Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Architecture

EFF’s Let’s Encrypt Client Certbot Debuts in Beta

The Electronic Frontier Foundation (EFF) on Thursday announced Certbot, a Let’s Encrypt client designed to help websites encrypt their traffic.

The Electronic Frontier Foundation (EFF) on Thursday announced Certbot, a Let’s Encrypt client designed to help websites encrypt their traffic.

EFF’s Certbot is available in beta for the time being, but it should reach a stable version before the end of this year, the Foundation said. The tool was built to obtain TLS/SSL certificates from open Certificate Authority (CA) Let’s Encrypt and to automatically configure HTTPS encryption on the website owner’s server.

Co-founded by EFF, Mozilla and researchers from the University of Michigan, Let’s Encrypt is an open CA that issued its first certificate in September last year, entered public beta in December, and shed the beta tag in April this year. The main idea behind this CA was to bring encryption to the entire Internet by offering free certificates to website owners.

Between December and March, Let’s Encrypt issued more than one million certificates, and EFF says that the number not tops three million. Although its free certificates have been already abused by cybercriminals, Let’s Encrypt has become one of the largest CAs in the world and has already inspired Amazon to offer free certificates to AWS customers.

Certbot, which has transitioned to becoming an EFF project, uses the Automated Certificate Management Environment (ACME) protocol to communicate with the CA, but is no longer the official ACME client for use with Let’s Encrypt. The software for the client remains open source, but it will no longer be hosted by ISRG, the parent organization of Let’s Encrypt, EFF explains.

Certbot also got a new website, complete with frequently asked questions, an interactive instruction tool, and info on how to support the project. Website owners can obtain the specific commands to have Certbot up and running in the easiest manner: by selecting their operating system and webserver.

The team behind Certbot has attempted to make the transition to the client’s new name as seamless as possible and ensure that packages installed from PyPI, letsencrypt-auto, and third party plugins would continue to work. EFF says that OS packages will begin using the Certbot name in the next few weeks and that the current client packages will automatically transition to Certbot on many systems, but will continue to support the letsencrypt command.

Certbot should continue to work as before, despite the new name and host: it will get certificates from Let’s Encrypt and automatically configure HTTPS on the owner’s webserver, EFF says. The client also offers the option to install certificates for a wide range of web server platforms, and can help admins get the security settings for their systems right.

Later this year, EFF says that it will attempt to help web developers with challenging tasks that make TLS deployment difficult. These include detection and mitigation of mixed content problems; detection of sites ready for an HSTS header and gradual deployment of the header; realtime mitigation against TLS vulnerabilities such as Heartbleed, BEAST, CRIME, Logjam, DROWN; and support for installing certificates and provide security improvements to popular email server software.

Written By

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Endpoint Security

Apple has launched a new security research blog and website, which will also be the new home of the company’s bug bounty program.

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...

ICS/OT

The White House announced on Wednesday that the Industrial Control Systems (ICS) Cybersecurity Initiative has been expanded to include the chemical sector.