From the site linked to above:

With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

Good move. But this may put many cheap HTTPS certificate issuers out of business. The advanced certificats that verify company existance will still have the edge.

This can only be a good move..

But this may put many cheap HTTPS certificate issuers out of business.

Given that the same basic cheap SSL cert can vary in price from $49.00 to $4.99 per year ( same cert authority, exactly the same cert ) depending on if one buys the cert independently $4.99, or if one's host insists upon it ( bought from them at $49.99 ) in order to give one a dedicated IP ( using IPv4 )..

One of my domain registrants ( French ) gives a basic cert with each domain name ..and one of my French hosters offers a dedicated IP free providing one has a cert..

They also offer IPv6 at no extra charge, as does my ISP.

My previous hosters ( USA ) asked for $2.00 per month for each dedicated IP..and $49.00 per cert in order to have the dedicated IP..and IPv6 was ( and still is ) out of the question from them..Very big well known hosts both of them..

Basic certs have been used as a racket for far too long, and "wildcard certs" and certs that can be used on shared hosting are also used as a license to print money by some hosts and cert authorities..

The result has been far too many unsecured connections due to unjustifiable price gouging..

I've just sent this link to my host, his response will be interesting since i know he was working on "something".

Misguided efforts.

What does this really accomplish? How much hacking is going on due to unencrypted connections? None that I've ever heard of. Hackers aren't generally listening in on live communications. They hack websites via unsecure code and steal data. That's a big problem. Encrypting communciations is a small to miniscule problem.

If they want free encryption, then all the browsers need to do is quit checking for authorized cert providers. Pretty much anyone can already generate their own free certificates (any linux server can do this) - free isn't the problem. the certificate generator not being recognized by browsers is the problem.

And further, don't confuse encrypted (SSL cert) with secure. With SSL, the connection between point A and point B is secure, but if the machine on either end is hacked, then SSL makes absolutely no difference at all.

How much hacking is going on due to unencrypted connections?

Who mentioned hacking ?..no-one..until you did..

It is about secure ( from snooping )private communications..and trust..and preventing ( as much as one can ) "site spoofing"..

The only "losers" if this goes ahead..are those who are gouging, selling basic SSL certs..

And further, don't confuse encrypted (SSL cert) with secure. With SSL, the connection between point A and point B is secure, but if the machine on either end is hacked, then SSL makes absolutely no difference at all.

That is like saying you shouldn't wear seat belts or use airbags because you might get T-Boned deliberately at any moment while driving your car..

That is like saying you shouldn't wear seat belts or use airbags because you might get T-Boned deliberately at any moment while driving your car..

Uh, no it's not. Nobody is hacking data during transmission. Or so few that it's effectively 'nobody'.

Who mentioned hacking ?..no-one..until you did..

The OP mentions 'secure' protocols. If its not secure from hacking, then what? Snooping? Again, nobody's snooping this traffic other than gov't agencies.

If everyone used HTTPS, it would do exactly nothing in terms of practical security measures for consumers. Nothing. SSL certs protect an area that's not an issue to start with.

The only "losers" if this goes ahead..are those who are gouging, selling basic SSL certs..

The problem isn't those selling certs. You know you can already create your own certs for free, right? And those certs are every bit as encrypted as the paid ones. So why don't you use those?

And the answer is...because the orgs creating the browsers have an approved list of certificate signing authorities. If you're not on that list, then browsers will error message your certificates. That's why you can't have free certs - because the browsers will scream at your visitors if you do so.

So if this consortium wanted to actually 'encrypt the web', all they have to do is remove the list of signing authorities from their browsers, and accept anyone's certificates - that we could now easily generate for free.

And in fact, I do use self-signed certificates in my business - for internal use. The browsers complain, and we override the complaint. No security issues at all.

So why are they not doing that? I don't know, and don't care - but it's interesting when you look at the members of this consortium looking to 'encrypt' the web...while it seems also still controlling certificate signing.

How much hacking is going on due to unencrypted connections?

I don't know that anyone has quantified how often it happens, but there are people specifically skimming public wifi (coffee shops, airports, etc) with bad intent.

I agree that it's not the main problem, but it is a problem.

it's interesting when you look at the members of this consortium looking to 'encrypt' the web.

I suspect Akamai and CISCO understand that it will drive more network use, and thus sales. HTTPS "everywhere" would invalidate a ton of end-user shared caches that corporations and even some ISP's (search for "Google Global Cache") leverage.

I'm more curious about Google's motivation for moving the entire web to HTTPS. My best guess is that that it's related to the "Google Global Cache", where Google certs+content are served locally. That means the move doesn't affect them much in terms of response times, costs, etc. But, it may hurt their competitors, since they don't have a similar solution. Or maybe they are still pissed about the NSA successfully doing a MITM attack on their datacenter.

Affordable SSL certs should have been a goal prior to encrypting the web if that's really what they want to do. But if user safety and privacy is a major concern, why can't we just have an on/off switch to easily kill Google's many data logging products and services? Everywhere I go I see all kinds of Google API calls, which in my opinion is more of a threat to my privacy than seeing what the weather will be like tomorrow on a https website.

But if user safety and privacy is a major concern, why can't we just have an on/off switch to easily kill Google's many data logging products and services?

I think that's probably beyond the purview of EFF, Mozilla, Cisco, and Akamai. :-)

I think that's probably beyond the purview of EFF...

[eff.org...]

Price of SSL certs is not the problem. Problem is 1, price of a new IP. 2, Cost of changing ip on a server and moving website from http to https. These are not simple one click stuff.

Smaller sites will never move to https in the current environment is my prediction. And btw, it's all about the US mass surveillance.

SSL cert ownership is vetted and owners scrutinised, resulting in certificated authenticity.

Giving away free certs undermines all of that!

This is like telling the public to use a paper shredder to protect their identity. It makes them feel good while the big guys do, take, spy on whatever they want. I guess a false sense of security is better than none.

Nobody is hacking data during transmission. Or so few that it's effectively 'nobody'.

Comcast is using javascript to inject cute little ads into pages served by their mobile hotspots. Interstitial ads on everyone's content from all ISP's can't be far behind.

The big problem with SSL certificates is that you can't use them on hosting with shared IPs. I.e. small sites on shared hosting or sites using the cloud won't be able to switch to SSL, even if the certificates are given away for free.

It is not a flaw in the certificates themselves, but a design flaw in the SSL protocol which first negotiates about the certificate, and only after the encrypted connection is established sends the HTTP request headers with the domain name. If the first contact would have been unencrypted and the Host header was sent to the server over that unencrypted connection, the server would have had the possibility to select the correct certificate for the request, even on a shared IP address. FTP and SMTP encryption use this route where encryption can be switched on during the communication process on the fly.

The only option to have one IP with multiple HTTPS domains on one IP is using a wildcard certificate. I use a *.example.com wildcard on one of my domains and it switches in the <VirtualHost> section between the sites with a RewriteMap. Installing a *.com certificate would make it possible to have all .com sites with SSL on a server on one IP address, but certification authorities are certainly not willing to issue such a certificate to us and self-signing a *.com certificate will give error messages in all browsers.

You can use SNI [en.wikipedia.org ] to bypass the shared IP problem. All modern browsers can handle SNI. The major problem is IE on Windows XP.