Your online activities are only protected from prying eyes if the sites and services you're using are encrypted -- a process noted in many browsers with a little lock icon in the URL bar. But not every Web site is encrypted.
A new project could make it easier than ever for Web site administrators to provide a basic layer of security to their visitors. Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan have formed a nonprofit organization, the Internet Security Research Group (ISRG), that will offer free, automated "security certificates" for Web sites starting next year.
A security certificate verifies the authenticity of a site offering an encrypted connection. The Web addresses of such sites start with "https" rather than "http", and the Internet traffic that travels over such connections can be read only by the sender and its intended recipient.
But the certificates can be cumbersome to obtain and set up. "Today, if you try to add encryption and security to a Web site, it takes many hours for even a skilled administrator to figure out how to get, install and configure the correct certificate," according to EFF's Peter Eckersley. The Let's Encrypt certificate will take 20-30 seconds to install and will be free when it launches next year, he said.
ISRG aims to shift the majority of the Web's traffic to encrypted sites. Currently, only a small percentage of Web sites are encrypted by default, although years of advocacy by groups like EFF have convinced many big-name sites to make the shift, says Eckersley. Developers at the New York Times recently challenged news organizations to encrypt their sites by default by the end of 2015.
EFF and University of Michigan researchers were working on an automated security certificate system when they learned of a similar project at Mozilla. They decided earlier this year to combine the projects and create the Let's Encrypt technology.
ISRG will spend the next few months making sure the security of the system is as close to "bulletproof" as possible, said Eckersley. "Certificate authorities have the entire fate of the Internet in their hands and they can't afford to make mistakes because it leaves Web sites vulnerable," he said.
In the past, fraudulent security certificates have been at the center of some major cybercrimes. In 2011, an Iranian hacker gained access to a company that issues security certificates and created fraudulent certificates that allowed him to impersonate Gmail and intercept the traffic of some 300,000 Iranians.
EFF has been working on efforts to expand the encryption of Web traffic for years. It developed a browser extension called HTTPS Everywhere that forces Web sites to make an encrypted connection when it's available. But that encrypted connection is only available if the Web site already has a security certificate -- the problem that Let's Encrypt is attempting to solve.
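To make concrete how an extension like HTTPS Everywhere can "force" an encrypted connection only where one is available, here is a small added example in Python. It is not the extension's own code: it applies a simplified, constructed per-site ruleset (hostname targets, regex rewrite rules and exclusions, loosely modelled on the extension's ruleset files) to incoming URLs. The hostnames, patterns, the Ruleset class and the rewrite function are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Ruleset:
    """Rewrite rules for one site (constructed for this example).

    targets:    hostnames the rules apply to; a leading "*." matches any subdomain
    rules:      (from_regex, to_template) pairs, tried in order, first match wins
    exclusions: regexes for URLs that must stay on plain HTTP (e.g. a legacy path
                known to break over HTTPS)
    """
    name: str
    targets: list
    rules: list
    exclusions: list = field(default_factory=list)


def _host_of(url):
    """Return the lower-cased host part of an http(s) URL, or None."""
    m = re.match(r"^https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else None


def _target_matches(target, host):
    if target.startswith("*."):
        return host.endswith(target[1:])   # "*.example.com" matches "www.example.com"
    return host == target


def rewrite(url, rulesets):
    """Upgrade url to HTTPS if some ruleset says the site supports it; else return it unchanged.

    Sites with no ruleset (typically because they have no certificate) are left on
    HTTP: that is exactly the gap a free, automated certificate authority is meant to close.
    """
    host = _host_of(url)
    if host is None or url.startswith("https://"):
        return url                      # not an http URL, or already encrypted
    for rs in rulesets:
        if not any(_target_matches(t, host) for t in rs.targets):
            continue                    # this ruleset does not cover the host
        if any(re.search(ex, url) for ex in rs.exclusions):
            return url                  # ruleset author marked this URL as HTTP-only
        for pattern, template in rs.rules:
            new_url, n = re.subn(pattern, template, url, count=1)
            if n:
                return new_url
    return url


# Constructed sample ruleset: example.com and its subdomains are known to serve HTTPS,
# except for a /legacy/ path that the ruleset author recorded as HTTP-only.
RULESETS = [
    Ruleset(
        name="Example",
        targets=["example.com", "*.example.com"],
        rules=[(r"^http://(www\.)?example\.com/", r"https://\1example.com/")],
        exclusions=[r"^http://example\.com/legacy/"],
    ),
]


if __name__ == "__main__":
    for u in ("http://www.example.com/login",
              "http://example.com/legacy/feed",
              "http://no-rules.test/",
              "https://example.com/"):
        print(f"{u:40} -> {rewrite(u, RULESETS)}")
```

The point the example makes is that the extension cannot create encryption where none exists: a URL for a host without a ruleset passes through untouched, and an exclusion keeps a known-broken path on HTTP. Coverage is only as good as the list of sites that already hold a certificate.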
"The system of certificates that underpins the Web is a vast and often dysfunctional bureaucracy," Eckersley said.
Fixing that problem would make the Web secure for all users. "If you're looking at an unencrypted HTTP Web site, your communications are vulnerable to account hijacking, identity theft, many forms of surveillance, interference and modification of the pages you're looking at. All of these problems are widespread and happen every day. With HTTPS the barriers for those who want to spy on your browsing or mess with your traffic are much higher."