Dug Campbell

Why We Should Be Supporting Let’s Encrypt

In this post-Snowden world, two words that have seeped into the public consciousness are encryption and surveillance. I wrote about James Bridle’s interesting surveillance project just a couple of days ago so now let’s take a quick look at encryption.

As you’ve probably heard, there’s currently a fight brewing between the big tech companies, who are starting to issue hardware which contains higher levels of encryption by default, and the national intelligence services. Even if you somehow agreed with the FBI’s assessment that the recent decision by both Apple and Google to encrypt phone data by default sets a dangerous precedent, few would disagree that what appears to be a concerted effort by the security services to apply pressure on the tech giants overreached the mark when the Deputy Attorney General told a room full of Apple executives last month that the new iOS encryption would cause a child to die…

The point is that encryption of data is in general a hugely positive development for us all. Anything that reduces the potential number of attack vectors that others can use to hack in and steal your personal information as it gets exchanged online has to be valuable. Of course, the intelligence services can still effectively access our data as required but making it harder for those others with malicious intent is crucial.

Along these lines, a new certificate authority called Let’s Encrypt has just been announced and will go live in 2015. It’s being developed by a consortium of organisations (including Mozilla, Cisco and the Electronic Frontier Foundation plus researchers at the University of Michigan amongst others). The goal of the project (announced in various places, including here and here) is to provide a simple way for every website to move from HTTP to HTTPS.

No-one’s claiming that HTTPS is the answer to all issues (it’s only been a few months since Heartbleed after all). But the point is that by using it, you can be far more comfortable that the information that you’re exchanging whilst visiting a website is actually going where you expect it to and it’s far less likely to be stolen or changed maliciously en route.

Some companies such as Google already use HTTPS by default and the company has also indicated that it will use the existence of a site’s HTTPS as a positive search ranking factor. Cue the stampede towards general adoption as part of the ongoing battle for Page 1 search ranking visibility.

But historically the problem has always been that it’s far more effort to set up HTTPS on a website – it costs more and it’s easy for people to make mistakes setting it up. The initiative by Let’s Encrypt will basically let people deploy HTTPS with one click. That has to be valuable.

If you have responsibility for a website, it’s definitely one to watch out for over the next few months.

