19. Securing the Web with Let's Encrypt

Josh Aas, the co-founder of the non-profit Internet Security Research Group (ISRG), is interviewed by Craig Ingram, a Runtime Engineer at Heroku. Amongst other outreach programs, ISRG is in charge of developing Let's Encrypt, which is a Certificate Authority (CA) designed to provide free TLS/SSL certificates to any website on the web. While starting ISRG in 2013, Josh noted that only about a third of websites on the Internet were secured by HTTPS. He discovered that not only was the price of acquiring a certificate a barrier to entry, but the technical requirements to apply a certificate was also cumbersome. Let's Encrypt began as a way to simplify the application of aTLS/SSL certificate for any website. Founding a CA was no easy task. To begin with, a brand new CA is "untrusted," and it takes up to a decade for every company and Internet-ready device in the world to accept your validity. In 2015, Let's Encrypt partnered with another CA called IdenTrust by having them cross-sign certificates. This allows Let’s Encrypt to operate and provide certs while making progress towards becoming a fully independent CA. Over the years, there have been several trade-offs between Let's Encrypt original goals and features that users have requested. Although ISRG would like to limit the technical scope of what Let's Encrypt offers to keep the process simple, they have worked through feedback to ensure that they meet a majority of their users' needs. Although HTTPS certainly helps secure communication between a user and a website, there are still more layers of the Internet which require protection. One of these is called Border Gateway Protocol (BGP) hijacking. The team is working on mitigations to make these sorts of attacks impractical. Links from this episode Let's Encrypt is a free, automated, and open Certificate Authority with the goal of creating a 100% encrypted Web. The Border Gateway Protocol is, in Josh's opinion, another major component of the Internet which requires stronger security.