用户:Ignotus-CN/沙盒/Let's Encrypt

Let's Encrypt
成立时间2014年 (2014)
创始人电子前哨基金会
Mozilla基金会
密歇根大学
总部美国加利福尼亚州旧金山
服务X.509数字证书认证机构
上级组织
互联网安全研究小组英语Internet Security Research Group
网站letsencrypt.org

Let's Encrypt is a certificate authority that launched on April 12, 2016[1][2] that provides free X.509 certificates for Transport Layer Security encryption (TLS) via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation and renewal of certificates for secure websites.[3][4]

Overview

The project aims to make encrypted connections to World Wide Web servers ubiquitous.[5] By getting rid of payment, web server configuration, validation emails and dealing with expired certificates it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.[6] On a Linux web server, execution of only two commands is sufficient to set up HTTPS encryption and acquire and install certificates within 20 to 30 seconds.[7][8]

To that end, a software package was included into the official Debian software repositories.[9][10] Current initiatives of major browser developers such as Mozilla and Google to deprecate unencrypted HTTP are counting on the availability of Let's Encrypt.[11][12] The project is acknowledged to have the potential to accomplish encrypted connections as the default case for the entire web.[13]

Only domain-validated certificates are being issued. Organization Validation and Extended Validation Certificates will not be offered.[14]

By being as transparent as possible, they hope to both protect their own trustworthiness and guard against attacks and manipulation attempts. For that purpose they regularly publish transparency reports,[15] publicly log all ACME transactions (e.g. by using Certificate Transparency), and use open standards and free software as much as possible.[7]

There is currently no plan to support wildcard certificates, though it has not been ruled out either. The reason given for the lack of support is that the ease of getting non-wildcard Let's Encrypt certificates issued makes wildcard certificates unnecessary,[16] though some users have opined that there are still use cases where wildcard certificates are easier to use or even technically necessary.[17]

Involved parties

Let's Encrypt is a service provided by the Internet Security Research Group (ISRG), a public benefit organization. Major sponsors are the Electronic Frontier Foundation (EFF), the Mozilla Foundation, Akamai, and Cisco Systems. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), the Stanford Law School, the Linux Foundation[18] as well as Stephen Kent from Raytheon/BBN Technologies and Alex Polvi from CoreOS.[7]

Technical Advisory Board

Technology

In June 2015, Let's Encrypt generated an RSA root certificate that is stored on a hardware security module which is kept offline.[19] The root certificate is used to sign two intermediate certificates[19] which are cross-signed by the certificate authority IdenTrust.[20][21] One of the intermediate certificates is used to sign issued certificates, while the other is kept offline as a backup in case of problems with the first intermediate certificate.[19] Because the IdenTrust certificate is preinstalled in major web browsers, Let's Encrypt certificates can normally be validated and are accepted out of the box right from the start,[22] even while no browser vendors include the ISRG root certificate as a trust anchor.

The Let's Encrypt developers planned to generate an ECDSA root certificate as well later in 2015,[19] which was pushed back to early 2016.[23][24]

Protocol

The challenge–response protocol used to automate enrolling with this new certificate authority is called Automated Certificate Management Environment (ACME). It involves various requests to the web server on the domain that is covered by the certificate. Based on whether the resulting responses match the expectations, control of the enrollee over the domain is assured (domain validation). In order to do that, the ACME client software sets up a special TLS server on the server system that gets queried by the ACME certificate authority server with special requests using Server Name Indication (Domain Validation using Server Name Indication, DVSNI).

The validation processes are run multiple times over separate network paths. Checking DNS entries is provisioned to be done from multiple geographically diverse locations to make DNS spoofing attacks harder to do.

ACME interactions are based on exchanging JSON documents over HTTPS connections.[25] A draft specification is available on GitHub,[26] and a version has been submitted to the Internet Engineering Task Force (IETF) as a proposal for an Internet standard.[27]

Software implementation

 
Domain selection dialogue

The certificate authority consists of a piece of software called Boulder, written in Go, that implements the server side of the ACME protocol. It is published as free software with source code under the terms of version 2 of the Mozilla Public License (MPL).[28] It provides a RESTful API that can be accessed over a TLS-encrypted channel.

