Let's Encrypt

from Wikipedia, the free encyclopedia
Let's Encrypt
Founded: 2014
Founders: EFF, Mozilla, UM
Headquarters: San Francisco
Motto: Encrypt the entire web
Focus: X.509 certificate authority
Area of activity: worldwide
Owner: Internet Security Research Group
Revenue: $3,600,000 (2019)
Employees: 10 (2017)
Website: letsencrypt.org

Let's Encrypt is a certificate authority that went into operation at the end of 2015 and offers free X.509 certificates for Transport Layer Security (TLS). An automated process replaces the previously common, complex manual steps for creating, validating, signing, installing and renewing certificates for encrypted websites.

Overview

The aim of the project is to make encrypted connections the norm on the World Wide Web. By eliminating payment, manual web server configuration, validation emails and the worry about expired certificates, the effort of setting up and maintaining TLS encryption is to be reduced significantly. On a Linux web server, running only two commands should be enough to set up HTTPS, including requesting and installing the certificate, within 20 to 30 seconds.

Current efforts by the major web browser projects to declare unencrypted HTTP obsolete, to warn against it, or to restrict its support in the future rely, among other things, on the availability of Let's Encrypt. The project is said to have the potential to make encryption the default for the entire web.

Only so-called domain-validated certificates are issued. Organization validation and extended validation certificates are not offered.

To increase its own trustworthiness and to protect against attacks and manipulation attempts, the project aims for the greatest possible transparency. To this end, transparency reports are published regularly, all issuance transactions are logged publicly (for example via Certificate Transparency), and open standards and free software are relied on as far as possible.

The project received the FSF Award 2019.

Participants

Let's Encrypt is a service of the non-profit Internet Security Research Group (ISRG). Its main sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, Akamai, Google Chrome and Cisco Systems. Other participants are the certificate authority IdenTrust, the University of Michigan (UM), Stanford Law School, the Linux Foundation, Stephen Kent of Raytheon/BBN Technologies and Alex Polvi of CoreOS.

Technology

Let's Encrypt has an RSA root certificate that is kept in a hardware security module and is not used for issuance directly. It was to be supplemented by an ECDSA root certificate in the third quarter of 2019. The root signs several intermediate certificates, which are additionally cross-signed by the certificate authority IdenTrust. One intermediate is used to sign the issued certificates; the other is held in reserve in case of problems with the first. Thanks to the IdenTrust cross-signature, the issued certificates can be validated in common web browsers via their pre-installed root certificate authorities, so Let's Encrypt certificates have been accepted on the client side from the start. Since the end of July 2018, the Let's Encrypt root certificate has also been trusted by all major root programs.

Protocol

Let's Encrypt automates issuance with the challenge-response procedure of the Automatic Certificate Management Environment (ACME) protocol. The certificate authority either requests specific resources from the web server or makes DNS queries for the domain to be certified. In both cases a token previously generated by Let's Encrypt is published, either under a specific path on the web server or as a TXT resource record in the DNS of the domain concerned, and is then retrieved by the Let's Encrypt servers. The correct response proves that the applicant controls the web server or the name server, and therefore the associated domain (domain validation).

These queries must be answered correctly by the server system, and the protocol offers several ways to do so. In one of them, the ACME client sets up a specially configured TLS server that answers specific requests from the certificate authority by means of Server Name Indication (domain validation using Server Name Indication, DVSNI). In the design as announced in 2014, this procedure was to be accepted only for the first certificate issuance for a domain ("trust on first use", TOFU); afterwards the alternative validation via an already existing certificate would be used, and anyone who lost control of an already issued certificate would have to obtain a certificate from a third party in order to receive a Let's Encrypt certificate again. The published ACME standard defines the http-01 and dns-01 challenges described above, and Let's Encrypt later retired the TLS-SNI challenge.

The validation procedures are carried out several times over different network paths. To make DNS spoofing harder, DNS records are to be checked from several geographically distributed vantage points.

In ACME interactions, JSON documents are exchanged over HTTPS connections. The Internet Engineering Task Force published the protocol in March 2019 as a Request for Comments with the status of a Proposed Standard.
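The token handling described above, as an added example that is not code from Let's Encrypt, Boulder or certbot: the client binds the CA's token to its own ACME account key (RFC 8555 §8.1, using the RFC 7638 JWK thumbprint), serves the result for the http-01 challenge or publishes a hash of it for the dns-01 challenge, and the CA compares what it fetches against the same value. The JWK and token below are constructed sample values, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout (RFC 8555 §2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only, keys sorted,
    no whitespace. Optional members such as 'alg' or 'kid' do not influence it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 §8.1: token '.' thumbprint of the account key. Because the thumbprint is
    part of the answer, a token observed by a third party is useless without that key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """Path and body the web server must serve for the http-01 challenge (§8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Owner name and TXT value for the dns-01 challenge (§8.4): base64url(SHA-256(keyauth))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates_http01(token: str, jwk: dict, fetched_body: str) -> bool:
    """What the CA checks after fetching the challenge URL over plain HTTP: the body must
    equal the key authorization; trailing whitespace is ignored as §8.3 allows."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


# Constructed sample input: this JWK is NOT a real RSA key and the token is made up.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4Wf",
              "alg": "RS256", "kid": "demo-account-key"}
SAMPLE_TOKEN = "Qx3ZiA7pVb1mR9Kf2TtLwe4Hs8JcU0nyGd6oP5XaBvE"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve", path, "with body", body)
    name, txt = dns01_record("example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    print("publish", name, "TXT", txt)
    print("CA accepts:", ca_validates_http01(SAMPLE_TOKEN, SAMPLE_JWK, body + "\n"))
```

The body served for http-01 reveals only the thumbprint, never the account key itself; the dns-01 value is hashed once more so that the TXT record does not even expose the key authorization.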

Server implementation


The certificate authority consists essentially of a piece of software called Boulder, written in Go, which implements the server side of the ACME protocol. It is distributed as free software, including in source form, under version 2 of the Mozilla Public License (MPL). It exposes a REST API that is accessed over TLS.

For various Linux distributions there are packages that perform certificate renewal automatically, such as the certbot package for Debian.

Clients

More than 40 different clients have since been developed for the open ACME standard.

Under the project's umbrella, an Apache-licensed Python reference implementation called certbot (formerly letsencrypt) is developed. It requests the certificate from the applicant's web server, carries out the domain validation, installs the certificate, configures HTTPS in the web server and later renews the certificate at regular intervals. After installation and acceptance of the user agreement, running the certbot command is enough to get a valid certificate installed. Additional features such as OCSP stapling or HTTP Strict Transport Security (HSTS) can also be enabled. Automatic setup initially works only with Apache and nginx. The client can be installed from the package repositories of various Linux distributions, for example from Debian's.

acmetool is a client written in Go that is distributed as precompiled static binaries. Get HTTPS for free! validates a certificate via JavaScript in the web browser and gives the web administrator instructions for several manual steps. Caddy is an HTTP/2-capable web server that obtains a certificate automatically and serves content over HTTPS. Another widely used client is acme-tiny, written in Python; it is less than 200 lines long and is therefore meant to be read in full by every user before use.

History and schedule

The project's roots lie in a project run by the Electronic Frontier Foundation together with the University of Michigan and an independent project by Mozilla, which were merged into Let's Encrypt. The supporting organization, ISRG, was founded in 2014. The launch of Let's Encrypt was announced on November 18, 2014.

On January 28, 2015, the ACME protocol was first submitted to the IETF for standardization. On April 9, 2015, ISRG and the Linux Foundation announced their collaboration. The root and intermediate certificates were generated at the beginning of June. On June 16, the final launch schedule was announced: the first certificate was to be issued in the week of July 27, followed by a period of restricted issuance to test security and scalability. On August 7, the schedule was revised to first issuance in the week of September 7 and general availability in the week of November 16. On December 3, 2015, the project entered public beta and has been available to anyone interested since then.

On March 8, 2016, the project announced that more than one million certificates had been issued. A month and a half later the count passed two million, and another month and a half later five million. A significant part of this growth came from partnerships with web hosting providers such as WordPress.com (more than one million additional sites), which offer TLS encryption with Let's Encrypt certificates for hosted websites or migrated them on their own. According to measurements by the browser vendor Mozilla, the global share of encrypted websites rose from 39.5 to 45 percent between the start of operations and June 22, 2016.

On March 17, 2016, the project announced that it had joined the CA/Browser Forum, which regulates the use of X.509 v3 certificates for TLS.

On April 12, 2016, the project moved from public beta to regular operation.

Since March 13, 2018, Let's Encrypt has also offered so-called wildcard certificates, together with the ACME v2 API.

On February 27, 2020, Let's Encrypt issued its one billionth certificate. Shortly afterwards, Let's Encrypt had to revoke 3 million certificates because DNS Certification Authority Authorization (CAA) records had not been adequately checked when they were issued: a bug in Boulder re-checked CAA for only one of the names in an order containing several names instead of for each of them.
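The check that failed in the 2020 incident, as an added example that is not Boulder's code: a CA evaluating CAA (RFC 8659) climbs from the requested name toward the root until it finds a CAA record set, lets issuewild govern wildcard names when present, treats an unknown critical property as a refusal, and must repeat this for every name in an order rather than for one of them. The zone data is constructed for the example; CNAME following, DNSSEC and the 8-hour re-check window are left out, and the issuer domain "letsencrypt.org" is used only as an illustrative value.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ISSUER_CRITICAL = 128  # flags bit 7 (RFC 8659 §4.1)


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # issuer domain, optionally "; param=value", or just ";" meaning "no CA"


# Constructed zone data for the example (not real DNS). Keys are owner names.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "restricted.example.com": [CAA(0, "issue", ";")],
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", "other-ca.example")],
    "crit.example.com": [CAA(ISSUER_CRITICAL, "future-tag", "something")],
    "open.example": [CAA(0, "iodef", "mailto:abuse@open.example")],
}


def relevant_rrset(name: str, zone: dict) -> Optional[list[CAA]]:
    """RFC 8659 §3: strip a leading '*.', then climb label by label toward the root;
    the first CAA RRset found is the relevant one. None means no CAA anywhere."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def value_names_issuer(value: str, issuer: str) -> bool:
    """An issue/issuewild value is '<issuer-domain>[; params]'; an empty domain (';')
    authorizes no CA at all."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain != "" and domain == issuer.lower()


def caa_permits(name: str, issuer: str, zone: dict) -> bool:
    """May `issuer` issue for `name` under the CAA policy found in `zone`?"""
    rrset = relevant_rrset(name, zone)
    if rrset is None:
        return True  # no CAA in the chain: issuance is not restricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in known for r in rrset):
        return False  # unknown property flagged critical: MUST NOT issue
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # §4.3: for a wildcard name, issuewild governs if present; otherwise issue applies.
    governing = issuewild if (name.startswith("*.") and issuewild) else issue
    if not governing:
        return True  # CAA records exist, but none of them restrict issuance
    return any(value_names_issuer(r.value, issuer) for r in governing)


def check_order(names: list[str], issuer: str, zone: dict) -> dict[str, bool]:
    """Every identifier in an ACME order must pass CAA on its own; the order may only
    be fulfilled if all of them do. Checking one name several times is not enough."""
    return {n: caa_permits(n, issuer, zone) for n in names}


if __name__ == "__main__":
    order = ["www.example.com", "*.wild.example.com", "restricted.example.com"]
    for name, ok in check_order(order, "letsencrypt.org", ZONE).items():
        print(f"{name:28} {'permitted' if ok else 'FORBIDDEN'}")
```

Running the block shows that the same order is permitted for one name and forbidden for the others; a CA that evaluated only the first name would wrongly issue for all three.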
