At the start of 2023, we sunsetted the HTTPS Everywhere web extension.
It encrypted browser communications with websites and made sure users benefited from the protection of HTTPS wherever possible.
HTTPS Everywhere ended because all major browsers now offer the functionality to make HTTPS the default.
This is due to the grand efforts of the many technologists and advocates involved with Let's Encrypt, HTTPS Everywhere, and Certbot over the last 10 years.
While VPNs still serve a purpose, they are no longer necessary just to encrypt your traffic on the web.
Firefox reports that over 80% of the web is encrypted, and Google reports 95% over all of its services.
Let's Encrypt made much of this possible, by serving as a free and easily supported Certificate Authority that issued TLS certificates to 363 million websites.
Let's Encrypt differs from other prominent CAs.
Let's Encrypt from the start encouraged short-lived certificates that were valid for 90 days.
Other CAs were issuing certificates with lifespans of two years.
The CA/B Forum, a voluntary consortium of CAs, browser companies, and other partners that maintain public key infrastructure, adopted ballot SC-063, which allows 10-day certificates, and in 2026 will allow 7-day certificates.
This pivotal change will make the ecosystem safer, reduce the toll on partners that manage the metadata chain, encourage automation, and push for the ecosystem to encrypt faster, with less overhead, and with better tools.
Chrome will require CAs in its root store to support the Automatic Certificate Management Environment protocol.
We are glad to see the continued push for HTTPS by default, without users needing to turn it on themselves.
Its Article 45 requires browsers to display website identity with Qualified Web Authentication Certificates issued by a government-mandated Root Certificate Authority.
These measures hinder browsers from responding if one of these CAs acts inappropriately or has bad practices around issuing certificates.
This framework enables EU governments to snoop on their residents' web traffic.
This would roll back many of the web security and privacy gains over the past decade to a new, yet unfortunately familiar, fragmented state.
We will fight to make sure HTTPS is not set up for failure in the EU. In the movement to make HTTPS the default for everyone, we also need to be vigilant about how mobile devices handle web traffic.
This Cyber News was published on www.eff.org. Publication date: Mon, 25 Dec 2023 17:43:05 +0000