Security Experts:

Connect with us

Hi, what are you looking for?


Security Architecture

EFF’s Let’s Encrypt Client Certbot Debuts in Beta

The Electronic Frontier Foundation (EFF) on Thursday announced Certbot, a Let’s Encrypt client designed to help websites encrypt their traffic.

The Electronic Frontier Foundation (EFF) on Thursday announced Certbot, a Let’s Encrypt client designed to help websites encrypt their traffic.

EFF’s Certbot is available in beta for the time being, but it should reach a stable version before the end of this year, the Foundation said. The tool was built to obtain TLS/SSL certificates from open Certificate Authority (CA) Let’s Encrypt and to automatically configure HTTPS encryption on the website owner’s server.

Co-founded by EFF, Mozilla and researchers from the University of Michigan, Let’s Encrypt is an open CA that issued its first certificate in September last year, entered public beta in December, and shed the beta tag in April this year. The main idea behind this CA was to bring encryption to the entire Internet by offering free certificates to website owners.

Between December and March, Let’s Encrypt issued more than one million certificates, and EFF says that the number not tops three million. Although its free certificates have been already abused by cybercriminals, Let’s Encrypt has become one of the largest CAs in the world and has already inspired Amazon to offer free certificates to AWS customers.

Certbot, which has transitioned to becoming an EFF project, uses the Automated Certificate Management Environment (ACME) protocol to communicate with the CA, but is no longer the official ACME client for use with Let’s Encrypt. The software for the client remains open source, but it will no longer be hosted by ISRG, the parent organization of Let’s Encrypt, EFF explains.

Certbot also got a new website, complete with frequently asked questions, an interactive instruction tool, and info on how to support the project. Website owners can obtain the specific commands to have Certbot up and running in the easiest manner: by selecting their operating system and webserver.

The team behind Certbot has attempted to make the transition to the client’s new name as seamless as possible and ensure that packages installed from PyPI, letsencrypt-auto, and third party plugins would continue to work. EFF says that OS packages will begin using the Certbot name in the next few weeks and that the current client packages will automatically transition to Certbot on many systems, but will continue to support the letsencrypt command.

Certbot should continue to work as before, despite the new name and host: it will get certificates from Let’s Encrypt and automatically configure HTTPS on the owner’s webserver, EFF says. The client also offers the option to install certificates for a wide range of web server platforms, and can help admins get the security settings for their systems right.

Later this year, EFF says that it will attempt to help web developers with challenging tasks that make TLS deployment difficult. These include detection and mitigation of mixed content problems; detection of sites ready for an HSTS header and gradual deployment of the header; realtime mitigation against TLS vulnerabilities such as Heartbleed, BEAST, CRIME, Logjam, DROWN; and support for installing certificates and provide security improvements to popular email server software.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Security Architecture

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...