Secure that site with LetsEncrypt4 min read
February 4, 2016You have heard about someone offering free (as in beer) website certificates (aka SSL certificates) for your website. Whoever told you this was not lying. It’s actually quite true! With the revelations regarding shady dealings with intelligence agencies, law enforcement, ISP and black-hat crackers (i.e., your “cyber-thieves”), there’s been an industry-wide push to secure communications. Letsencrypt.org was founded to help address some of the issues in the web industry that led to the widespread failure of website owners and operators in obtaining secure certificates.
HTTPS/SSL in a nutshell
The average website you visit is typically accessed over HTTP (HyperText Transport Protocol). Accessing a site over HTTPS (HyperText Transfer Protocol Secure) is a different process from HTTP. Accessing a site over HTTP makes your traffic visible to everyone on the network. Using tools like WireShark, if you were to park yourself at the point where your network meets the internet, you’d be able to see all the traffic (URLs, content, form data) of people on your network. This is how people perform Man-in-the-Middle (MITM) attacks. In a MITM attack, someone sits on the connection between two networks and just eavesdrops on the data going back and forth. Also, by being in the middle of the communication stream, the attacker could modify the contents going back and forth, sending you malicious data and changing what you are transmitting to the server.
HTTPS addresses this by creating a connection to the server where your traffic becomes encrypted. This means that if someone were to be snooping on your traffic, they wouldn’t be able to interpret it*. To have your site perform this HTTPS action, you need these things called “certificates”. Certificates are used by the browser and server to confirm that the website you are connecting to is the real thing, and not some random server impersonating a website. For example, to prevent some random person proclaiming that their site is the real Amazon.com, we have these organizations called “Certificate Authorities” or “CAs”. They digitally sign certificates after confirming the identity of the owner. Because these companies have been around a while and are trusted for one reason or another, they have become the de-facto people in charge of certificate issuance and verification. As a result, your web browser has a special list of records that it uses to cross check a certificate with the CA that issued it. This allows your browser to tell you if the certificate from Amazon.com was really given out by Symantec. A mismatch would mean that the certificate is a fake and now someone is running around posing as someone else.
Now, the reason you don’t see every site using HTTPS is because CAs charge money to get a certificate… and it used to be quite expensive. I can only assume that this is due to the time and effort involved in verifying the identity of the person registering for a certificate to make sure they own the website it’s being issued for. Furthermore, certificates do not last forever; certificates also expire, like domains, requiring a re-purchase. One additional worry is that, if your certificate were to be compromised, then you’d need to revoke the certificate. This would mean you’d have to obtain a new certificate, which may take time. For people not running e-commerce sites, or sites that don’t require logins, buying a certificate didn’t make financial sense. Depending on the number of domains and the type of certificate you buy, the costs can add up very quickly.
How LetsEncypt fixes this
So with lots of websites out there being accessed insecurely, LetsEncrypt was created to allow hosting companies to register and create a simple domain validation certificate. The service offered by LetsEncrypt costs nothing. The host company just needs to run a simple script on the server to install the certificate for a given domain. Acquisition should take less than a minute. In comparison, getting a regular SSL certificate can take days! The certificate, once installed, will work just like a regular paid-for certificate. You can also request multi-domain certificates with LetsEncrypt, so you can have several of your own websites share one certificate. I would caution however, that this service should not be used in it’s current state for e-commerce or sites demanding high-reliability. Since the process is still in a developmental stage, it should only be used by those who don’t mind a few hiccups. It should also be noted that Google has indicated that it will start penalizing sites that do not offer secured login pages.
If you want to learn more, this video featuring Seth Schoen from the Electronic Frontier Foundation explains the how and whys of LetsEncypt.
*This assumes they do not have the decryption keys