November 19, 2014
In an effort to reinvent and dramatically improve Internet security, U-M researchers have joined with Mozilla and other industry and nonprofit partners to soon offer free, automated and open website HTTPS encryption.
They're establishing a new certificate authority called Let's Encrypt, which will begin operating in summer 2015.
Certificate authorities are organizations that ensure the identities of websites. A certified site is then protected from a host of potential cyber attacks. Users can tell they're on one if the Web address begins with HTTPS, rather than the more common HTTP.
"Anything you do on the Web is visible to network-based attackers if you're using regular HTTP," said J. Alex Halderman, assistant professor of computer science and engineering who initiated the Let's Encrypt project two years ago.
"Attackers can potentially spy on everything you're accessing, modify what you see, alter programs you download to make them malicious, or take over the website account you're logged in under. But HTTPS is a fundamental protection against these attacks, and what we're doing with Let's Encrypt is trying to make HTTPS ubiquitous."
The secure, cryptographic protocol HTTPS can protect against threats such as surveillance, phishing and identity theft if it's deployed correctly. Historically, however, it has been cumbersome and costly for website operators to implement and maintain, which has limited its potential impact.
Let's Encrypt aims to change that by offering free server certificates supported by sophisticated new security protocols. Software from Let's Encrypt will automate the process of obtaining, managing and renewing the certificates.
To operate Let's Encrypt, Halderman and doctoral student James Kasten collaborated with Mozilla, Cisco, Akamai, the Electronic Frontier Foundation (EFF) and IdenTrust. Together, they have started a foundation called the Internet Security Research Group that will oversee the new certificate authority.
EFF has been campaigning for several years to spread HTTPS from payment pages and banking sites to email, social networking and other types of sites. But there are still hundreds of millions of domains that lack this protection, EFF said in a statement.
"This project should boost everyday data protection for almost everyone who uses the Internet," said Peter Eckersley, EFF technology projects director.
"Right now when you use the Web, many of your communications — your user names, passwords and browsing histories — are vulnerable to hackers and others. By making it easy, fast and free for websites to install encryption for their users, we will all be safer online."