We don’t often write obituaries on Naked Security, but this is one of the times we’re going to.
You might not have heard of Peter Eckersley, PhD, but it’s very likely that you’ve relied on a cybersecurity innovation that he not only helped to found, but also to build and establish across the globe.
In fact, if you’re reading this article right on the site where it was originally published, Sophos Naked Security, you’re directly reaping the benefits of Peter’s work right now.
If you click on the padlock in your browser [2022-09-0T22:37:00Z], you’ll see that this site, like our sister blog site Sophos News, uses a web certificate that’s vouched for by Let’s Encrypt, now a well-established Certificate Authority (CA).
Let’s Encrypt, as a CA, signs TLS cryptographic certificates for free on behalf of bloggers, website owners, mail providers, cloud servers, messaging services…
…anyone, in fact, who needs or wants a vouched-for encryption certificate, subject to some easy-to-follow terms and conditions.
Remember that web certificates can’t, and don’t, vouch for the actual content that you ultimately serve up. But they do, and they can, provide evidence that you have demonstrated in some way that you actually control the internet domains that you claim to own, without which everyone could casually claim to be someone else, and anyone could easily phish or snoop on almost everyone.
A “wild idea” made real
As one of Peter’s former colleagues, Seth Schoen, wrote earlier today on the Let’s Encrypt community forum:
I’m devastated to report that Peter Eckersley […], one of the original founders of Let’s Encrypt, died earlier this evening [2022-09-02] at CPMC Davies Hospital in San Francisco.
Peter was the leader of EFF’s contributions to Let’s Encrypt and ACME over the course of several years during which these technologies turned from a wild idea into an important part of Internet infrastructure. […] You can find a very abbreviated version of this history in the Let’s Encrypt paper, to which Peter and I both contributed.
Peter had apparently revealed recently that he had been diagnosed with cancer – he turned just 43 shortly before midsummer’s day this year (or perhaps, given that he was originally from Melbourne in Australia, we should say midwinter’s day).
Making a confoundingly complex process simple, yet trustworthy
Let’s Encrypt wasn’t the first effort to try to build a free-as-in-freedom and free-as-in-beer infrastructure for online encryption certificates, but the Let’s Encrypt team was the first to build a free certificate signing system that was simple, scalable and solid.
As a result, the Let’s Encrypt project was soon able to to gain the trust of the browser making community, to the point of quickly getting accepted as a approved certificate signer (a trusted-by-default root CA, in the jargon) by most mainstream browsers.
Indeed, part of Let’s Encrypt’s appeal (and perhaps even its primary importance) is not just that you don’t have to pay a fee to get web certificates signed, but also that the whole process of generating, signing, validating, deploying and renewing certificates is free and easy (automatic, in fact!), yet safe and well thought out.
Before Let’s Encrypt, many website owners didn’t bother with HTTPS at all, and in many cases, especially for home users, charities, small businesses or hobbyists, the chief hassle wasn’t always the cost (though if you had several sites to protect, cost quickly became a big deal).
One of the chief hassles with HTTPS, until Let’s Encrypt came along, was… well, simply put, the hassle of it all.
The hassle of understanding the jargon, of generating the right sort of keypairs and certificates, of submitting the needed certificate signing requests, of actually paying the fee to have them processed, and of deploying them once the signing was done.
And then doing the same thing again, year after year, so that your keys and certificates didn’t expire and leave your visitors facing certificate warnings, or your website getting blocked.
Winning over the world
At first, the efforts of Let’s Encrypt weren’t universally popular, and some of the most vocal opponents (ironically, considering what Let’s Encrypt set out to do in terms of freedom and simplicity) came from the midst of those same hassled home users, hobbyists and boutique site operators whom we mentioned above.
A vigorous minority were somehow convinced that HTTPS was a con, a conspiracy, a cult…
…a coterie of cryptographic crusaders who were committed to compelling us all to use encryption, whether we wanted it or not.
Even for material that we wanted to make public! Even for content that was as boring and as uncontroversial as eating cornflakes for breakfast! Extra complexity with no obvious purpose! We never asked the “experts” to push HTTPS on us in the first place, not even for free!
Thanks to the perseverance, personality and persuasiveness of Peter Eckersley and his co-creators, however, we don’t hear those complaints much on Naked Security any more.
After all, end-to-end encryption of web traffic isn’t only about keeping the actual content you’re viewing confidential.
It’s also about keeping confidential the fact that you chose to view it (and when and where you did so), which really isn’t anyone else’s business.
It’s about preventing anyone who wants to from casually setting up a fake website that says it belongs to someone else, even to a well-known brand.
It’s about inhibiting the casual, continuous, warrantless surveillance of your web traffic by governments and cybercriminals alike.
And it’s about making it difficult for other internet users to fiddle with the content you’re reading along the way, or to tamper with the replies you send back, thus undetectably turning what you see and what you say into fake news, or stealing your passwords, or trashing your online reputation, or taking over your online accounts.
Ethics and safety of AI
In recent years, Peter founded the AI Objectives Institute, with the aim of ensuring that we pick the right social and economic problems to solve with AI:
We often pay more attention to how those goals are to be achieved than to what those goals should be in the first place. At the AI Objectives Institute, our goal is better goals.
