EFF’s Let’s Encrypt Client Certbot Debuts in Beta

The Electronic Frontier Foundation (EFF) on Thursday announced Certbot, a Let’s Encrypt client designed to help websites encrypt their traffic.

EFF’s Certbot is available in beta for the time being, but it should reach a stable version before the end of this year, the Foundation said. The tool was built to obtain TLS/SSL certificates from open Certificate Authority (CA) Let’s Encrypt and to automatically configure HTTPS encryption on the website owner’s server.

Co-founded by EFF, Mozilla and researchers from the University of Michigan, Let’s Encrypt is an open CA that issued its first certificate in September last year, entered public beta in December, and shed the beta tag in April this year. The main idea behind this CA was to bring encryption to the entire Internet by offering free certificates to website owners.

Between December and March, Let’s Encrypt issued more than one million certificates, and EFF says that the number not tops three million. Although its free certificates have been already abused by cybercriminals, Let’s Encrypt has become one of the largest CAs in the world and has already inspired Amazon to offer free certificates to AWS customers.

Certbot, which has transitioned to becoming an EFF project, uses the Automated Certificate Management Environment (ACME) protocol to communicate with the CA, but is no longer the official ACME client for use with Let’s Encrypt. The software for the client remains open source, but it will no longer be hosted by ISRG, the parent organization of Let’s Encrypt, EFF explains.

Certbot also got a new website, complete with frequently asked questions, an interactive instruction tool, and info on how to support the project. Website owners can obtain the specific commands to have Certbot up and running in the easiest manner: by selecting their operating system and webserver.

The team behind Certbot has attempted to make the transition to the client’s new name as seamless as possible and ensure that packages installed from PyPI, letsencrypt-auto, and third party plugins would continue to work. EFF says that OS packages will begin using the Certbot name in the next few weeks and that the current client packages will automatically transition to Certbot on many systems, but will continue to support the letsencrypt command.

Certbot should continue to work as before, despite the new name and host: it will get certificates from Let’s Encrypt and automatically configure HTTPS on the owner’s webserver, EFF says. The client also offers the option to install certificates for a wide range of web server platforms, and can help admins get the security settings for their systems right.

Later this year, EFF says that it will attempt to help web developers with challenging tasks that make TLS deployment difficult. These include detection and mitigation of mixed content problems; detection of sites ready for an HSTS header and gradual deployment of the header; realtime mitigation against TLS vulnerabilities such as Heartbleed, BEAST, CRIME, Logjam, DROWN; and support for installing certificates and provide security improvements to popular email server software.