An Apache-licensed[29] Python certificate management program called letsencrypt gets installed on the client side (the web server of an enrollee). This is used to order the certificate, to conduct the domain validation process, to install the certificate, to configure the HTTPS encryption in the HTTP server, and later to regularly renew the certificate.[7][30] After installation and agreeing to the user license, executing a single command is enough to get a valid certificate installed. Additional options like OCSP stapling or HTTP Strict Transport Security (HSTS) can also be enabled.[25] Automatic setup initially only works with Apache and nginx.

History and schedule

The Let's Encrypt project was started in 2012 by two Mozilla employees, Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan. Internet Security Research Group, the company behind Let's Encrypt, was incorporated in May 2013.[31]

Let's Encrypt was announced publicly on November 18, 2014.[32]

On January 28, 2015, the ACME protocol was officially submitted to the IETF for standardisation.[33] On April 9, 2015, the ISRG and the Linux Foundation declared their collaboration.[18] The root and intermediate certificates were generated in the beginning of June.[22] On June 16, 2015, the final launch schedule for the service was announced, with the first certificate expected to be issued sometime in the week of July 27, 2015, followed by a limited issuance period to test security and scalability. General availability of the service was originally planned to begin sometime in the week of September 14, 2015.[34] On August 7, 2015, the launch schedule was amended to provide more time for ensuring system security and stability, with the first certificate to be issued in the week of September 7, 2015 followed by general availability in the week of November 16, 2015.[35] The cross-signature from IdenTrust is planned to be available when Let's Encrypt opens for the public.[21]

On September 14, 2015, Let's Encrypt issued its first certificate, which was for the domain helloworld.letsencrypt.org. On the same day, ISRG submitted its root program applications to Mozilla, Microsoft, Google and Apple.[36]

On October 19, 2015, the intermediate certificates became cross-signed by IdenTrust, causing all certificates issued by Let's Encrypt to be trusted by all major browsers.[20]

On November 12, 2015, Let's Encrypt announced that general availability would be pushed back and that the first public beta will commence on December 3, 2015.[37]

On December 3, 2015, Let's Encrypt announced commencement of the public beta.[38]

On March 8, 2016, Let's Encrypt issued its millionth certificate after seven months of existence.[39] 44 days later, on April 21, 2016, they had issued over 2,000,000 certificates.[40]

On April 12, 2016, Let's Encrypt left Beta.[41]