To borrow the very words that Peter himself wrote to conclude his personal obituary for the late activist Aaron Schwartz, who was a close friend…
…Peter Eckersley, may you read in peace.
And thanks for Let’s Encrypt.
It really has brought HTTPS to where it belongs – everywhere.
21 comments on “Peter Eckersley, co-creator of Let’s Encrypt, dies at just 43”
Very sad when someone dies at 43.
A fitting tribute.
Was he vaxxed??
Not sure what relevance that has, but if you read some of his numerous published articles about coronavirus issues (he was determined to help us use technology to track and control the spread usefully without hurting our collective privacy), you can answer that question for yourself:
(Yes, if you must know.)
Really? Cut it out.
He had cancer. You [redacted] literally think people used to not die before this particular vaccine. Your ilk will go down as some of the [redacted].
It seems that people can’t get ill or die these days without getting hammered from two extremes by the snide (and surprisingly rarely relevant) question, “Were they vaccinated?”
If YES, then one flank will say, “Well, there you are, then. Maybe that was the problem.” If NO, another flank will come up with “Well, there you are then. Maybe that was the problem.”
If you read the article I linked to above, written by Peter in 2021-07-25, you should see that although he was clearly in favour of coronavirus vaccination as a potential way of slowing transmission and reducing how harmful its effects might be, he [a] was in no doubt that vaccination was only one part of our response [b] did not consider vaccination any sort of panacea [c] was willing to explain what he considered to be thoughtful and simple measures we could take as a co-operative society anyway. (Largely: don’t mix in big groups if you don’t need to, avoid the risk of coughing on other people by wearing a mask, and don’t panic. His opinion was that you should get vaccinated if possible, but he wasn’t about to climb onto a self-built podium and give you a lungful either way.)
As you say, Peter had cancer. He died young, after doing a bunch of fascinating computer science stuff that turned out to be surprisingly useful, technically and socially.
Thus an obituary, to celebrate what he was able to achieve, given that he didn’t get the chance to do the rest of it.
If all you have to say is, “Was he vaccinated?”, whether you are hoping to be judgmental if he wasn’t, or angry if he was, you clearly haven’t stopped to think about the zillion other things that he was and did… which is actually what this article is about.
If there’s one thing I’ll always remember about my interactions with Pete, it was his dedication to science and the scientific method.
Asking questions is the very essence of being a scientist. I’ll always cherish Pete and his questions.
To me, Pete was a man who valued communication, and the free and open exchange of ideas among inquisitive individuals.
I think he would be disgusted by this anti-scientific attitude of oppression and silence you’re advocating for.
Please, show some respect for the scientific method, and more importantly, please show some respect for Pete.
I miss you, Pete,
Just to be clear to everyone coming later: Cajko (under whose comment Samantha’s will appear as if she were replying specifically to those remarks) is not advocating for antiscience or silence. (Cajko was simply ranting about why the question “Was he vaxxed” had to come up in the first place.)
Reading about a guy whose career amounts to ‘preventing people from doing things to each other the extent of which is only limited by their creativity’, nothing could be more relevant. But reading it again I’d be looking for the radioactive isotope. I’m not making light, it seems we’ve all lost someone who would have had so much more to give.
THIS IS AN OBITUARY. Simply put, it’s belated thanks. “Lest we forget”, as they say.
At the end of an obituary, you don’t get to say, “OK, so he’s dead, BUT HERE IS A THEORY I WANT TO SHARE…”
[Which is my way of saying: THIS THREAD IS NOW CLOSED, and I guess I should never have opened it in the first place.]
Read the article. If you like the computer science stuff this man did in his lifetime, you can say so here. In fact, even if you didn’t like what he did, or disagree about its usefulness, you’re allowed to say so, although it should be something genuinely relevant and significant, because for most people you’d be intruding on grief… but you don’t have to agree with us to comment.
But if you have any theories to share that are entirely unrelated to the actual work that Peter himself was known for, this is not the site for you to do it.
Irrelevant, and stop hijacking people tragedies.
Beautiful, Duck, a really fitting tribute.
Thanks, glad you enjoyed it.
I am sure you have had this feeling, as a writer yourself, that there are some articles (notably obits, but indeed anything where all you are really doing is briefly dining out on someone else’s life story)… where it seems like cheating for people to say, “I liked your piece,”
If only you hadn’t been able to like it because I hadn’t needed to write it…
…but here we are, exchanging comments in a largely tamper-proof way, on the site that’s a large part of my life these days, thanks to Let’s Encrypt. (Sure, we had TLS certificates before, but never with the same simplicity and the feeling that “if only it had ever been thus.”)
As Kurt Vonnegut said, “So it goes.”
Thanks Paul. Yes, the gravity is heavy today.
It’s very sad to leave at that age. thank you very much for helping to democratize HTTPS.
I always liked Sophos and their integrity, I also believed that https was essential not only for banking but everything. Concerning Mr Eckersley, my admiration and gratitude. A man with a mission is done right after accomplishing it successfully. May the almighty take him in.
Thank you and RIP Peter. I am in the web hosting industry and have seen how the Internet has evolved to use HTTPS thanks to Let’s Encrypt. You have made securing a website much easy and better.
Thanks Paul for bringing behind the scene character to front. It is always fascinating to read your articles.
One of my favorite types of articles here. Duck is great at them.
Five female technoheroes you might never have heard of…