U. Michigan fronts effort to push HTTPS net security
University of Michigan researchers have formed a partnership with Mozilla, Cisco Systems, Akamai and several other Internet services firms to offer free, automated, open and “ubiquitous” website HTTPS Transport Layer Security (TLS) encryption.
The group, which also includes IdenTrust Inc. and the Electronic Frontier Foundation, is setting up a new certificate authority called Let’s Encrypt that will launch in summer 2015, part of an effort to “reinvent and dramatically improve Internet security,” according to a report by the UM’s Michigan News.
The security of HTTPS is supported by underlying TLS, which uses secret keys to encrypt data flow between client and server.
"Anything you do on the web is visible to network-based attackers if you're using regular HTTP," said J. Alex Halderman, assistant professor of computer science and engineering, who started the Let's Encrypt.
“But HTTPS is a fundamental protection against these attacks, and what we're doing with Let's Encrypt is trying to make HTTPS ubiquitous."
HTTPS can help protect against surveillance, phishing and identity theft, but the protocol has been costly to implement. Let’s Encrypt is designed to overcome that hurdle by offering free secure server certificates and automating the process of obtaining and managing the certificates, according to the UM report.
"This project should boost everyday data protection for almost everyone who uses the Internet," said Peter Eckersley, technology projects director with the Electronic Frontier Foundation.
To operate Let's Encrypt, the firms and UM researchers Halderman and doctoral student James Kasten have formed the Internet Security Research Group (ISRG), a foundation called that will manage the new certificate authority.
Let’s Encrypt will involve a number of new technologies, such as an automated certificate management protocol ISRG is developing called ACME, that automates the management of domain-validation certificates that will support for new and stronger forms of validation.
A draft protocol specification and prototype implementations are available on Github.
Connect with the GCN staff on Twitter @GCNtech.