Clever Geek Handbook

Let's Encrypt

Let's Encrypt is a certificate authority (CA) that entered public beta on December 3, 2015 [3]. It issues free X.509 certificates for TLS encryption (HTTPS), and the issuance process is fully automated [4] [5].

Let's Encrypt
  • Headquarters: San Francisco, USA
  • Established: 2014
  • Products: X.509 certificate authority
  • Number of employees: 8 (2016) [2]
  • Website: letsencrypt.org


Goals

The Let's Encrypt project was created so that most websites can switch to encrypted connections (HTTPS). Unlike commercial certificate authorities, it requires no payment, no manual reconfiguration of the web server, no e-mail-based validation and no manual handling of certificate expiry, which makes setting up TLS considerably simpler [6]. For example, on a typical Linux-based web server two commands are enough to obtain and install a certificate and configure HTTPS, in roughly 20-30 seconds [7] [8].

A package with the client and its auto-configuration utilities is included in the official Debian repositories [9]. The browser vendors Mozilla and Google intend to phase out unencrypted HTTP by withholding new web platform features from http:// sites [10] [11]. Let's Encrypt therefore has the potential to move most of the web to encrypted connections [12].

Let's Encrypt issues certificates with a validity period of 90 days [13]; clients are expected to renew them automatically well before expiry. There are no plans to offer the higher-assurance Organization Validation (OV) and Extended Validation (EV) certificate types [14].

The project publishes extensive information about its operation in order to guard against attacks and attempts at manipulation [15]. A public log of issuance transactions is kept, and the protocol and software are open standards and open source [7].

On March 13, 2018 support for wildcard certificates (certificates of the form *.example.com that cover every direct subdomain of a name) was announced [16]; it had originally been scheduled for February 27, 2018 [17]. Wildcard certificates can only be obtained through the DNS-01 challenge, so the requester must control the domain's DNS records.

Members

The Let's Encrypt service is operated by the Internet Security Research Group (ISRG), a public-benefit organization.

The main sponsors of the project: Electronic Frontier Foundation (EFF), Mozilla Foundation , Akamai , Cisco Systems .

The project's partners are the certificate authority IdenTrust, the University of Michigan (UM) and the Linux Foundation [18]; Stephen Kent (Raytheon) and Alex Polvi (CoreOS) are also involved [7].

Technology

In June 2015 an RSA root certificate (ISRG Root X1) was created for the project; its private key is kept in a hardware security module that is not connected to any network [19]. The root signs two intermediate certificates [19], which are additionally cross-signed by IdenTrust [20]. One intermediate issues the end-entity certificates of sites; the other is kept offline as a backup in case of problems with the first [19]. Because IdenTrust's root is preinstalled as a trusted root in most operating systems and browsers, certificates issued by Let's Encrypt are verified and accepted by clients [21] even though the ISRG root was absent from their trust lists. For this to work the web server must send the cross-signed intermediate together with its own certificate, since clients hold only the root: a chain that leads to a root the client does not trust, or that omits the intermediate, is rejected by clients that do not fetch missing certificates themselves.
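How a client finds a path from a site certificate to a trusted root through the cross-signed intermediate, as an added example (not Boulder's, certbot's or any browser's code). Certificates are reduced to subject, issuer and key-identifier fields and signature checking is replaced by key-identifier matching, so it illustrates path building only, not cryptographic verification. The certificate names follow the real hierarchy described above (and the later inclusion of ISRG Root X1 in root programs); the key identifiers, the example.com leaf and the two trust-store scenarios are constructed:

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 certificate: who it names, who signed it, and
    the Subject/Authority Key Identifier values that tie the two together."""
    subject: str
    issuer: str
    subject_key_id: str
    authority_key_id: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.subject_key_id == self.authority_key_id


# Key identifiers are constructed placeholders; real ones are hashes of the public key.
ISRG_ROOT_KEY = "ski:isrg-root-x1"
DST_ROOT_KEY = "ski:dst-root-ca-x3"
LE_X3_KEY = "ski:lets-encrypt-authority-x3"
SITE_KEY = "ski:example.com"

# Trust anchors as they sat in client root stores.
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", ISRG_ROOT_KEY, ISRG_ROOT_KEY)
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", DST_ROOT_KEY, DST_ROOT_KEY)

# One intermediate key, two certificates for it: signed by ISRG's own root,
# and cross-signed by IdenTrust's already-trusted root.
LE_X3_FROM_ISRG = Cert("Let's Encrypt Authority X3", "ISRG Root X1", LE_X3_KEY, ISRG_ROOT_KEY)
LE_X3_CROSS = Cert("Let's Encrypt Authority X3", "DST Root CA X3", LE_X3_KEY, DST_ROOT_KEY)

# The end-entity certificate a web server presents (hypothetical site).
LEAF = Cert("example.com", "Let's Encrypt Authority X3", SITE_KEY, LE_X3_KEY)


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """Issuer-name and key-identifier match. A real client additionally verifies
    the signature with the issuer's public key; that step is abstracted away here."""
    return cert.issuer == issuer.subject and cert.authority_key_id == issuer.subject_key_id


def build_path(leaf: Cert, presented: Iterable[Cert], anchors: Iterable[Cert],
               max_depth: int = 5) -> Optional[List[Cert]]:
    """Find a chain leaf -> ... -> certificate signed by a trust anchor.

    `presented` are the extra certificates the server sent in the TLS handshake;
    `anchors` is the client's root store. Returns the chain (anchor excluded),
    or None when no path reaches a trusted root.
    """
    presented = list(presented)
    anchors = list(anchors)

    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        tail = chain[-1]
        if any(signed_by(tail, a) for a in anchors):
            return chain
        if len(chain) >= max_depth:
            return None
        for cand in presented:
            if cand in chain or cand.self_signed:
                continue  # no loops; self-signed certs only count as anchors
            if signed_by(tail, cand):
                found = walk(chain + [cand])
                if found:
                    return found
        return None

    return walk([leaf])


def trusted_root(chain: List[Cert], anchors: Iterable[Cert]) -> Optional[str]:
    """Name of the anchor that terminates an already-built chain."""
    for a in anchors:
        if signed_by(chain[-1], a):
            return a.subject
    return None


if __name__ == "__main__":
    # 2016: ISRG Root X1 not yet trusted; only the cross-signed intermediate reaches a root.
    old_store = [DST_ROOT_X3]
    print(build_path(LEAF, [LE_X3_CROSS], old_store))      # path via DST Root CA X3
    print(build_path(LEAF, [LE_X3_FROM_ISRG], old_store))  # None: ISRG root unknown
    print(build_path(LEAF, [], old_store))                 # None: intermediate missing
    # 2018: ISRG Root X1 in the store; either intermediate certificate works.
    new_store = [DST_ROOT_X3, ISRG_ROOT_X1]
    print(trusted_root(build_path(LEAF, [LE_X3_FROM_ISRG], new_store), new_store))
```

The second and third scenarios are the two misconfigurations seen in practice: serving the intermediate that chains to a root the client has not yet adopted, and serving no intermediate at all.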

In 2015 and early 2016 a root certificate with an ECDSA key was also planned; the date was later moved to 2018 [19] [22] [23].

Domain Validation Protocol

To issue a certificate to a site automatically, a challenge-response protocol called the Automatic Certificate Management Environment (ACME) is used. The ACME server makes a series of requests to the server that asked for the certificate in order to confirm control of the domain (domain validation). In the original design the ACME client set up a special TLS server that the ACME server probed using Server Name Indication (Domain Validation using Server Name Indication, DVSNI); that challenge type has since been retired, and the HTTP-01 challenge (a file served under /.well-known/acme-challenge/) and the DNS-01 challenge (a TXT record under _acme-challenge) are used instead.

Validation is performed repeatedly over different network paths: DNS records are queried from several geographically distributed locations to make DNS spoofing and route-hijacking attacks harder.

The ACME protocol exchanges JSON documents over HTTPS connections [24]. A draft of the protocol was published on GitHub [25] and submitted to the Internet Engineering Task Force (IETF) as an Internet-Draft on the Standards Track [26]; it was later published as RFC 8555.
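The challenge-response step in concrete terms, as an added example in Python that is neither certbot's nor Boulder's code. It computes the JWK thumbprint of the account key (RFC 7638), derives the key authorization an ACME client must publish for the HTTP-01 and DNS-01 challenges, and performs the CA-side check against what several vantage points observed, which is the multi-path validation described above. The account key, the challenge token and the observed responses are constructed stand-ins, and no network requests are made:

```python
import base64
import hashlib
import json
from typing import Iterable, Mapping


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: Mapping[str, str]) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Mapping[str, str]) -> str:
    """token '.' thumbprint(account key). Binding the token to the account means a
    third party who learns the token cannot answer the challenge with their own account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """Where the client must serve the key authorization over plain HTTP."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, account_jwk: Mapping[str, str]) -> str:
    """TXT record value at _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(token: str, account_jwk: Mapping[str, str],
                    body_by_vantage: Mapping[str, str]) -> bool:
    """CA side. Each vantage point fetched http://<domain>/.well-known/acme-challenge/<token>;
    every body must equal the key authorization (trailing whitespace ignored, per RFC 8555).
    Demanding agreement from all network paths defeats a hijack of any single path."""
    expected = key_authorization(token, account_jwk)
    return bool(body_by_vantage) and all(b.rstrip() == expected for b in body_by_vantage.values())


def validate_dns01(token: str, account_jwk: Mapping[str, str],
                   txt_by_vantage: Mapping[str, Iterable[str]]) -> bool:
    """CA side. A name may legitimately carry several TXT records, so one match per
    vantage point suffices, but every vantage point must see it."""
    expected = dns01_txt_value(token, account_jwk)
    return bool(txt_by_vantage) and all(expected in set(r) for r in txt_by_vantage.values())


# Constructed ACME account key: a JWK with placeholder numbers, not a real RSA key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",  # extra members do not affect the thumbprint
    "kid": "https://acme.example/acct/1",
}
TOKEN = "t0k3n-constructed-not-a-real-challenge_01"  # chosen by the CA; constructed here


def demo() -> dict:
    """Run both challenges end to end against simulated observations."""
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    http_ok = validate_http01(TOKEN, ACCOUNT_JWK,
                              {"primary": ka + "\n", "remote-eu": ka, "remote-us": ka})
    # One hijacked path serving an attacker's key authorization must fail validation.
    http_bad = validate_http01(TOKEN, ACCOUNT_JWK,
                               {"primary": ka, "remote-eu": TOKEN + ".attacker"})
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    dns_ok = validate_dns01(TOKEN, ACCOUNT_JWK, {"primary": ["v=spf1 -all", txt], "remote": [txt]})
    return {"key_authorization": ka, "txt": txt, "http_ok": http_ok,
            "http_bad": http_bad, "dns_ok": dns_ok}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HTTP-01 body is the key authorization itself, while the DNS-01 record carries its hash; that difference is why a wildcard name, which has no single web server to probe, can only be validated through DNS-01.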

Software Implementation

 
(Figure: the domain selection dialog of the certbot client)

The certificate authority runs Boulder, an ACME server written in Go (source available under the Mozilla Public License 2.0) [27]. The server exposes a RESTful protocol over a TLS-encrypted channel.

The ACME client, certbot (formerly letsencrypt), is licensed under the Apache License [28] and written in Python. It is installed on the target server and used to request a certificate, complete domain validation, install the certificate and configure HTTPS in the web server; afterwards it is used to renew the certificate regularly as it approaches expiry [7] [29]. Once installed and the terms accepted, a single command is enough to obtain a certificate. Additional options, such as HTTP Strict Transport Security (HSTS, forcing clients from HTTP to HTTPS), can be enabled [24]. Automatic HTTPS configuration was initially available for the Apache and nginx web servers.

History

The Let's Encrypt project was started in late 2012 by two Mozilla employees, Josh Aas and Eric Rescorla. The Internet Security Research Group was established in May 2013 to run the project. In June 2013 the Electronic Frontier Foundation and University of Michigan projects were merged into Let's Encrypt [30].

Let's Encrypt was publicly announced for the first time on November 18, 2014 [31].

On January 28, 2015 the ACME protocol was submitted to the IETF for adoption as an Internet standard [32].

On April 9, 2015 ISRG and the Linux Foundation announced their collaboration [18]. The root and intermediate certificates were created in early June [21].

On June 16, 2015 the launch plan was announced: the first end-entity certificates were to be issued at the end of July 2015 to test security and scalability, with general availability planned for mid-September 2015 [33]. On August 7, 2015 the schedule was revised and general availability postponed to mid-November [34].

Cross-signing of the intermediate certificates by IdenTrust was planned to coincide with general availability [20].

On September 14, 2015 the first end-entity certificate, for the domain helloworld.letsencrypt.org, was issued. On the same day ISRG submitted its root certificate for inclusion in the trust stores of Mozilla, Microsoft, Google and Apple [35].

On November 12, 2015 Let's Encrypt announced that the public beta would open on December 3, 2015 [3].

On April 12, 2016 the end of the beta period was announced [36].

On June 28, 2017 Let's Encrypt announced the issuance of its 100 millionth certificate [37].

On December 7, 2017 a public beta of wildcard certificates was announced to start on January 4, 2018, with the test period planned to end on February 27, 2018 [38].

On March 13, 2018 Let's Encrypt began issuing wildcard certificates, so anyone can now obtain a free SSL/TLS certificate of the form *.example.com [39] [40].

On August 6, 2018 Let's Encrypt announced that, since the end of July 2018, all major root programs, including those of Microsoft, Google, Apple, Mozilla, Oracle and Blackberry, trust its ISRG Root X1 root certificate directly [41] [42]. Older clients whose trust stores predate that inclusion continue to rely on the IdenTrust cross-signature.

See also

  • Electronic signature
  • Certification Authority
  • Self-signed certificate
  • Digital certificate

Notes

  1. https://letsencrypt.org/contact/
  2. https://letsencrypt.org/2016/09/20/what-it-costs-to-run-lets-encrypt.html
  3. Public Beta: December 3, 2015 (November 12, 2015).
  4. Kerner, Sean Michael. Let's Encrypt Effort Aims to Improve Internet Security. eWeek.com, Quinstreet Enterprise (November 18, 2014). Retrieved February 27, 2015.
  5. Eckersley, Peter. Launching in 2015: A Certificate Authority to Encrypt the Entire Web. Electronic Frontier Foundation (November 18, 2014). Retrieved February 27, 2015.
  6. Liam Tung (ZDNet), November 19, 2014: EFF, Mozilla to launch free one-click website encryption
  7. Fabian Scherschel (heise.de), November 19, 2014: Let's Encrypt: Mozilla und die EFF mischen den CA-Markt auf
  8. Rob Marvin (SD Times), November 19, 2014: EFF wants to make HTTPS the default protocol
  9. Details of the certbot package in stretch (Debian package page)
  10. Richard Barnes (Mozilla), April 30, 2015: Deprecating Non-Secure HTTP
  11. The Chromium Projects: Marking HTTP As Non-Secure
  12. Glyn Moody, November 25, 2014: The Coming War on Encryption, Tor, and VPNs - Time to stand up for your right to online privacy
  13. Let's Encrypt Documentation, Release 0.2.0.dev0. Let's Encrypt, December 18, 2015: "Let's Encrypt CA issues short lived certificates (90 days)"
  14. Steven J. Vaughan-Nichols (ZDNet), April 9, 2015: the web once and for all: The Let's Encrypt Project
  15. Zeljka Zorz (Help Net Security), July 6, 2015: Let's Encrypt CA releases transparency report before its first certificate
  16. ACME v2 and Wildcard Certificate Support is Live. Let's Encrypt Community Support. Retrieved March 16, 2018.
  17. Wildcard Certificates Coming January 2018
  18. Sean Michael Kerner (eweek.com), April 9, 2015: Let's Encrypt Becomes Linux Foundation Collaborative Project
  19. Aas, Josh. Let's Encrypt Root and Intermediate Certificates (June 4, 2015).
  20. Reiko Kaps (heise.de), June 17, 2015: SSL-Zertifizierungsstelle Lets Encrypt will Mitte September 2015 öffnen
  21. Reiko Kaps (heise.de), June 5, 2015: Let's Encrypt: Meilenstein zu kostenlosen SSL-Zertifikaten für alle
  22. Certificates. Let's Encrypt. Archived December 3, 2015.
  23. Certificates. Let's Encrypt. Archived October 9, 2017.
  24. Chris Brook (Threatpost), November 18, 2014: EFF, Others Plan to Make Encrypting the Web Easier in 2015
  25. Draft ACME specification.
  26. R. Barnes, P. Eckersley, S. Schoen, A. Halderman, J. Kasten. Automatic Certificate Management Environment (ACME), draft-barnes-acme-01 (January 28, 2015).
  27. boulder/LICENSE.txt at master, letsencrypt/boulder, GitHub
  28. letsencrypt/LICENSE.txt at master, letsencrypt/letsencrypt, GitHub
  29. James Sanders (TechRepublic), November 25, 2014: Let's Encrypt initiative to provide free encryption certificates
  30. Let's Encrypt | Boom swagger boom
  31. Joseph Tsidulko. Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode (November 18, 2014). Retrieved August 26, 2015.
  32. History for draft-barnes-acme
  33. Josh Aas. Let's Encrypt Launch Schedule. letsencrypt.org, Let's Encrypt (June 16, 2015). Retrieved June 19, 2015.
  34. Updated Let's Encrypt Launch Schedule (August 7, 2015).
  35. Michael Mimoso. First Let's Encrypt Free Certificate Goes Live. Threatpost.com, Kaspersky Labs. Retrieved September 16, 2015.
  36. Let's Encrypt Leaves Beta (dead link) (April 15, 2016). Retrieved January 25, 2018. Archived April 15, 2016.
  37. Milestone: 100 Million Certificates Issued. letsencrypt.org. Retrieved January 25, 2018.
  38. Looking Forward to 2018. letsencrypt.org. Retrieved January 25, 2018.
  39. ACME v2 and Wildcard Certificate Support is Live. Let's Encrypt Community Support. Retrieved June 28, 2018.
  40. Let's Encrypt began issuing wildcard certificates (in Russian). Retrieved June 28, 2018.
  41. Let's Encrypt Root Trusted By All Major Root Programs
  42. Let's Encrypt is now trusted by all major root programs

Literature

  • Richard Barnes, Jacob Hoffman-Andrews, James Kasten, Automatic Certificate Management Environment (ACME) // IETF , Active Internet-Drafts, July 21, 2015

Links

  • letsencrypt.org - official website of Let's Encrypt
  • Let's Encrypt Projects on GitHub
  • Seth Schoen's Libre Planet 2015 lecture on Let's Encrypt
  • Technical introduction , David Wong
  • pde's talk on Let's Encrypt , CCCamp 2015
  • List of certificates issued by Let's Encrypt
Source - https://ru.wikipedia.org/w/index.php?title=Let's_Encrypt&oldid=97604718


Clever Geek | 2019