Electrical Engineering and Computer Science

With Over 7 Million Certificates Issued, Let's Encrypt Aims to Secure the Entire Web

  Bookmark and Share

Prof. J. Alex Halderman

Prof. J. Alex Halderman is on a mission to secure every website on the Internet. That's because HTTP, the long-established protocol that provides the technical foundation of the web, is inherently insecure.

According to Prof. Halderman, "Anything you access over HTTP travels over the Internet completely unencrypted and unsecured. An attacker can read it, change it, or lie about who's on the other side of the connection." This exposes web users to threats that range from surveillance to phishing and identity theft.

HTTPS, an encrypted and authenticated version of HTTP commonly associated with a green lock icon in the address bar of the browser, provides a solution to these challenges. HTTPS was first introduced in the late 1990s to enable safe online credit card transactions and more recently has been adopted by an increasing number of popular sites, including Google, Facebook, and Twitter, to protect every page load, not just passwords and financial data.

Yet adopting HTTPS has remained too complicated and expensive for the vast majority of smaller websites. "Traditionally, there there have been two roadblocks to adopting HTTPS," says Prof. Halderman. "The process is far too complicated, and you have to deal with the certificate authorities."

Certificate authorities are companies approved by the major web browsers to vouch for the identity of a secure web server, which they do by verifying that a particular cryptographic key corresponds to a given domain name. "It's what prevents an attacker from impersonating your site," explains Prof. Halderman. Working with a certificate authority, however, can be an obstacle for legitimate website owners. "You have to jump through technical hoops, prove that you are really you, and pay a large annual fee," he says. Even for an expert, the process is cumbersome. "Then, a year later – just a long enough time so that you've forgotten the details of the procedure – your certificate expires and you have to repeat the whole process from scratch."

Let's Encrypt issued its 7 millionth certificate on July 29, 2016 (click to enlarge)

In order to bring HTTPS to everyone, Prof. Halderman joined forces in 2012 with colleagues at Mozilla and the Electronic Frontier Foundation to found Let's Encrypt, a non-profit certificate authority with the mission of making the switch to HTTPS vastly easier. Prof. Halderman and his then-student James Kasten (MS PhD CSE '12 '15) developed technology that automates the entire process, allowing a website operator to deploy HTTPS in seconds with only a single command. "We rethought HTTPS deployment from the ground up," says Prof. Halderman. "All the cost and complexity of the old certificate authorities wasn't doing anything to strengthen security." Thanks to funding support from over 35 industry sponsors, including Cisco, Akamai, and Facebook, Let’s Encrypt provides the entire service for free.

Since its public launch in December 2015, Let's Encrypt has realized its promise and is growing to have a significant impact on the security of the web. By March 2016 the service had issued one million certificates. As of July 29, 2016, it had grown to become the world's second largest certificate authority, having issued over 7 million certificates covering more than 9 million unique domains. This includes large-scale deployments from companies such as Akamai, WordPress.com, Dreamhost, and Bitly.

According to Prof. Halderman, "We started Let's Encrypt with the goal of seeing the entire web move to secure, end-to-end HTTPS cryptography, and after our first six months, we're well on our way. We're having a strongly positive impact on the rate of HTTPS adoption: More than 90% of sites that have certificates from Let's Encrypt never used HTTPS before, and the global rate of growth of HTTPS adoption has increased by almost 4 times since Let's Encrypt launched." If this trend continues, says Prof. Halderman, HTTPS will soon replace HTTP as the default protocol for the web, and "for the sake of security and privacy, that day can’t come soon enough."

Prof. J. Alex Halderman is a noted security expert with interests in the areas of Internet security and privacy, electronic voting, and censorship resistance. He received his PhD in Computer Science from Princeton in 2009 and joined the faculty at Michigan the same year. Prof. Halderman was been recognized for his efforts with a Sloan Fellowship and as one of Popular Science's Brilliant 10. At Michigan, he has been named a Morris Wellman Faculty Development Professor and has been awarded the 1938E Award in recognition of his excellence in teaching and his scholarly integrity. He serves as the director of the Center for Computer Security and Society and advises the Michigan Hackers student group on campus.

Posted: August 3, 2016