One step closer to an encrypted web. Next stop: HTTPS for everyone

Here's some great news for all of us who care about the security of the internet: We are one step closer today to having an encrypted web.

As many of us are aware, most of the webpages on the internet are served using something called HTTP (HyperText Transfer Protocol).

HTTP works very well, but is also inherently insecure - opening up opportunities for criminals, companies and governments to spy on what we're doing, hijack accounts and steal information, inject malicious scripts into webpages and even censor access to sites.

HTTPS (Hypertext Transfer Protocol Secure) secured via TLS (Transport Layer Security, sorry about all the acronyms...) is better for security, protecting users' personal information as it is transmitted between the user and the site, but can be a hassle to set up and can cost website owners money.

[Image: Let's Encrypt test site]

Years ago you were only likely to see online banks using HTTPS, but over time just about everywhere you made purchases online realised it was reckless to ask users to enter their credit card details over an unencrypted connection. Later, other services such as webmail providers and search engines realised it was a necessity too.

Now all manner of sites are beginning to adopt HTTPS, even in cases where you were unlikely to be typing anything sensitive.

For instance, this very site, https://www.grahamcluley.com, uses HTTPS on every single page, not because you are likely to ever buy anything from me, but principally because security and privacy should be the standard, not the exception.

Last November, the EFF along with Mozilla and Cisco announced the "Let's Encrypt" project, with the aim of bringing free HTTPS encryption to all websites.

And now Let's Encrypt has announced that all major web browsers are trusting its free security certificates.

[Image: Let's Encrypt certificate information]

This is an important milestone, because previously you would have been required to specially configure your computer to prevent it from displaying a warning message when visiting a site using a Let's Encrypt certificate.

Well done to Let's Encrypt for its progress so far.

Let's Encrypt plans to start issuing free certificates next month.


5 Responses

  1. Pete

    October 20, 2015 at 5:04 pm #

    Great…it's unquestionably a big step in the right direction. Perhaps they'll take it a step further and figure out a way to make it easy for the broad masses to use X.509 digital signing certs (PKCS) so everyone will start using secure (encrypted) email.

    Of course, that's already available. Comodo provides free X.509 certs now, and they're even easier to get than the old Thawte Freemail certs (now extinct) were, or the StartSSL certs still are.

    But the availability of free certs isn't the problem where email is concerned. There, the BIG problem is getting people to even understand the importance of encrypted messaging, and getting them to want to use it. It's a subject wherein ignorance is epidemic.

  2. Simon

    October 20, 2015 at 9:24 pm #

    I second this.

    Having said that, buying a cert these days is relatively cheap (I pay $9 AUD IIRC) and beats fluffing around with self-signed certs…

  3. Jan

    October 21, 2015 at 6:18 am #

    Initiatives like this are great! But what exactly is the difference to startssl.com, who have been giving out free certificates (accepted by all browsers) for about 10 years now?

  4. Jim

    October 21, 2015 at 7:56 am #

    Comodo certs appear to be limited to 90 days and one per domain.
    StartSSL certs are valid for a year, but limited to the domain itself. i.e. no subdomains. I think there are also limitations with shared IP addresses.
    Cacert.com doesn't have the certs in all major browsers.

    So if these guys can circumvent all those limitations, then I'm all for it. I applied for mine in the beta program a week or two back and am still waiting.

  5. Vito

    October 21, 2015 at 4:09 pm #

    CAcert seemed like a good idea when I first found them (10 years ago), but they just can't seem to get their root certificate validated by Mozilla (and probably others). That makes their certs useless in SeaMonkey, Firefox, and Thunderbird unless you go into the Certificate Manager and manually trust their certs. That's a nuisance for most users. I mostly use StartSSL certs these days.
