Let's Encrypt and the Snowden Effect
One of the most spectacular examples of the Snowden Effect on tech has been the skyrocketing use of HTTPS encryption on the web. Think about it: as the web has become an integral part of all of our lives, its baseline privacy and security stands to have an enormous impact on our own.
In helping to improve the security of our technological infrastructure, Edward Snowden performed a valuable public service, which should be recognized. Urge President Obama to exercise his power of pardon today.
In the world of HTTPS encryption, no development has been more remarkable than the creation and adoption of the Let's Encrypt certificate authority. By some measures, it has gone from an idea to the largest cerificate authority on the web in an astonishingly short time. We sat down with Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation and one of the central players in the founding of Let's Encrypt, to talk about Snowden's influence and its impact on web security.
Can you describe what Let's Encrypt is, and how it's making the Internet safer for people to use?
Eckersley: We've known for a long time that we need to replace the HTTP protocol, which is hopelessly and irredeemably insecure, with HTTPS, which is considerably better. But that was difficult, because HTTPS requires certificates for authentication, and websites had to pay money and deal with a lot of bureaucracy to get those certificates. Let's Encrypt issues the certificates for free, using automated mechanisms, so it allows every website to use secure and encrypted HTTPS with zero expense and minimal difficulty.
The earliest work on Let's Encrypt started before the Snowden disclosures, but obviously its mission got more attention as people began to focus more attention on security and privacy. What kind of influence did Snowden's disclosures have on the project?
At first, Snowden's disclosures somewhat discouraged our efforts on HTTPS deployment, because they revealed that intelligence agencies had subverted the encryption from a number of directions: by placing wiretaps inside the networks of companies like Google, in places where the HTTPS protection was absent; by compelling or convincing companies to turn over data; and by breaking some of the encryption (though we weren't really confident of that until the LOGJAM research came along).
But we gradually realised that if tech comanies took extra steps, then HTTPS could work as a protection against dragnet surveillance, even by formidable actors like GCHQ and NSA. And it if of course enormously important from protecting people against other governments, ISPs and hackers around the world that try to eavesdrop on their traffic or hijack their accounts.
In talking with people about Let's Encrypt before and since its launch, do you think their perception of security and privacy has been influenced by the coverage of Snowden stories and other privacy news?
We certainly noticed that Let's Encrypt and other related efforts (such as our promotion of STARTTLS encryption for email servers) got much more traction in the wake of Snowden's leaks. By motivating companies to lift their game, he's probably been-single handedly responsible for 10% of the Internet being encrypted.
By some measures, Let's Encrypt has already become the largest CA on the web. Has that exceeded your expectations? What's next for it?
We were fairly confident Let's Encrypt would be important, and had a good chance of becoming an essential part of the Internet's infrastructure. But you never quite believe that until you see it happen, and it's happened faster than we expected.