Linux Foundation to Host Open Encryption Project
Posted on April 9, 2015 by Kara Dunlap in Security
Linux Foundation to Host Let’s Encrypt, Project to Bring Free SSL Certs to Websites
An Internet where most websites use security certificates and encrypt data by default is no longer just a dream. A consortium of Internet and technology companies and organizations is banding together to make it easier for website owners to obtain and set up security certificates.
The Let’s Encrypt project is a free and automated security certificate authority which will simplify the process of obtaining a security certificate for websites, the Linux Foundation and the Internet Security Research Group said Thursday. It’s increasingly clear the only way to have reliable security online is to have every website be encrypted, served over Transport Layer Security (TLS), so that people’s information is protected from snoops, the Linux Foundation said. The goal is to make it easier for website owners to apply for and install a security certificate on their domains.
“Encryption should be the default for the web,” Josh Aas, executive director of ISRG, told SecurityWeek. Let’s Encrypt will help “increase TLS usage on the Web,” he said.
Data such as login credentials, financial information, browser cookies, and other types of sensitive or personal information travel from user computers to websites, or across multiple websites. All this information can easily be intercepted by eavesdroppers, but not if the Web application encrypts the information before sending it through the network. “A secure Internet benefits everyone,” Jim Zemlin, executive director at The Linux Foundation, told SecurityWeek.
Let’s Encrypt takes the world a step closer to a time when more websites would use a certificate and TLS would be the default across the Web, rather than the present where most sites do not even have a valid certificate, Aas said. The free and simple process should take no longer than a few minutes to complete.
Currently, it is difficult for website owners to obtain a certificate because the process may be too complicated or too expensive. Owners may also be overwhelmed by the different types and not know which one to pick, Aas said. Let’s Encrypt automates the process so that certificates are issued without manual steps. Let’s Encrypt will also manage the certificate, so that when it nears its expiration date the system handles renewal. There was no reason renewing a certificate had to remain a manual process. Let’s Encrypt will also handle installation and configuration on supported servers, which will likely include most major server software, so that no misconfigured certificates are deployed, Aas said.
Let’s Encrypt will be issuing Domain Validation certificates since this type of certificate can be automatically issued and managed, Aas said. Other types of certificates cannot be issued or managed automatically. Let’s Encrypt will also be focusing on elliptic curve cryptography—ECC—because it is the most effective at protecting online users today, he said.
Let’s Encrypt will be working closely with major hosting providers to offer TLS to all customers, following a model similar to what CloudFlare currently does for its customers, Aas said. Any CloudFlare customer has access to SSL certificates for their domains, for free. Let’s Encrypt will not be working directly with website owners, but will act as the back-end for hosting providers interested in offering free DV certificates to their customers, Aas said. While individuals will be able to get a certificate directly from Let’s Encrypt, the bulk of certificates will likely be issued through a major hosting provider.
“While the web has been a part of our lives for decades now, the data shared across networks is still at risk,” Zemlin said in a statement.
The Linux Foundation will host the Internet Security Research Group and Let’s Encrypt as a Linux Foundation Collaborative Project. Collaborative Projects are independently funded software projects working on innovative programs that will have wide-ranging benefits and impact across industries, Zemlin said. The sponsor companies include Akamai, Cisco, Electronic Frontier Foundation, and Mozilla as founding Platinum members, IdenTrust as a Gold member, and Automattic (maker of WordPress) as the Silver member.
“By hosting this important encryption project in a neutral forum we can accelerate the work towards a free, automated and easy security certification process that benefits millions of people around the world,” Zemlin said in a statement.
Hosting in this context means the Linux Foundation will take on much of the business aspects of running Let’s Encrypt. The Linux Foundation provides the essential collaborative and organizational framework for projects, such as making sure there is money in the bank, hiring and providing benefits to employees, and even setting up a secure data center, so that members of the project can focus on actually building, Zemlin said.
“The Linux Foundation is in the business of supporting brilliant people working on innovative projects,” Zemlin said, noting hundreds of millions of dollars have been invested across various Collaborative Projects.
In this case, ISRG already has made its own arrangements for Let’s Encrypt infrastructure, Aas said, but was careful to note that ISRG is not dismissing the possibility of someday moving to Linux Foundation’s infrastructure.
“We want to build. We don’t want to have to worry about accounting, who is getting paid. I am not good at any of that, but Linux Foundation is,” Aas said, explaining why the relationship works for ISRG.
Let’s Encrypt is not trying to replace traditional certificate authorities. While the project will focus its efforts on getting free certificates out to website owners in a secure and open way, Aas sees the project as something working alongside CAs to get to a world where everyone is using encryption by default.
“The only reliable strategy for making sure that everyone’s private data and information is protected while in transit over the web is to encrypt everything,” Aas said in a statement.
Related: Why “Let’s Encrypt” Won’t Make the Internet More Trustworthy
Do You Take Extra Precautions to Protect Yourself Online?
Posted on January 1, 2015 by Kara Dunlap in Blog
Is this a concern of yours? Not everyone worries about their private information being stolen online. Some people are very trusting and simply assume it will be fine as long as they don’t do anything to attract unwanted attention.
Which camp do you belong to? Do you take extra measures to protect yourself online, or do you leave it to fate and assume it will all be fine?
Image Credit: Wikimedia Commons
AT&T Admits Insider Illegally Accessed Customer Data
Posted on October 6, 2014 by Kara Dunlap in Security
AT&T is advising customers that a rogue employee illegally accessed their personal information.
In a breach notification letter sent to customers and the Vermont attorney general, AT&T explained the breach occurred in August. The employee responsible is no longer with the company.
According to the letter, the employee was able to view and may have accessed customer information ranging from social security numbers to driver’s license numbers. In addition, while accessing user accounts, the employee would have been able to view their Customer Proprietary Network Information (CPNI) without authorization. CPNI data is associated with services customers purchase from AT&T.
It is not clear how many customers were affected by the breach or if consumers in other states may have been involved.
“AT&T’s commitments to customer privacy and data security are top priorities, and we take those commitments seriously,” according to the letter.
“Simply stated, this is not the way we conduct business, and as a result, this individual no longer works here,” the letter notes.
AT&T is offering affected consumers a year of free credit monitoring, and said in the letter that any unauthorized changes that had been made to accounts would be reversed. The company has contacted federal law enforcement as well.
Earlier this year, employees of one of AT&T’s service providers accessed customer information without authorization as well. According to AT&T, the perpetrators in that case were trying to gather information that could be used to request codes to unlock AT&T mobile phones so that they could be used with other telecommunications providers.
“Insiders are worse than hackers because there’s no way to protect against them that’s truly effective,” opined Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?”
“This proves, yet again, that humans are the weakest link in any security plan,” he added. “It’s the old IT administrator joke about a system error called PEBKAC – Problem Exists Between Keyboard And Chair.”