Let's Encrypt is a non-commercial initiative providing a free, automated and open CA (certificate authority), created by ISRG for the benefit of society:
- free: the owner of any domain name can use Let's Encrypt and receive a trusted (read: "recognized by any modern browser") TLS certificate (TLS is the successor of SSL) completely free of charge;
- automated: Let's Encrypt provides software (a client) that is both free of charge and free software; once configured on the web server, it can fully automatically request the free certificates issued by Let's Encrypt, and automatically configure and renew them;
- secure: Let's Encrypt is being built as a platform for promoting TLS security best practices, both on the certificate authority (CA) side and on the side of websites, helping administrators configure web servers properly;
- transparent: information on the issuance and revocation of every Let's Encrypt certificate is publicly available, so that anyone who wishes to examine it can do so;
- open: the protocols for interacting with the CA, which make it possible to automate certificate issuance and renewal, will be published as an open standard for the widest possible adoption;
- cooperative: like any protocol underlying the Internet and the World Wide Web, Let's Encrypt is a joint non-commercial project, not controlled by any single organization, created to benefit society.
Let's Encrypt enters open beta testing today, December 3, 2015. The public beta means that all Let's Encrypt systems become available to everyone who would like to obtain a certificate. It is no longer necessary to sign up and wait for an invite.
The closed beta testing of Let's Encrypt began on September 12, 2015. More than 11 thousand certificates have been issued since then, and this experience gave Let's Encrypt confidence that all systems are ready for a public beta.
The time has finally come for the World Wide Web to take a big step forward towards security, privacy and encryption. Let's Encrypt was created to make HTTPS the default, and to achieve this goal the new CA simplifies as far as possible the processes of obtaining, renewing, revoking and managing certificates.
Let's Encrypt still has a lot of work to do before the "beta" label can finally be dropped, particularly in the area of user experience: the project relies on automation, so a great deal of effort will go into making the client work flawlessly on a wide range of platforms. To that end Let's Encrypt will closely monitor user feedback, study it and make the necessary improvements as quickly as possible.
Let's Encrypt depends on the support of a wide variety of organizations and individuals. Please consider getting involved, and if your company or organization would like to help, you can write here.
Why is the certificate lifetime only 90 days?
This question has come up repeatedly: yes, Let's Encrypt issues certificates with a lifetime of 90 days. The people asking are usually convinced that 90 days is too short and that it would be better if Let's Encrypt issued certificates valid for a year or even longer, as some other CAs do.
90-day certificates are nothing new for the World Wide Web. According to Firefox telemetry, 29% of all TLS transactions use 90-day certificates, and no other lifetime accounts for a larger share of transactions. Let's Encrypt's view is that short certificate lifetimes have two main advantages:
- they limit the damage from compromised keys and mis-issued certificates, since these remain in use for a shorter period;
- short-lived certificates support and encourage automation, which is absolutely necessary for HTTPS to be usable. If the whole World Wide Web is going to migrate to HTTPS, the administrator of every existing website cannot be expected to renew certificates by hand. Once certificate issuance and renewal are fully automated, shorter lifetimes will on the contrary become more convenient and practical.
For these reasons Let's Encrypt does not offer certificates with long lifetimes. At the same time, it is clear that the Let's Encrypt service is still young and that automated certificate management is a new experience for the overwhelming majority of subscribers, so the 90-day lifetime was chosen because it still leaves enough time for comfortable manual renewal, should that be necessary for any reason (Let's Encrypt recommends that subscribers renew their certificates every 60 days). Nevertheless, once automatic renewal software is widely deployed and has proven reliable and stable, Let's Encrypt intends to lower the maximum lifetime even further.
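The 90-day lifetime and 60-day renewal recommendation above translate directly into a monitoring check. The following is an added example, not code from the original post or from Let's Encrypt: the function names, hostnames and dates are constructed for illustration, and the certificate dictionaries mimic the `notBefore`/`notAfter` fields returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)  # certificate lifetime stated in the article
RENEW_AFTER = timedelta(days=60)   # renewal interval recommended in the article

def parse_cert_time(value):
    """Turn a getpeercert()-style time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def renewal_status(cert, now):
    """Classify one certificate dict (notBefore / notAfter) at time `now`."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        state = "not-yet-valid"
    elif now >= not_after:
        state = "expired"
    elif now - not_before >= RENEW_AFTER:
        state = "renew"          # past the 60-day mark: renewal is due
    else:
        state = "ok"
    return {"state": state,
            "days_left": (not_after - now).days,
            "over_90_days": not_after - not_before > MAX_LIFETIME}

def audit(inventory, now):
    """Return (host, state, over_90_days) for every certificate that needs
    attention, most urgent (fewest days left) first."""
    findings = []
    for host, cert in inventory.items():
        s = renewal_status(cert, now)
        if s["state"] != "ok" or s["over_90_days"]:
            findings.append((s["days_left"], host, s["state"], s["over_90_days"]))
    return [(host, state, over) for _, host, state, over in sorted(findings)]

# Constructed sample inventory and clock (not real certificates).
SAMPLE_NOW = datetime(2016, 2, 5, tzinfo=timezone.utc)
SAMPLE = {
    "www.example.test": {"notBefore": "Dec  3 00:00:00 2015 GMT", "notAfter": "Mar  2 00:00:00 2016 GMT"},
    "api.example.test": {"notBefore": "Jan 20 00:00:00 2016 GMT", "notAfter": "Apr 19 00:00:00 2016 GMT"},
    "old.example.test": {"notBefore": "Oct  1 00:00:00 2015 GMT", "notAfter": "Dec 30 00:00:00 2015 GMT"},
    "legacy.example.test": {"notBefore": "Jan  1 00:00:00 2016 GMT", "notAfter": "Jan  1 00:00:00 2017 GMT"},
}

if __name__ == "__main__":
    for row in audit(SAMPLE, SAMPLE_NOW):
        print(row)
```

The long-lived `legacy.example.test` entry is reported even though it is not yet due for renewal, because its one-year validity exceeds the 90-day bound on how long a compromised key or mis-issued certificate stays usable.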
This article is a translation of the original post at habrahabr.ru/post/272253/