How to Use — and Why You Need — Let’s Encrypt More Than Ever
By: Steven J. Vaughan-Nichols
The free, automated and open certificate authority confers all sorts of benefits to your website.
Want a quick and easy way to add Secure Sockets Layer/Transport Layer Security (SSL/TLS) to your website? You should. Google penalizes your site’s PageRank if you don’t have it. If you run an e-commerce site, there’s even worse news: Chrome users will see your payment pages marked as unsafe. That’s one way to close your business down in a hurry.
There are many ways to add an SSL certificate to your website. The easiest and cheapest way is with the Internet Security Research Group’s (ISRG) Let’s Encrypt project.
Let’s Encrypt is designed to provide a free, automated, and open certificate authority (CA) for everyone. It enables website owners to obtain certificates within minutes, which means everyone gets a safer web experience.
We’ve known since Firesheep showed us that your login could easily be stolen over Wi-Fi that every website needs to be encrypted. While over 50 percent of sites loaded in Google Chrome are now served securely, the expense and trouble of installing certificates has delayed this natural move. I mean, who doesn’t want a more secure website?
“Encryption should be the default for the web,” said Josh Aas, the ISRG’s executive director and senior technology strategist at Mozilla when Let’s Encrypt was formed in 2014. “The web is a complicated place these days; it’s difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone’s private data and information is protected while in transit over the web is to encrypt everything. Let’s Encrypt simplifies this.”
Indeed it has. Within a year of its launch, Let’s Encrypt had issued its millionth SSL certificate.
Key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at zero, zilch, nada cost.
- Automatic: Software running on a webserver can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will advance TLS security best practices, both on the Certificate Authority (CA) side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
- Cooperative: Much like the Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond any one organization’s control.
Technically, Let’s Encrypt management software uses the Automated Certificate Management Environment (ACME) protocol to:
- Automatically prove to the Let’s Encrypt CA that you control the website.
- Obtain a browser-trusted certificate and set it up on your web server.
- Keep track of when your certificate will expire, and automatically renew it.
- Help you revoke the certificate if that ever becomes necessary.
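The third item in that list, tracking when a certificate expires and renewing in time, is the step most often left unmonitored. The following is an added example (not code from the post, from Let’s Encrypt, or from any ACME client) showing how to read the `notAfter` field of a certificate as returned by Python’s standard `ssl` module and decide whether renewal is due. It assumes the common policy of renewing when fewer than 30 days of validity remain; the 90-day sample certificate below is constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption for this example: renew once fewer than 30 days of validity remain.
RENEW_BEFORE_DAYS = 30

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a 90-day certificate for www.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}


def expiry_time(cert: dict) -> datetime:
    """Parse the certificate's notAfter string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Whole and fractional days left before the certificate expires."""
    return (expiry_time(cert) - now).total_seconds() / 86400


def renewal_decision(cert: dict, now: datetime) -> str:
    """Return 'expired', 'renew' or 'ok' for the certificate at time `now`."""
    remaining = days_until_expiry(cert, now)
    if remaining <= 0:
        return "expired"
    if remaining < RENEW_BEFORE_DAYS:
        return "renew"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the live certificate of a host (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample at three points in time.
    for day in (datetime(2024, 3, 15, tzinfo=timezone.utc),
                datetime(2024, 5, 10, tzinfo=timezone.utc),
                datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(day.date(), renewal_decision(SAMPLE_CERT, day))
```

To check a real host, replace the sample with `fetch_peer_cert("www.example.com")` and pass `datetime.now(timezone.utc)` as `now`; a cron job that alerts on anything other than `"ok"` is a cheap safety net should the automatic renewal ever fail silently.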
That all sounds good, and it is, but there’s a catch. Let’s Encrypt has no mechanism to check whether a certificate should be issued at all. It turns out that attackers are misusing Let’s Encrypt certificates to help disguise malicious websites as belonging to companies such as Apple, Google, and PayPal.
As the WordFence security team points out, “The Let’s Encrypt team must start doing keyword searches on SSL certificate applications. This can be fully automated and Let’s Encrypt needs to reject certificates that contain strings like ‘.apple.com,’ ‘paypal.com,’ ‘.google.com’ and other common phishing patterns.”
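The keyword screen WordFence describes is the same check a site operator can run on their own behalf: because every issued certificate is publicly logged (the “Transparent” principle above), you can scan the names in new certificates for your brand appearing where it doesn’t belong. The following is an added example, not code from the post, WordFence or Let’s Encrypt, of such a screen. It uses the three brand names from the quote, assumes a small allowlist of the apex domains those brands legitimately own, and splits hostnames into tokens so that a brand name embedded in an unrelated domain is flagged while an innocent word that merely contains it (such as “pineapple”) is not. The request list is constructed for the example.

```python
import re

# Brand names taken from the WordFence quote in the post.
BRANDS = {"apple", "google", "paypal"}

# Assumption for this example: apex domains the brands legitimately own.
# A real screen would use a maintained allowlist rather than this literal set.
LEGITIMATE_APEX = {"apple.com", "google.com", "paypal.com"}

# DNS labels are split on anything that is not a letter or digit, so
# "apple-id-verify" yields the tokens apple, id, verify.
_TOKEN_RE = re.compile(r"[a-z0-9]+")

# Constructed sample: names from one hypothetical certificate request.
SAMPLE_REQUEST = [
    "www.paypal.com",                        # genuine brand host
    "pineapple.example.com",                 # contains "apple" only as a substring
    "paypal.com.secure-login.example.net",   # brand apex embedded as a subdomain
    "apple-id-verify.example.org",           # brand as a hyphenated token
    "*.google.com.account-check.example",    # wildcard in front of an embedded brand
]


def normalize(name: str) -> str:
    """Lower-case the name, drop a trailing dot and a leading wildcard label."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def is_legitimate(host: str) -> bool:
    """True if the host is an allowlisted apex domain or a subdomain of one."""
    return any(host == apex or host.endswith("." + apex) for apex in LEGITIMATE_APEX)


def screen_name(name: str) -> list:
    """Return the reasons a single name should be held for review ([] if clean)."""
    host = normalize(name)
    if is_legitimate(host):
        return []
    tokens = set(_TOKEN_RE.findall(host))
    return sorted(f"brand token '{b}' outside {b}'s own domain" for b in BRANDS & tokens)


def screen_request(names) -> dict:
    """Map each suspicious name in a request to its reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        reasons = screen_name(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in screen_request(SAMPLE_REQUEST).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

Token matching is deliberately conservative: it catches the patterns in the WordFence quote without tripping on ordinary words, but it will miss misspellings and look-alike characters, so treat a hit as a reason for human review rather than an automatic verdict.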
This is a worry. If I were running an e-commerce site, I’d use an extended validation (EV) SSL certificate from a well-regarded CA. To find the right commercial certificate for you, check out the recommendations at SSL Shopper.
For the rest of us, a Let’s Encrypt certificate should do fine. For the technical how-to details, see Install Let’s Encrypt to Create SSL Certificates. Linode’s SSL Certificates page offers further technical details on SSL certificates.
Security and trust. Your website gets both with Let’s Encrypt.
My recommendation: you need it, so you might as well use it.
Please feel free to share below any comments or insights about your experience with Let’s Encrypt. And if you found this blog useful, please consider sharing it through social media.
About the blogger: Steven J. Vaughan-Nichols is a veteran IT journalist whose estimable work can be found on a host of channels, including ZDNet.com, PC Magazine, InfoWorld, ComputerWorld, Linux Today and eWEEK. Steven’s IT expertise comes without parallel — he has even been a Jeopardy! clue. And while his views and cloud situations are solely his and don’t necessarily reflect those of Linode, we are grateful for his contributions. He can be followed on Twitter (@sjvn).