Why EFF’s “Let’s Encrypt” Initiative Is More Important Than It Seems
In late 2014, the Electronic Frontier Foundation announced a small software utility called “Let’s Encrypt”, aimed at website administrators. It reduces the time and skill required to encrypt a website from three hours and much Googling to twenty seconds and one command. The initiative matters far more than just another random utility would.
In the closing days of 2014, it became known what the NSA and their ilk can and cannot wiretap. To cut a long story short, the technologies that are impossible to wiretap are also the technologies that are practically impossible to use: Tor, OTP, ZRTP. The most user-friendly technologies that stand out are Tails and the Signal/Redphone/TextSecure suite, and even they are nerdcore-only software at present.
In 2010, the Tor Project and the Electronic Frontier Foundation developed something called “HTTPS Everywhere”. It was a simple browser plugin that would automatically choose an encrypted version of websites, if available. If you installed this plugin into your browser, your communications were all of a sudden much more secure. (It remains a question why, four years later, this behavior hasn’t become the default in browsers.)
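The “automatically choose an encrypted version, if available” behaviour described above is, at its core, a URL rewriter driven by a list of hosts known to serve the same content over HTTPS. The following is an added illustration in that spirit, not the HTTPS Everywhere extension’s own code; the ruleset, the hostnames and the exclusion pattern in it are constructed for the example.

```javascript
// Added example: a miniature HTTPS-upgrade rewriter modelled on the idea
// behind HTTPS Everywhere. NOT the extension's code; the ruleset below and
// every hostname in it are constructed for illustration.
//
// Each rule names hosts known to serve the same content over HTTPS, and may
// list path patterns that must be left alone (e.g. an HTTP-only legacy
// endpoint). Real rulesets are far larger; the shape is the same.
const RULESET = [
  { name: "Example Site", hosts: ["example.com", "www.example.com"] },
  // Constructed case: HTTPS works everywhere except under /legacy/.
  { name: "Partial Site", hosts: ["partial.example"], exclusions: [/^\/legacy\//] },
  // Constructed case: any subdomain of wildcard.example is upgradable.
  { name: "Wildcard Site", hosts: ["*.wildcard.example"] },
];

// Does a rule's host pattern match the hostname? Supports one leading "*."
// wildcard, which must match at least one label (the bare apex is excluded).
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // e.g. ".wildcard.example"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Return the upgraded URL string, or the input unchanged when no rule applies.
// Only plain http: URLs are candidates; https:, ftp:, file: etc. are untouched,
// as is anything that does not parse as a URL at all.
function upgradeUrl(urlString, ruleset = RULESET) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return urlString; // not a parseable URL: leave it alone
  }
  if (url.protocol !== "http:") return urlString;
  const hostname = url.hostname.toLowerCase();
  for (const rule of ruleset) {
    if (!rule.hosts.some((h) => hostMatches(h, hostname))) continue;
    // A matching rule can still opt specific paths out of the upgrade.
    if ((rule.exclusions || []).some((re) => re.test(url.pathname))) return urlString;
    url.protocol = "https:"; // query string and fragment are preserved by the URL object
    return url.toString();
  }
  return urlString;
}

// Stand-alone demonstration.
for (const u of ["http://www.example.com/a?b=1", "http://partial.example/legacy/x",
                 "http://a.b.wildcard.example/", "http://other.test/"]) {
  console.log(u, "->", upgradeUrl(u));
}
```

The exclusion list is the part worth noticing: a plugin like this can only be as safe as its ruleset, because upgrading a host that does not actually serve HTTPS breaks the site rather than securing it, which is why the extension needed curated rules instead of blindly rewriting everything.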
However, enabling people to use encrypted communications wasn’t enough. There must also be encrypted communications to begin with. Most people who operate small websites do not offer encrypted versions, for several reasons: it costs money to buy an encryption certificate, it takes more than an hour to set up encryption even for those who know how (and producing the certificates involves rather arcane commands that you need to google every single time), and it’s a real hassle to maintain and renew.
EFF launched an initiative called “Let’s Encrypt”: a simple server-side utility that reduces all that hassle to ten to twenty seconds of work, done just once. Instead of an hour-plus of procedures, it would just be
admin@webserver:~$ lets-encrypt www.myweb.com
…and the utility would not just generate and install a certificate, with none of the credit-card and callback hassle, but also renew it automatically when needed. On the back end, the Let’s Encrypt utility also contains a full certificate authority.
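“Renew it automatically when needed” hides a decision the utility has to make on every scheduled run: which installed certificates are close enough to expiry to act on, and which have already lapsed or cannot be read at all. The following added example models that decision; it is not the Let’s Encrypt client’s code, and the 30-day threshold, the site names and the expiry dates are assumptions constructed for illustration.

```javascript
// Added example: the renewal decision a Let's Encrypt-style utility makes on
// each run. NOT the Let's Encrypt client's code. The 30-day threshold and the
// certificate inventory below are assumptions constructed for illustration.
const RENEW_WITHIN_DAYS = 30; // assumed policy: renew once fewer than 30 days remain
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Classify one certificate from its notAfter time (ISO 8601 string) and "now".
// Returns "ok", "renew", "expired" or "invalid".
function certStatus(notAfter, now, thresholdDays = RENEW_WITHIN_DAYS) {
  const expiry = Date.parse(notAfter);
  if (Number.isNaN(expiry)) return "invalid"; // unreadable date: never treat as fine
  const daysLeft = (expiry - now.getTime()) / MS_PER_DAY;
  if (daysLeft <= 0) return "expired";
  if (daysLeft < thresholdDays) return "renew";
  return "ok";
}

// Walk an inventory of installed certificates and return the entries that
// need action. Expired and invalid entries are included on purpose: a tool
// that "renews when needed" must not silently skip a site whose certificate
// already lapsed or whose metadata it could not parse.
function planRenewals(inventory, now) {
  const actions = [];
  for (const cert of inventory) {
    const status = certStatus(cert.notAfter, now);
    if (status !== "ok") actions.push({ site: cert.site, status });
  }
  return actions;
}

// Constructed sample inventory; sites and dates are made up.
const SAMPLE_INVENTORY = [
  { site: "www.myweb.com",  notAfter: "2015-03-01T00:00:00Z" }, // 59 days away
  { site: "blog.example",   notAfter: "2015-01-20T00:00:00Z" }, // 19 days away
  { site: "old.example",    notAfter: "2014-12-25T00:00:00Z" }, // already expired
  { site: "broken.example", notAfter: "not-a-date" },           // unreadable
];
const SAMPLE_NOW = new Date("2015-01-01T00:00:00Z");

// Run the plan against the constructed inventory.
function demo() {
  return planRenewals(SAMPLE_INVENTORY, SAMPLE_NOW);
}

console.log(demo());
```

Renewing well before expiry, rather than on the day, is what makes the renewal invisible to the administrator: a failed attempt still leaves weeks to retry and to raise an alert, which is the difference between “set and forget” and the maintenance hassle the post complains about.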
This is exactly right. It’s more than this utility that’s needed – it’s this attitude that’s needed, for much more than just secure web browsing.
Security is hard.
Good security needs to not be hard.
Essentially, strong security has remained the preserve of the technically proficient, as observed above regarding which cryptographic solutions are actually unbroken (those that are hard to use). We need many more initiatives to bring strong crypto to the masses, and we need to realize that even system administrators find good crypto just too cumbersome to deal with.
That needs to change.
The pain points of using strong crypto need to go away. All of them, and for everybody involved. Kudos to the EFF for getting that ball rolling.
Privacy remains your own responsibility.