Let's Encrypt goes public beta: HTTPS everywhere, for everyone, free now and forever
Let's Encrypt is a non-profit initiative that provides a free, automated and open CA (certificate authority), created by ISRG for the benefit of society:
- free of charge: the owner of any domain name can use Let's Encrypt and get a trusted (read as “recognized by any modern browser”) TLS certificate (TLS is the successor to SSL) completely free of charge;
- automated: Let's Encrypt provides free (gratis and libre) client software which, once set up on a web server, can request free Let's Encrypt certificates, configure them and renew them fully automatically;
- secure: Let's Encrypt is built as a platform for promoting TLS security best practices both on the certificate authority (CA) side and on the website side, helping administrators configure their web servers properly;
- transparent: information on the issuance and revocation of every Let's Encrypt certificate is openly and publicly available, so that anyone who wants to examine it can do so;
- open: the protocols for interacting with the CA, which automate the issuance and renewal of certificates, will be published as an open standard so that they can be implemented as widely as possible;
- cooperative: like any protocol that underlies the Internet and the World Wide Web, Let's Encrypt is a joint, non-profit project created exclusively to benefit society.
Let's Encrypt goes into open beta today, December 3, 2015. Public beta means that all Let's Encrypt systems are available to anyone who would like to obtain a certificate. You no longer need to sign up and wait for an invitation.
Closed beta testing of Let's Encrypt began on September 12, 2015. Since then more than 11 thousand certificates have been issued, and this experience has given Let's Encrypt the confidence that all systems are ready for public beta.
For the World Wide Web, it is finally time to take a big step towards security, privacy and encryption. Let's Encrypt was created to make HTTPS the default, and to achieve this goal the new CA is designed to make obtaining, renewing, revoking and managing certificates as simple as possible.
Let's Encrypt still has a lot of work to do before the “beta” label can be dropped entirely, particularly in the area of user experience. The emphasis is on automation, so a lot of effort will go into making the client work flawlessly on a wide range of platforms. To that end, Let's Encrypt will closely monitor user feedback, study it and make the necessary improvements as quickly as possible.
Let's Encrypt depends on support from a wide variety of organizations and individuals. Please consider getting involved, and if your company or organization wishes to help, you can write here.
Why are certificate lifetimes only 90 days?
This question has been raised repeatedly: yes, Let's Encrypt issues certificates with a lifetime of 90 days; people asking this question are usually convinced that 90 days is too short and that it would be nice if Let's Encrypt issued certificates that live a year or more, as some other CAs do.
90-day certificates are nothing new for the World Wide Web. According to Firefox telemetry, 29% of all TLS transactions use 90-day certificates, and no other lifetime accounts for a larger share of transactions. Let's Encrypt's point of view is that short certificate lifetimes have two main advantages:
- limiting damage from compromised keys and incorrectly issued certificates, since they are used for a shorter period of time;
- short-lived certificates support and encourage automation, which is absolutely essential for the ease of use of HTTPS. If we are going to migrate the entire World Wide Web to HTTPS, we cannot expect the administrator of every existing site to renew certificates by hand. Once the issuance and renewal of certificates is fully automated, shorter certificate lifetimes will, on the contrary, become more convenient and practical.
For these reasons, Let's Encrypt does not offer certificates with long lifetimes. At the same time, it is clear that the Let's Encrypt service is still young and that automated certificate management is new to the vast majority of subscribers, so the 90-day lifetime was chosen because it still leaves enough time for comfortable manual renewal (Let's Encrypt recommends that its subscribers renew their certificates every 60 days) if that is necessary for any reason. However, as soon as automatic certificate renewal software is widely deployed and has proven its reliability and stability, Let's Encrypt plans to reduce the maximum lifetime even further.
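The 60-day renewal point within a 90-day lifetime can be checked mechanically. The following is an added example, not code from Let's Encrypt or its client: it parses the notBefore/notAfter lines printed by `openssl x509 -noout -dates` and reports whether a certificate is due for renewal. The function names and the sample dates are constructed for this example; the 60- and 90-day constants are the article's figures.

```python
import ssl

DAY = 86400
RENEW_AFTER_DAYS = 60    # renewal point recommended in the article
EXPECTED_LIFETIME = 90   # Let's Encrypt certificate lifetime, in days

# Constructed sample: output of `openssl x509 -noout -dates` for a 90-day certificate.
SAMPLE_DATES = """notBefore=Dec  3 00:00:00 2015 GMT
notAfter=Mar  2 00:00:00 2016 GMT"""


def to_epoch(cert_time):
    """Convert an X.509 time such as 'Dec  3 00:00:00 2015 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def parse_dates(openssl_output):
    """Return (not_before, not_after) in epoch seconds from the -dates output."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = to_epoch(value)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore= and notAfter= lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def renewal_status(openssl_output, now):
    """Classify a certificate as ok / renew / expired / not-yet-valid at time `now`."""
    not_before, not_after = parse_dates(openssl_output)
    age_days = (now - not_before) / DAY
    if now >= not_after:
        state = "expired"
    elif now < not_before:
        state = "not-yet-valid"
    elif age_days >= RENEW_AFTER_DAYS:
        state = "renew"
    else:
        state = "ok"
    return {
        "state": state,
        "days_left": (not_after - now) // DAY,
        # Longer-lived certificates widen the exposure window the article describes.
        "long_lived": (not_after - not_before) / DAY > EXPECTED_LIFETIME,
    }
```

Calling `renewal_status(SAMPLE_DATES, time.time())` from a scheduled job gives a monitoring signal that is independent of whichever client performs the renewal.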