September 28, 2022
We don’t often write obituaries on Naked Security, but this is one of the times we’re going to.

You might not have heard of Peter Eckersley, PhD, but it’s very likely that you’ve relied on a cybersecurity innovation that he not only helped to found, but also to build and establish across the globe.

In fact, if you’re reading this article right on the site where it was originally published, Sophos Naked Security, you’re directly reaping the benefits of Peter’s work right now.

If you click on the padlock in your browser, you’ll see that this site, like our sister blog site Sophos News, uses a web certificate that’s vouched for by Let’s Encrypt, now a well-established Certificate Authority (CA).

Let’s Encrypt, as a CA, signs TLS cryptographic certificates for free on behalf of bloggers, website owners, mail providers, cloud servers, messaging services…

…anyone, in fact, who needs or wants a vouched-for encryption certificate, subject to some easy-to-follow terms and conditions.

Remember that web certificates can’t, and don’t, vouch for the actual content that you ultimately serve up. But they do, and they can, provide evidence that you have demonstrated in some way that you actually control the internet domains that you claim to own, without which everyone could casually claim to be someone else, and anyone could easily phish or snoop on almost everyone.

A “wild idea” made real

As one of Peter’s former colleagues, Seth Schoen, wrote earlier today on the Let’s Encrypt community forum:

I’m devastated to report that Peter Eckersley […], one of the original founders of Let’s Encrypt, died earlier this evening [2022-09-02] at CPMC Davies Hospital in San Francisco.

Peter was the leader of EFF’s contributions to Let’s Encrypt and ACME over the course of several years during which these technologies turned from a wild idea into an important part of Internet infrastructure. […] You can find a very abbreviated version of this history in the Let’s Encrypt paper, to which Peter and I both contributed.

Peter had apparently revealed recently that he had been diagnosed with cancer – he turned just 43 shortly before midsummer’s day this year (or perhaps, given that he was originally from Melbourne in Australia, we should say midwinter’s day).

Making a confoundingly complex process simple, yet trustworthy

Let’s Encrypt wasn’t the first effort to try to build a free-as-in-freedom and free-as-in-beer infrastructure for online encryption certificates, but the Let’s Encrypt team was the first to build a free certificate signing system that was simple, scalable and solid.

As a result, the Let’s Encrypt project was soon able to gain the trust of the browser-making community, to the point of quickly getting accepted as an approved certificate signer (a trusted-by-default root CA, in the jargon) by most mainstream browsers.

Indeed, part of Let’s Encrypt’s appeal (and perhaps even its primary importance) is not just that you don’t have to pay a fee to get web certificates signed, but also that the whole process of generating, signing, validating, deploying and renewing certificates is free and easy (automatic, in fact!), yet safe and well thought out.

Before Let’s Encrypt, many website owners didn’t bother with HTTPS at all, and in many cases, especially for home users, charities, small businesses or hobbyists, the chief hassle wasn’t always the cost (though if you had several sites to protect, cost quickly became a big deal).

One of the chief hassles with HTTPS, until Let’s Encrypt came along, was… well, simply put, the hassle of it all.

The hassle of understanding the jargon, of generating the right sort of keypairs and certificates, of submitting the needed certificate signing requests, of actually paying the fee to have them processed, and of deploying them once the signing was done.

And then doing the same thing again, year after year, so that your keys and certificates didn’t expire and leave your visitors facing certificate warnings, or your website getting blocked.

Winning over the world

At first, the efforts of Let’s Encrypt weren’t universally popular, and some of the most vocal opponents (ironically, considering what Let’s Encrypt set out to do in terms of freedom and simplicity) came from the midst of those same hassled home users, hobbyists and boutique site operators whom we mentioned above.

A vigorous minority were somehow convinced that HTTPS was a con, a conspiracy, a cult…

…a coterie of cryptographic crusaders who were committed to compelling us all to use encryption, whether we wanted it or not.

Even for material that we wanted to make public! Even for content that was as boring and as uncontroversial as eating cornflakes for breakfast! Extra complexity with no obvious purpose! We never asked the “experts” to push HTTPS on us in the first place, not even for free!

Thanks to the perseverance, personality and persuasiveness of Peter Eckersley and his co-creators, however, we don’t hear those complaints much on Naked Security any more.

After all, end-to-end encryption of web traffic isn’t only about keeping the actual content you’re viewing confidential.

It’s also about keeping confidential the fact that you chose to view it (and when and where you did so), which really isn’t anyone else’s business.

It’s about preventing anyone who wants to from casually setting up a fake website that says it belongs to someone else, even to a well-known brand.

It’s about inhibiting the casual, continuous, warrantless surveillance of your web traffic by governments and cybercriminals alike.

And it’s about making it difficult for other internet users to fiddle with the content you’re reading along the way, or to tamper with the replies you send back, thus undetectably turning what you see and what you say into fake news, or stealing your passwords, or trashing your online reputation, or taking over your online accounts.

Ethics and safety of AI

In recent years, Peter founded the AI Objectives Institute, with the aim of ensuring that we pick the right social and economic problems to solve with AI:

We often pay more attention to how those goals are to be achieved than to what those goals should be in the first place. At the AI Objectives Institute, our goal is better goals.

To borrow the very words that Peter himself wrote to conclude his personal obituary for the late activist Aaron Swartz, who was a close friend…

Peter Eckersley, may you read in peace.

And thanks for Let’s Encrypt.

It really has brought HTTPS to where it belongs – everywhere.