Let's Encrypt - the free, automated and open certificate authority - entered its public beta phase yesterday, meaning you no longer have to wait for an invitation to get a free TLS certificate.
It began a limited beta in September and has issued over 11,000 certificates since then.
Josh Aas, the executive director of the Internet Security Research Group (ISRG) which created Let's Encrypt, said in a blog post that the limited beta has given the organisation the confidence to open the service to anyone who wanted to request a certificate.
“It's time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let's Encrypt was built to enable that by making it as easy as possible to get and manage certificates,” Aas said.
“We have more work to do before we're comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We'll be monitoring feedback from users closely, and making improvements as quickly as possible,” he said.
Ivan Ristic, director of application security research at Qualys, said the launch of Let's Encrypt is very exciting. “This project will substantially increase world-wide security by enabling encryption where previously there was none. The fact that their certificates are free is reshaping the CA industry; there are already rumours that commercial CAs will follow by also offering free certificates. But although the cost is a factor, the key advances will come from automation and the fact that encryption will become embedded in the fabric of our internet infrastructure.”
Brian Spector, CEO of Miracl, said Let's Encrypt is a step in the right direction if it helps to break the closed shop which currently exists with just five American companies issuing nearly 95 percent of all certificates.
But he cautions that it doesn't go far enough because, he argues, public key infrastructure (PKI) is an inherently flawed system which puts too much control in the hands of a few operators. “Any entity that controls the root key used by these commercial certificate authorities wields a tremendous amount of power, as we have seen when Google caught Symantec issuing legitimate google.com certificates in an unauthorised way a few weeks ago,” he said.
And in 2011 the Dutch certificate authority DigiNotar was compromised; rogue certificates issued from it, allegedly at the behest of the Iranian government, were used to perform man-in-the-middle attacks against pro-democracy activists.
He also warns that Let's Encrypt is a US-based organisation that could come under pressure from federal agencies, and that it does not solve the problem of concentrating so much sensitive material in one place, which, he asserts, makes it an attractive target for attackers.