You’ve seen it before, that little lock next to the URL on a website. Typically, we associate it with banking, or online shopping, or something else that needs to be “secure”. I am of the opinion, though, that every single website should be using that security. Just this month that became a real possibility via Let’s Encrypt.
So there’s a problem with SSL (or actually, what you really want: TLS) certificates. Most of the time, they cost money. Not a lot, but if you have a handful of domains that you’re doing something with, it can add up pretty quick. And if you want to spin up something quick that you don’t know how long it’ll last, it’s also costly.
Following the Snowden revelations of vast governmental agency abuse of power, it became clear that there ought to be a way to secure all websites, everywhere. If you want to provide security and privacy to everyone everywhere, you kind of have to do it for free.
That’s where Let’s Encrypt comes in. It’s a tool for generating and deploying SSL certificates on web servers. This means if you run your own blog, website, web app, etc., you can easily get a certificate – which means that people accessing your site are sending their information encrypted.
But, why?
Some people might say “Why is that important? Does it really matter if someone knows what websites I go to? I’ve got nothing to hide!” That may be true, you may have nothing to hide. However, you may someday have something that you want to hide. Something that is legal, ethical, and you’re just not ready to share yet. It’s your decision whether you want to share that though. Additionally, and more importantly: if you’re using a website, whatever data you’re sending to that site should be encrypted. If you’re running a WordPress installation on your own server and you don’t have a certificate, every time you log in, you’re sending your password in the clear. On Wi-Fi and an unencrypted network? Anyone around you could be picking up your password. (Hope you don’t use that password anywhere else.)
The caveats
Let’s Encrypt is not yet a tool for a novice. It requires a few steps and a few instructions, which can be kind of a pain. It’s mostly focused on running on your own web server, which means that if you’re just generating certificates for a shared host, you have to walk through a bit of a process to do it. Still, the tradeoff to me is worth it.
I cannot tell you how delighted I am to see this:
There’s really no reason left not to have secure communications for everything everywhere. I could not be more delighted that we’re where we are. It’s easy to get going on secure web communications. If you use Dreamhost like I do, following this article should get you there.
Let’s Encrypt looks like a great way to get your website onto the HTTPS protocol. On your own server it is really simple. The same goes if your host provides the automatic setup. But so far I am not sure about the trustworthiness of these free certificates in the future. Nowadays you can see some problems with phishing websites using HTTPS because there is no real validation.
If I can choose, I will prefer the free SSL certificate Basic DV: https://magazin.sslmarket.de/inpage/lets-encrypt-vs-basic-dv-von-symantec-ein-vergleich/
I agree with you to an extent Marcus – but that is an adjustment we need to make. The important thing here is not a factor of identity, but a factor of security. There’s definitely a component of education that needs to happen with people generally – understanding that they need to verify the SSL cert identifies the correct party, and that simply having a certificate isn’t enough to prove that a party is who they say they are. We should all be using SSL certificates in any regard, and Let’s Encrypt makes that possible.