, was announced yesterday by the Electronic Frontier Foundation (EFF), with plans to begin issuing free domain verification certificates as soon as June 2015. The CA is a collaborative effort of researchers and developers at the EFF, Mozilla, and the University of Michigan, with support from Cisco, Akamai, and Identrust.
Back in 2012, Josh Aas and Eric Rescorla, co-workers at Mozilla, were discussing ideas for widely increasing the use of SSL/TLS online. "Everything was really hard," says Aas, "unless you owned the CA."
They brought their idea for a new CA to their employers at Mozilla, who agreed to support them as their first major sponsor. In 2013, they created the Internet Security Research Group (ISRG), which will operate the new CA. Aas is currently its executive director. They then learned that the EFF was working on similar plans and decided to team up.
The usual process for obtaining an SSL or TLS cert takes between one and three hours, according to the EFF. Let's Encrypt reduces this time to 20-30 seconds. You don't even need to visit the Let's Encrypt website to get it.
Such speed requires a high degree of automation, so the researchers created ACME, a new protocol for obtaining and managing certificates. However, that automation limits what sort of verification they can do. So Let's Encrypt will only be able to issue domain validation certs -- you'll have to go elsewhere for extended validation.
At the moment, Let's Encrypt does not have a root certificate developed or accepted by browsers. This process could take years. In the meantime, another CA, IdenTrust, has agreed to vouch for Let's Encrypt by cross-signing its root, thereby allowing people to obtain Let's Encrypt certs.
Aas says Let's Encrypt intends to start issuing certs in June 2015. "We also want more transparency about what certs are issued." Certificates can be issued with greater confidence when a CA can see what certs have been issued by other authorities. The EFF's Decentralized SSL Observatory, the University of Michigan's scans.io, and Google's Certificate Transparency logs are examples of these public cert databases, and the ISRG intends to follow suit. "We're committed to publishing every cert we issue."