
Certbot Improvements

This is an effort to improve the Certbot ACME client to ensure more secure HTTPS deployment.

Using the HTTPS protocol, and using it correctly, is a vital protection for journalists and media outlets, activists, lawyers, and other vulnerable communities around the world. Failure to use HTTPS by default leaves groups vulnerable to surveillance and high-precision censorship, based on specific web pages or their content. Failure to use HTTPS with appropriate security features leaves users vulnerable to theft of credentials and account hijacking. Building better tools for HTTPS deployment is therefore a critical security and anti-censorship task to assist vulnerable communities around the world.

The Let’s Encrypt and Certbot projects are making significant progress on the problem of ensuring that servers support HTTPS to begin with. Since launching in late 2015, Let’s Encrypt has enabled HTTPS on 40 million FQDNs across 15 million registered domain names (https://letsencrypt.org/stats/). There is now a wide diversity of ACME clients that can be used with Let’s Encrypt, but Certbot remains by far the most popular when counting by number of distinct servers, accounting for about 60% of the server IPs that deploy Let’s Encrypt certificates.

This effort to improve Certbot includes extending operating system support, developing a CSP reporting endpoint, enabling HSTS support, adding OCSP must-staple support and security-enhancement UI updates, as well as self-hosted DNS plugins and building an integration/functionality testing framework.

Funding to date

2017: $50 400 (12 months)
Total funding: $50 400
Core issues: 
Access to the Internet
Security from danger or threat online
Current project status
  • Just an Idea (Pre-alpha)
  • It Exists! (Alpha/Beta)
  • It's basically done. (Release)
  • People Use It. (Production)
Objectives
Technology development
Software or hardware development
Testing
Beneficiaries
General public
Addressed problems
Technical attacks against government critics, journalists, and/or human rights organizations (Cyberattacks)
Repressive surveillance or monitoring of communication
Technology focus
User interface/experience
Server daemon
Cryptography
Sensitive data
