The EFF to launch "Let's Encrypt" Certificate Authority

[b]Launching in 2015: A Certificate Authority to Encrypt the Entire Web[/b]

Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.

Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.


Continue reading…

So this seems to be a future Certificate Authority that will issue free certificates in an easy manner, now what I would want to discuss is how this will affect Comodo, if I remember correctly, CIS is free largely because of Comodos income from being a Certificate Authority and selling certificates, Could “Let’s Encrypt” potentially threaten that income and by extension would that result in CIS no longer being free?

Personally I’m in favor of a free an easy way to get a certificate, but at the same time the main reason I’m using CIS for is because it’s free, I don’t know if I would stick by it if it became a paid product, but that’s just me.

What do you people think?

And Melih, do you see this as a potential threat to your income from being a CA and if so do you think it would potentially mean CIS would transfer into being a paid product only? Also do you think this is a positive development in order to create better security on the internet?

Let’s encrypt is definitely interesting. Of course any CA is a competitor to all other CAs. But CAs offer different products at different prices for different customers.

We will use a protocol we’re developing called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. We will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s, and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue.
Better than plain old DV, but still DV, and you can already get a DV-certificate for free. Today’s free and low-cost DV-certificates will be challenged by Let’s encrypt’s free certificates with “stronger forms of domain validation”.

Customers who need organization or extended validation will still pay for that service.

For example, a bank using a DV-certificate, even with certificate transparency, would not feel quite right.