Securing a website's domain just got easier. The Electronic Frontier Foundation (EFF) announced today that the certificate authority Let’s Encrypt has issued one million certificates, which let domains move from HTTP to HTTPS and make them more secure.
“Let’s Encrypt is a key piece of the puzzle that could let us build a web where sites are secure by default,” EFF Technology Projects Director Peter Eckersley tells Inverse.
Because a single certificate can cover multiple domain names, Let’s Encrypt’s million certificates cover 2.5 million domain names. It has reached over 90 percent of the domains that were previously unable to offer valid HTTPS, according to the EFF.
The service issued its first certificate in September 2015, reached 250,000 certificates on January 4, and 500,000 on February 3.
HTTP domains are extremely vulnerable, which is a huge obstacle for those trying to create a secure and open internet. Currently, these unprotected sites make up the majority of the internet, approximately 58 percent according to Eckersley. While some web browsers like Google Chrome and Firefox have begun notifying users when they are on an unencrypted, insecure domain, HTTP is the default protocol whenever a new domain is created. This is a problem when owners want to protect their sites and their visitors from threats such as identity theft and email hacks.
“In some cases, ISPs have even gone so far as to modify pages to inject their own ads and tracking code into insecure HTTP pages,” says Eckersley.
A secure domain can put a stop to many of these problems. However, converting to HTTPS is an error-prone process that often takes over an hour for system administrators to ensure the domain is fully secure. The website administrator must also buy a digital certificate from a certificate authority. Cheaper certificates are around $20 to $70 per year, which can add up if you’re hosting multiple domains.
Let’s Encrypt is free and reduces the process to a couple of steps. It does a background check using a protocol called Automated Certificate Management Environment (ACME) to confirm that the web server truly controls the domain that’s being converted. If it’s an authorized match, then Let’s Encrypt will automatically install the secure digital certificate for the system administrator so no errors are introduced during the switch.
They have also developed a second piece of software that domain owners can download to request and install digital certificates from Let’s Encrypt. The product will be renamed and reissued in the next couple of months, says Eckersley.
Let’s Encrypt is free and open to anyone with a domain name. Development started three years ago, but the beta client has only been made public for a little over three months. Eckersley believes there is still much more work to do to achieve a secure internet, but issuing a million certificates in such a short amount of time shows progress, he says.
“For Internet users, this means there’s a better chance that each site you go to will be using encryption, and using it correctly,” says Eckersley.
Photos via Sylwia Bartyzel