Further reading

References

  1. ^ Josh Aas, ISRG Executive Director. Leaving Beta, New Sponsors. EFF. [April 12, 2016]. 
  2. ^ Catalin Cimpanu. Let's Encrypt Launched Today, Currently Protects 3.8 Million Domains. Softpedia News. [April 12, 2016]. 
  3. ^ Kerner, Sean Michael. Let's Encrypt Effort Aims to Improve Internet Security. eWeek.com. Quinstreet Enterprise. November 18, 2014 [February 27, 2015]. 
  4. ^ Eckersley, Peter. Launching in 2015: A Certificate Authority to Encrypt the Entire Web. Electronic Frontier Foundation. November 18, 2014 [February 27, 2015]. 
  5. ^ Technology - Let's Encrypt - Free SSL/TLS Certificates. Let's Encrypt. [January 6, 2016]. 
  6. ^ Liam Tung (ZDNet), November 19, 2014: EFF, Mozilla to launch free one-click website encryption
  7. ^ 7.0 7.1 7.2 7.3 Fabian Scherschel (heise.de), November 19, 2014: Let's Encrypt: Mozilla und die EFF mischen den CA-Markt auf
  8. ^ Rob Marvin (SD Times), November 19, 2014: EFF wants to make HTTPS the default protocol
  9. ^ ITP: letsencrypt – Let's Encrypt client that can update Apache configurations
  10. ^ https://tracker.debian.org/pkg/python-letsencrypt
  11. ^ Richard Barnes (Mozilla), April 30, 2015: Deprecating Non-Secure HTTP
  12. ^ The Chromium Projects – Marking HTTP As Non-Secure
  13. ^ Glyn Moody, November 25, 2014: The Coming War on Encryption, Tor, and VPNs – Time to stand up for your right to online privacy
  14. ^ Steven J. Vaughan-Nichols (ZDNet), April 9, 2015: the web once and for all: The Let's Encrypt Project
  15. ^ Zeljka Zorz (Help Net Security), July 6, 2015: Let's Encrypt CA releases transparency report before its first certificate
  16. ^ Frequently Asked Questions (FAQ) - Documentation - Let's Encrypt Community Support. Let's Encrypt. August 13, 2015 [January 6, 2016]. 
  17. ^ Please support wildcard certificates - Issuance Policy - Let's Encrypt Community Support. Let's Encrypt. [January 6, 2016]. 
  18. ^ 18.0 18.1 Sean Michael Kerner (eweek.com), April 9, 2015: Let's Encrypt Becomes Linux Foundation Collaborative Project
  19. ^ 19.0 19.1 19.2 19.3 Aas, Josh. Let's Encrypt Root and Intermediate Certificates. June 4, 2015. 
  20. ^ 20.0 20.1 Aas, Josh. Let's Encrypt is Trusted. October 19, 2015. 
  21. ^ 21.0 21.1 Reiko Kaps (heise.de), June 17, 2015: SSL-Zertifizierungsstelle Lets Encrypt will Mitte September 2015 öffnen
  22. ^ 22.0 22.1 Reiko Kaps (heise.de), June 5, 2015: Let's Encrypt: Meilenstein zu kostenlosen SSL-Zertifikaten für alle
  23. ^ Certificates. (原始内容存档于December 3, 2015). 
  24. ^ Aas, Josh. Elliptic Curve Cryptography (ECC) Support. August 13, 2015. (原始内容存档于December 12, 2015). 
  25. ^ 25.0 25.1 Chris Brook (Threatpost), November 18, 2014: EFF, Others Plan to Make Encrypting the Web Easier in 2015
  26. ^ Draft ACME specification. 
  27. ^ R. Barnes, P. Eckersley, S. Schoen, A. Halderman, J. Kasten. Automatic Certificate Management Environment (ACME) draft-barnes-acme-01. January 28, 2015. 
  28. ^ letsencrypt. boulder/LICENSE.txt at master · letsencrypt/boulder · GitHub. Github.com. [January 6, 2016]. 
  29. ^ letsencrypt. letsencrypt/LICENSE.txt at master · letsencrypt/letsencrypt · GitHub. Github.com. November 23, 2015 [January 6, 2016]. 
  30. ^ James Sanders (TechRepublic), November 25, 2014: Let's Encrypt initiative to provide free encryption certificates
  31. ^ Aas, Josh. Let’s Encrypt | Boom Swagger Boom. Boomswaggerboom.wordpress.com. November 18, 2014 [January 6, 2016]. 
  32. ^ Joseph Tsidulko. Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode. crn.com. November 18, 2014 [August 26, 2015] (英语). 
  33. ^ History for draft-barnes-acme
  34. ^ Josh Aas. Let's Encrypt Launch Schedule. letsencrypt.org. Let's Encrypt. June 16, 2015 [June 19, 2015]. 
  35. ^ Updated Let's Encrypt Launch Schedule. August 7, 2015. 
  36. ^ Michael Mimoso. First Let’s Encrypt Free Certificate Goes Live. Threatpost.com, Kaspersky Labs. [September 16, 2015]. 
  37. ^ Public Beta: December 3, 2015. November 12, 2015. 
  38. ^ Entering Public Beta - Let's Encrypt - Free SSL/TLS Certificates. Let's Encrypt. December 3, 2015 [January 6, 2016]. 
  39. ^ Aas, Josh. Our Millionth Certificate - Let's Encrypt - Free SSL/TLS Certificates. letsencrypt.org. March 8, 2016 [March 15, 2016]. 
  40. ^ https://www.eff.org/deeplinks/2016/04/lets-encrypt-reaches-2000000-certificates
  41. ^ Let's Encrypt Leaves Beta. LinuxFoundation.org. [17 April 2016].