You have heard about someone offering free (as in beer) website certificates (aka SSL certificates) for your website. Whoever told you this was not lying. It's actually quite true! With the revelations regarding shady dealings by intelligence agencies, law enforcement, ISPs and black-hat crackers (i.e., your "cyber-thieves"), there's been an industry-wide push to encrypt web traffic. Letsencrypt.org was founded to address the problems in the web industry that kept so many website owners and operators from obtaining certificates at all.
HTTPS/SSL in a nutshell
The average website you visit is typically accessed over HTTP (HyperText Transfer Protocol). HTTPS (HTTP Secure) is the same protocol carried inside an encrypted TLS (formerly SSL) connection, and that changes what an outsider can see. Accessing a site over plain HTTP makes your traffic readable by everyone on the path between you and the server. Using a tool like Wireshark, if you were to park yourself at the point where your network meets the internet, you'd be able to see all the traffic (URLs, page content, form data, session cookies) of everyone on your network. This passive eavesdropping is the starting point of a Man-in-the-Middle (MITM) attack: someone sits on the connection between two networks and reads the data going back and forth. Because they are in the middle of the communication stream, they can also modify it, sending you malicious content and changing what you are transmitting to the server. Over HTTPS that same observer learns which host you connected to and roughly how much data moved, but not the URLs, content or form data*.
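To make the difference concrete, here is an added example (not code from the original post) of what a sniffer at the network edge gets out of one HTTP request versus the first record of an HTTPS connection. Both packets are constructed inline for the demonstration: a plaintext login POST, and a hand-built TLS ClientHello carrying the Server Name Indication extension, which is the one piece of metadata an on-path observer does get from HTTPS. The `tamper_http` function shows the active half of a MITM, rewriting a form field in flight.

```python
"""What an on-path observer can read from HTTP versus HTTPS traffic.

Added example, not code from the original post. Both packets are
constructed here for the demonstration: a plaintext HTTP login POST and
the first TLS record of an HTTPS connection (a ClientHello carrying the
Server Name Indication extension). Nothing is captured from a network.
"""
import struct

# Constructed sample: what crosses the wire when a login form is submitted over HTTP.
HTTP_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)


def observe_http(packet: bytes) -> dict:
    """Everything a sniffer at the network edge learns from one HTTP request."""
    head, _, body = packet.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = dict(pair.split("=", 1) for pair in body.decode("ascii").split("&") if "=" in pair)
    return {"method": method, "url": f"http://{headers.get('host', '?')}{path}",
            "cookie": headers.get("cookie"), "form": form}


def tamper_http(packet: bytes, field: str, new_value: str) -> bytes:
    """An active MITM rewriting one form field in flight (Content-Length fixed up)."""
    head, _, body = packet.partition(b"\r\n\r\n")
    pairs = [p.split("=", 1) for p in body.decode("ascii").split("&")]
    body = "&".join(f"{k}={new_value if k == field else v}" for k, v in pairs).encode("ascii")
    lines = [ln for ln in head.split(b"\r\n") if not ln.lower().startswith(b"content-length:")]
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def build_client_hello(hostname: str) -> bytes:
    """A minimal TLS ClientHello record with an SNI extension.
    The 32-byte random is zeroed here only so the output is deterministic."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"\x13\x01\xc0\x2f"   # TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + extensions)                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake   # record type 0x16 = handshake


def observe_tls(packet: bytes) -> dict:
    """The same sniffer looking at a TLS record: metadata only, never the request."""
    ctype = packet[0]
    result = {"record_type": ctype, "bytes_on_wire": len(packet), "sni": None}
    if ctype != 0x16 or packet[5] != 0x01:
        return result                  # not a ClientHello: opaque (0x17 = encrypted application data)
    p = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
    p += 1 + packet[p]                 # session id
    p += 2 + struct.unpack("!H", packet[p:p + 2])[0]   # cipher suites
    p += 1 + packet[p]                 # compression methods
    end = p + 2 + struct.unpack("!H", packet[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", packet[p:p + 4])
        p += 4
        if etype == 0x0000:            # server_name: list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", packet[p + 3:p + 5])[0]
            result["sni"] = packet[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return result


if __name__ == "__main__":
    print(observe_http(HTTP_LOGIN_POST))
    print(observe_http(tamper_http(HTTP_LOGIN_POST, "password", "owned")))
    print(observe_tls(build_client_hello("example.com")))
    print(observe_tls(b"\x17\x03\x03\x00\x10" + bytes(16)))   # constructed encrypted app-data record
```

Run it and compare the two outputs: the HTTP side yields the URL, the session cookie and the password in clear, and `tamper_http` shows that the same position on the path lets an attacker change the submitted password without the client or server noticing. The TLS side yields only the record type, the byte count and the hostname from SNI; once the handshake is done, every record is type 0x17 and the parser has nothing left to read.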
Now, the reason you don't see every site using HTTPS is that Certificate Authorities (CAs) charge money for a certificate, and it used to be quite expensive. I can only assume that this is due to the time and effort involved in verifying the identity of the person requesting a certificate, to make sure they own the website it's being issued for. Furthermore, certificates do not last forever; like domains, they expire and have to be bought again. One additional worry is that if the private key behind your certificate were compromised, you'd need to revoke the certificate and obtain a new one, which may take time. For people not running e-commerce sites, or sites that don't require logins, buying a certificate didn't make financial sense. Depending on the number of domains and the type of certificate you buy, the costs add up very quickly.
How LetsEncrypt fixes this
So with lots of websites out there being accessed insecurely, LetsEncrypt was created to let anyone who controls a domain obtain a simple domain-validation certificate. "Domain validation" means the CA checks only that you control the domain, not who you are, and that is exactly the check that can be automated. The service costs nothing. The site operator (or hosting company) just needs to run a simple script on the server that proves control of the domain, fetches the certificate and installs it; the same script can renew the certificate before it expires. Acquisition should take less than a minute. In comparison, getting a regular SSL certificate can take days! Once installed, the certificate works just like a regular paid-for certificate. You can also request multi-domain certificates with LetsEncrypt, so several of your own websites can share one certificate. I would caution, however, that this service should not be used in its current state for e-commerce or sites demanding high reliability. Since the process is still in a developmental stage, it should only be used by those who don't mind a few hiccups. It should also be noted that Google has indicated that it will start penalizing sites that do not offer secured login pages.
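The "simple script" proves control of the domain through the ACME protocol (RFC 8555), which the post does not name. Here is an added example, not code from the original post or from Let's Encrypt, that simulates ACME's HTTP-01 challenge end to end: the CA hands out a random token, the client publishes the token plus a thumbprint of its account key under `/.well-known/acme-challenge/`, and the CA fetches that file over plain HTTP from whatever host the domain resolves to. The web server, the DNS table and the account keys are constructed stand-ins (the JWKs are placeholder coordinates, not real keys) so the script runs offline.

```python
"""How a domain-validation CA proves you control a hostname.

Added example, not code from the original post or from Let's Encrypt.
Let's Encrypt issues certificates through the ACME protocol (RFC 8555),
which the post does not name; this simulates its HTTP-01 challenge. The
web server, DNS table and account keys below are constructed stand-ins
(the JWKs are not real keys) so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class WebServer:
    """The site being validated. The ACME client only has to drop one file into it."""
    def __init__(self):
        self.files = {}

    def publish_challenge(self, token: str, keyauth: str) -> None:
        self.files[f"/.well-known/acme-challenge/{token}"] = keyauth

    def get(self, path: str):
        return self.files.get(path)


DNS = {}   # hostname -> WebServer; constructed stand-in for real name resolution


class ValidatingCA:
    """The CA side: hand out a fresh token, then fetch it back over plain HTTP."""
    def new_token(self) -> str:
        return b64url(secrets.token_bytes(16))    # 128 bits of entropy, URL-safe

    def validate_http01(self, hostname: str, token: str, account_jwk: dict) -> bool:
        server = DNS.get(hostname)                # the CA resolves the name itself
        if server is None:
            return False
        body = server.get(f"/.well-known/acme-challenge/{token}")
        if body is None:
            return False
        # The expected value is bound to the *requesting* account key, so a file
        # published for one account proves nothing for another.
        return hmac.compare_digest(body, key_authorization(token, account_jwk))


def request_certificate(ca, hostname, account_jwk, server_i_control):
    """One client run: get a token, publish the key authorization, ask for validation.
    Returns True if the CA would proceed to issue; the CA never sees the private key."""
    token = ca.new_token()
    if server_i_control is not None:
        server_i_control.publish_challenge(token, key_authorization(token, account_jwk))
    return ca.validate_http01(hostname, token, account_jwk)


# Constructed account keys: P-256 JWKs with placeholder coordinates, not real keys.
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes([1]) * 32), "y": b64url(bytes([2]) * 32)}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes([3]) * 32), "y": b64url(bytes([4]) * 32)}


def demo() -> dict:
    ca = ValidatingCA()
    site = WebServer()
    DNS["example.com"] = site
    # An attacker who can read the owner's published file and replays it under their own account.
    owner_token = ca.new_token()
    site.publish_challenge(owner_token, key_authorization(owner_token, OWNER_JWK))
    return {
        # the owner controls the server DNS points at: validation succeeds
        "owner": request_certificate(ca, "example.com", OWNER_JWK, site),
        # an attacker with their own account key but no access to the server: fails
        "attacker_no_server": request_certificate(ca, "example.com", ATTACKER_JWK, None),
        # an attacker who can write to some other host that DNS does not point at: fails
        "attacker_other_host": request_certificate(ca, "example.com", ATTACKER_JWK, WebServer()),
        # the owner's file exists, but its thumbprint is not the attacker's: fails
        "attacker_reuses_owner_file": ca.validate_http01("example.com", owner_token, ATTACKER_JWK),
        # a hostname the CA cannot resolve: fails
        "unresolvable": request_certificate(ca, "nosuchhost.invalid", OWNER_JWK, site),
    }


if __name__ == "__main__":
    print(demo())
```

Two things in this flow explain why the check is cheap enough to give away: the CA needs no human in the loop, and it needs nothing from you but a file that anyone who already controls the server can write. The same properties explain what a domain-validation certificate does not say: it asserts nothing about who runs the site, only that whoever asked for the certificate could answer on that hostname at that moment, which is why the post's caution about high-reliability and e-commerce use is about operational maturity, not about the strength of the validation itself.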
If you want to learn more, this video featuring Seth Schoen from the Electronic Frontier Foundation explains the hows and whys of LetsEncrypt.
*This assumes they do not have the decryption keys